RE: question about anomalies detection

From: Rob Shein (shoten_at_starpower.net)
Date: 09/17/04

To: "'Raj Malhotra'" <ral.mal@gmail.com>, <faisal99@inf.its-sby.edu>
Date: Thu, 16 Sep 2004 21:24:11 -0400

Actually, this is just signature-based IDS, where you're rolling your own
sigs. If you were to do anomaly-based IDS, you'd more likely be doing the
logical inverse of this, where you would ignore the hostile traffic you
generated and define the rest of it as "normal," and therefore you'd define
everything else as "suspicious." The whole appeal of anomaly-based
detection is that it can theoretically notice attacks that nobody has ever
heard of before, simply because it differs from what is "normal." And
therefore, it doesn't matter what attacks you generate, since it learns the
definition of "normal" rather than the definition of "hostile."

> -----Original Message-----
> From: Raj Malhotra [mailto:ral.mal@gmail.com]
> Sent: Friday, September 03, 2004 2:13 AM
> To: faisal99@inf.its-sby.edu
> Cc: focus-ids@securityfocus.com
> Subject: Re: question about anomalies detection
>
>
> Hi
>
> > 1. To train the anomalies detection system, we must train the
> > application with the normal profile. My question is how we get the
> > normal profile, are they built by ourselves or we try to get from our
> > network dump data to be set as normal profile or we use the prebuilt
> > data on the net (like the data on the Lincoln Lab Data?)
>
> You can do all three. But I would like to do it as follows:
> 1) assume that traffic on my LAN is clean.
> 2) set up a machine running tcpdump with the "-w" option to keep logging
> whatever goes on the LAN.
> 3) use a Linux box and run nmap with the OS fingerprinting option on some
> target machines on the same LAN.
> 4) the tcpdump will have a mixture of normal traffic and scans for OS
> fingerprinting
>
> look for features that are unique to OS fingerprinting (read how nmap
> works) and try to use k-nearest neighbour for classification.
>
> > 2. Is there any paper about SPADE (Snort Plugin)? I've been googling for
> > some time but never found one.
>
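To make Rob's distinction concrete (learning "normal" and flagging deviation, rather than learning what scans look like), here is a small added example written for this page; it is not code from any tool mentioned in the thread. It assumes flows have already been reduced to (source, destination port, TCP flags) tuples, uses a constructed clean baseline, and its threshold rule is a hypothetical choice.

```python
from collections import Counter
import math

# Constructed baseline of clean LAN flows as (src, dport, tcp_flags) tuples,
# standing in for what you would extract from a tcpdump -w capture.
NORMAL_FLOWS = [
    ("10.0.0.5", 80, "S"), ("10.0.0.5", 443, "S"), ("10.0.0.6", 80, "S"),
    ("10.0.0.7", 25, "S"), ("10.0.0.5", 22, "S"), ("10.0.0.6", 443, "S"),
    ("10.0.0.7", 80, "S"), ("10.0.0.6", 22, "S"),
] * 5  # repeated so the baseline has some weight

class Profile:
    """The learned definition of 'normal': smoothed frequency of each feature
    value. No attack traffic and no signatures go into building it."""

    def __init__(self, flows):
        self.n = len(flows)
        self.dport = Counter(f[1] for f in flows)
        self.flags = Counter(f[2] for f in flows)
        # Threshold is also learned from clean data: the most surprising
        # flow seen during training, plus a margin (hypothetical choice).
        self.threshold = max(self.score(f) for f in flows) + 1.0

    def _surprisal(self, table, value):
        # Add-one smoothing: a never-seen value is costly but not infinite.
        p = (table[value] + 1) / (self.n + len(table) + 1)
        return -math.log2(p)

    def score(self, flow):
        """Bits of surprise relative to the baseline; higher = less normal."""
        return (self._surprisal(self.dport, flow[1])
                + self._surprisal(self.flags, flow[2]))

    def is_anomalous(self, flow):
        return self.score(flow) > self.threshold


def flag_anomalies(profile, flows):
    """Return the subset of flows that deviate from the learned profile."""
    return [f for f in flows if profile.is_anomalous(f)]


if __name__ == "__main__":
    prof = Profile(NORMAL_FLOWS)
    # Constructed test traffic: one ordinary connection, two probes with flag
    # combinations typical of OS fingerprinting, one benign-but-new service.
    traffic = [("10.0.0.9", 80, "S"), ("10.0.0.9", 31337, "FPU"),
               ("10.0.0.9", 22, ""), ("10.0.0.9", 8080, "S")]
    for f in traffic:
        print(f, round(prof.score(f), 2), "ANOMALY" if prof.is_anomalous(f) else "ok")
```

Note that the never-before-seen but benign service on port 8080 is flagged just as the odd-flag probes are: the detector reports novelty, not hostility, which is exactly why the cleanliness of the baseline and the false-positive rate are the things to watch.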


