Re: Specification-based Anomaly Detection

From: Thomas Ptacek (tqbf_at_arbor.net)
Date: 01/05/05

    Date: Wed, 5 Jan 2005 09:58:59 -0500
    To: Roberto Perdisci <roberto.perdisci@gmail.com>

    A bunch of products do this. Their vendors listen on the list and
    they'll chime in shortly.

    However, ask yourself whether this is really a good idea.

    What makes you think that information about supposed RFC violations on
    your network will be actionable? Most people don't find information
    about supposed malicious traffic to be genuinely actionable. I'm not
    aware of any evidence, not even anecdotal, of new vulnerabilities being
    discovered by anomaly detection systems of any stripe.

    And I'm saying this while associated with the industry leader in
    anomaly detection.

    There are things anomaly techniques are very well suited for: worms,
    policy violations, DoS attacks, and in particular attack mitigation.
    Replacing signature IDS is not one of those things.

    On Jan 3, 2005, at 12:59 PM, Roberto Perdisci wrote:

    > some techniques, e.g. Finite State Automaton, to find out anomalies
    > during a client-server command/response session (e.g. FTP, HTTP, SMTP,
    > etc...). The FSA, or conceptually equivalent models, should be
    > implemented following the protocol specifications (RFC) and it would
    >

    ---
    Thomas H. Ptacek // Product Manager, Arbor Networks
    (734) 327-0000
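The protocol FSA that Roberto describes, as an added example that is not part of the original thread: a toy specification-based checker for the SMTP command sequence, which flags commands that are out of order, malformed, or over the command-line limit. The RFC 5321 ordering, argument syntax and length limit are simplified as noted in the comments, and the two sample sessions are constructed, not captured traffic.

```python
import re

# Assumed simplification of the RFC 5321 command ordering (section 4.1.4):
# states are session phases, transitions the commands legal in each phase.
# Anything not listed is an out-of-spec event, which is the anomaly signal.
TRANSITIONS = {
    "CONNECTED": {"EHLO": "GREETED", "HELO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "QUIT": "CLOSED"},
    "MAIL": {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT": {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED"},
    "DATA": {"<EOM>": "GREETED"},  # body ends with a line holding only "."
    "CLOSED": {},
}
SYNTAX = {  # argument syntax for the commands whose arguments the RFC constrains
    "EHLO": re.compile(r"^EHLO \S+$", re.I), "HELO": re.compile(r"^HELO \S+$", re.I),
    "MAIL": re.compile(r"^MAIL FROM:<[^<>\s]*>", re.I),
    "RCPT": re.compile(r"^RCPT TO:<[^<>\s]+>", re.I),
}
MAX_CMD_LINE = 512  # RFC 5321 section 4.5.3.1.4: command line limit in octets

def check_session(lines):
    """Run one client command stream through the FSA and return anomalies as
    (line_no, state, line, reason). A rejected command does not advance the
    state, so later commands are judged against the last known-good phase."""
    state, anomalies = "CONNECTED", []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if state == "DATA" and line != ".":
            continue  # message body lines are not commands
        verb = "<EOM>" if state == "DATA" else line.split(" ", 1)[0].upper()
        if len(line.encode()) > MAX_CMD_LINE:
            reason = "command line exceeds %d octets" % MAX_CMD_LINE
        elif verb not in TRANSITIONS[state]:
            reason = "command not allowed in state %s" % state
        elif verb in SYNTAX and not SYNTAX[verb].match(line):
            reason = "argument violates command syntax"
        else:
            state = TRANSITIONS[state][verb]
            continue
        anomalies.append((n, state, line[:40], reason))  # truncate for the report
    if state != "CLOSED":
        anomalies.append((len(lines), state, "", "session ended without QUIT"))
    return anomalies

# Constructed sample sessions, not real captures.
GOOD_SESSION = ["EHLO mail.example.org", "MAIL FROM:<alice@example.org>",
                "RCPT TO:<bob@example.net>", "DATA", "Subject: hi", "", ".", "QUIT"]
BAD_SESSION = ["RCPT TO:<bob@example.net>", "EHLO mail.example.org",  # RCPT too early
               "MAIL FROM:<alice@example.org>", "RCPT TO:" + "A" * 600,  # oversized
               "DATA", "QUIT"]  # DATA without an accepted RCPT
```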
