Re: Specification-based Anomaly Detection
From: David Barroso (dbarroso_at_s21sec.com)
Date: 01/11/05
- Previous message: Stefano Zanero: "Re: Specification-based Anomaly Detection"
- In reply to: Stefano Zanero: "Re: Specification-based Anomaly Detection"
- Next in thread: Kohlenberg, Toby: "RE: Specification-based Anomaly Detection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 11 Jan 2005 10:52:43 +0100
To: Stefano Zanero <zanero@elet.polimi.it>
* Stefano Zanero (zanero@elet.polimi.it) wrote:
[...]
> >2. Correlation - another important aspect of application layer attacks
> >is that they are not encapsulated in a single packet. Correlation
> >enables us to both correlate different anomalies to generate more
> >meaningful events and to follow longer term attacks.
>
> Yes, but still not automatically - you just give the analyst more
> material to read ;)
But not the global information from the 'big' attack scenario. By only correlating
the packets that go through the network we miss another important source of
information: the logs. IMHO, anomaly detection should mix the data taken from
the network and the data taken from the logs; combining both events would
definitely decrease the amount of false positives, and of course, would help
to detect any not-known attack.
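As an added example, not part of Barroso's post or anything else in the thread: a small Python correlator that pairs network-layer anomaly alerts with host log entries from the same host inside a short time window, which is the network-plus-logs combination the reply argues for. The alert and log line formats and every sample line are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: network anomaly alerts as "<iso-time> <host> <anomaly>"
NET_ALERTS = [
    "2005-01-11T10:52:43 10.0.0.5 oversized-http-request",
    "2005-01-11T10:53:10 10.0.0.7 unusual-sql-keyword-in-uri",
    "2005-01-11T10:58:00 10.0.0.9 oversized-http-request",
]
# Constructed host log lines as "<iso-time> <host> <facility>: <message>"
HOST_LOGS = [
    "2005-01-11T10:52:45 10.0.0.5 httpd: segfault in worker process",
    "2005-01-11T10:53:12 10.0.0.7 mysql: syntax error near 'UNION'",
    "2005-01-11T11:20:00 10.0.0.9 cron: nightly backup complete",
]

@dataclass
class Event:
    ts: datetime
    host: str
    detail: str

def parse_event(line: str) -> Event:
    """Both constructed formats begin with '<iso-time> <host> '; the rest is detail."""
    ts, host, detail = line.split(" ", 2)
    return Event(datetime.fromisoformat(ts), host, detail)

def correlate(net_lines, log_lines, window_seconds: int = 30):
    """Pair each network anomaly with host log events on the same host within
    window_seconds. Alerts with a corroborating log entry go to `confirmed`;
    alerts with none stay in `unconfirmed`, the false-positive suppression candidates."""
    window = timedelta(seconds=window_seconds)
    logs = [parse_event(l) for l in log_lines]
    confirmed, unconfirmed = [], []
    for alert in map(parse_event, net_lines):
        hits = [l for l in logs if l.host == alert.host and abs(l.ts - alert.ts) <= window]
        if hits:
            confirmed.append((alert, hits))
        else:
            unconfirmed.append(alert)
    return confirmed, unconfirmed

if __name__ == "__main__":
    confirmed, unconfirmed = correlate(NET_ALERTS, HOST_LOGS)
    for alert, hits in confirmed:
        print(f"CONFIRMED   {alert.host} {alert.detail} <- {[h.detail for h in hits]}")
    for alert in unconfirmed:
        print(f"unconfirmed {alert.host} {alert.detail}")
```

Widening the window trades missed corroboration for more coincidental matches, so the window size is the knob an analyst tunes per host and per log source.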