Re: Specification-based Anomaly Detection

From: David Barroso (dbarroso_at_s21sec.com)
Date: 01/11/05

    Date: Tue, 11 Jan 2005 10:52:43 +0100
    To: Stefano Zanero <zanero@elet.polimi.it>


    * Stefano Zanero (zanero@elet.polimi.it) wrote:

    [...]

    > >2. Correlation - another important aspect of application layer attacks
    > >is that they are not encapsulated in a single packet. Correlation
    > >enables us both to correlate different anomalies to generate more
    > >meaningful events and to follow longer-term attacks.
    >
    > Yes, but still not automatically - you just give the analyst more
    > material to read ;)

    But not the global information from the 'big' attack scenario. By only
    correlating the packets that go through the network we miss another important
    source of information: the logs. IMHO, anomaly detection should mix the data
    taken from the network and the data taken from the logs; combining both kinds
    of events would definitely decrease the number of false positives and, of
    course, would help to detect any unknown attack.
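The kind of network-plus-log correlation argued for above, as an added example that is not part of the original thread and not code from any of its participants. It joins constructed network-sensor anomaly events with constructed Apache combined-format access-log lines on client address and a short time window, then escalates an anomaly only when the application log corroborates it (server error), suppresses it when the log shows the request was handled normally, and keeps it at low confidence when no log line matches at all. The event format, the five-second window, the corroboration rule and all timestamps and addresses are assumptions made for the illustration; the log and network timestamps are also assumed to be in the same local time zone.

```python
"""Correlate network-layer anomaly events with web-server access-log lines.

Added example, not from the original focus-ids thread. All events, log
lines, addresses and timestamps below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed network-sensor anomaly events (hypothetical sensor format).
NETWORK_EVENTS = [
    {"ts": "2005-01-11T10:40:02", "src": "10.0.0.7",
     "desc": "oversized HTTP request line"},
    {"ts": "2005-01-11T10:41:15", "src": "10.0.0.9",
     "desc": "oversized HTTP request line"},
    {"ts": "2005-01-11T10:45:30", "src": "10.0.0.12",
     "desc": "unusual byte distribution in payload"},
]

# Constructed access-log lines (Apache combined format) for the same period.
# 10.0.0.7 was handled normally, 10.0.0.9 triggered a server error,
# 10.0.0.12 never reached the application log at all.
ACCESS_LOG = """\
10.0.0.7 - - [11/Jan/2005:10:40:03 +0100] "GET /index.html HTTP/1.1" 200 5120
10.0.0.9 - - [11/Jan/2005:10:41:16 +0100] "GET /cgi-bin/search.cgi?q=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 500 312
10.0.0.7 - - [11/Jan/2005:10:52:00 +0100] "GET /about.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed correlation window between a sensor event and a log entry.
WINDOW = timedelta(seconds=5)


def parse_access_log(text):
    """Parse combined-format lines; unparsable lines are skipped, not fatal.

    The numeric zone offset is dropped: this example assumes the sensor and
    the web server log in the same local time.
    """
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                        "path": m["path"], "status": int(m["status"])})
    return entries


def corroborates(entry):
    """Assumed application-layer evidence of misbehaviour: a 5xx response."""
    return entry["status"] >= 500


def correlate(events, log_entries, window=WINDOW):
    """Attach a verdict to each network event based on matching log lines.

    escalate     - a matching log line corroborates the anomaly
    suppress     - matching log lines show normal handling (likely false positive)
    uncorrelated - no log line from that client within the window
    """
    results = []
    for ev in events:
        ev_ts = datetime.fromisoformat(ev["ts"])
        matches = [e for e in log_entries
                   if e["ip"] == ev["src"] and abs(e["ts"] - ev_ts) <= window]
        if not matches:
            verdict = "uncorrelated"
        elif any(corroborates(e) for e in matches):
            verdict = "escalate"
        else:
            verdict = "suppress"
        results.append({"src": ev["src"], "desc": ev["desc"],
                        "verdict": verdict, "log_hits": len(matches)})
    return results


if __name__ == "__main__":
    for r in correlate(NETWORK_EVENTS, parse_access_log(ACCESS_LOG)):
        print(f'{r["src"]:<10} {r["verdict"]:<13} hits={r["log_hits"]} {r["desc"]}')
```

Only the 10.0.0.9 event survives as a high-confidence alert; the 10.0.0.7 event is dropped because the server answered its request normally (the second 10.0.0.7 line falls outside the window and does not count), and the 10.0.0.12 event stays as a low-confidence network-only observation because nothing in the application log explains it. In a real deployment the corroboration rule would be tuned to the application (status codes, request sizes, authentication failures), and clock skew between sensor and server would need to be measured rather than assumed away.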


