Re: Specification-based Anomaly Detection

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 01/20/05

Next message: Adam Powers: "Re: Specification-based Anomaly Detection"

Date: Thu, 20 Jan 2005 22:05:42 +0100
To: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>

Kohlenberg, Toby wrote:

> Right, I got that. But so long as you aren't encrypting the traffic, I
> can dissect it. I won't always get the fragmentation right but I can
> probably figure out the application if I look.

You will. That's my point, actually: you can do anomaly detection
without knowing in advance which traffic matches which app ;)

>> That's something that the algorithm we have developed can recognize ;)
>
> Yes, but not by looking at IP/port pairs. You'll need more detail than
> that.

You don't need that (it would be too easy ;). You just need the packet
payloads, most of the time.

-- 
Kind regards,
Stefano Zanero
Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-3660
Fax.    +39 02 2399-3411
E-mail: zanero@elet.polimi.it
Web:    www.elet.polimi.it/upload/zanero
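The point made above, that payloads alone carry enough signal to group traffic by application and then spot outliers without consulting IP/port pairs, can be shown with a small added example. This is illustration code written for this page, not the algorithm Zanero's group developed or anything posted in the thread: it uses a 256-bin byte-frequency profile as the feature, deterministic centroid-linkage agglomerative clustering to recover the application groups from unlabelled payloads, and a distance-to-nearest-cluster score normalised by that cluster's training radius. The sample payloads, the `MIN_RADIUS` floor and the `THRESHOLD` of 2.0 are constructed assumptions.

```python
"""Payload-only anomaly detection (added example, not code from the thread).

Payloads are clustered by byte-frequency profile with no port or address
information, then new payloads are scored by distance to the nearest cluster.
Feature, clustering method and threshold are this example's own assumptions.
"""
from __future__ import annotations

import math
from collections import Counter

MIN_RADIUS = 0.02   # assumed floor so a tight or singleton cluster cannot flag everything
THRESHOLD = 2.0     # assumed: anomalous if farther than 2x the cluster's training radius


def byte_histogram(payload: bytes) -> list[float]:
    """256-bin relative byte frequencies; independent of payload length."""
    counts = Counter(payload)
    n = max(len(payload), 1)
    return [counts.get(b, 0) / n for b in range(256)]


def euclid(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(vectors: list[list[float]]) -> list[float]:
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(256)]


def agglomerate(vectors: list[list[float]], k: int) -> list[list[int]]:
    """Centroid-linkage agglomerative clustering down to k clusters.

    Deterministic (no random initialisation). O(n^3), fine for a demo; a live
    sensor would need an online clustering method instead.
    """
    clusters = [[i] for i in range(len(vectors))]
    while len(clusters) > k:
        best = None  # (distance, i, j) of the closest pair of clusters
        for i in range(len(clusters)):
            ci = centroid([vectors[x] for x in clusters[i]])
            for j in range(i + 1, len(clusters)):
                d = euclid(ci, centroid([vectors[x] for x in clusters[j]]))
                if best is None or d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return clusters


class PayloadModel:
    """Learned from a training set of payloads only; no port/IP labels."""

    def __init__(self, payloads: list[bytes], k: int) -> None:
        vectors = [byte_histogram(p) for p in payloads]
        self.members: list[list[int]] = agglomerate(vectors, k)
        self.clusters: list[tuple[list[float], float]] = []
        for members in self.members:
            c = centroid([vectors[i] for i in members])
            radius = max(euclid(vectors[i], c) for i in members)
            self.clusters.append((c, max(radius, MIN_RADIUS)))

    def cluster_of(self, index: int) -> int:
        """Cluster number the training payload at `index` ended up in."""
        return next(n for n, m in enumerate(self.members) if index in m)

    def score(self, payload: bytes) -> float:
        """Distance to the nearest centroid, in units of that cluster's radius."""
        v = byte_histogram(payload)
        return min(euclid(v, c) / r for c, r in self.clusters)

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > THRESHOLD


# Constructed sample payloads (not captured traffic): four HTTP requests and
# four SMTP envelopes, given to the model with no hint of which is which.
TRAINING = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\nAccept: */*\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\nAccept: */*\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\nAccept: */*\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\nContent-Length: 0\r\n\r\n",
    b"EHLO mail.example.com\r\nMAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.com>\r\nDATA\r\n",
    b"EHLO mx.example.net\r\nMAIL FROM:<carol@example.net>\r\nRCPT TO:<dave@example.net>\r\nDATA\r\n",
    b"EHLO relay.example.org\r\nMAIL FROM:<erin@example.org>\r\nRCPT TO:<frank@example.org>\r\nDATA\r\n",
    b"EHLO mail.example.com\r\nMAIL FROM:<grace@example.com>\r\nRCPT TO:<heidi@example.com>\r\nQUIT\r\n",
]
NEW_HTTP = b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\nAccept: */*\r\n\r\n"
NEW_SMTP = b"EHLO mail.example.com\r\nMAIL FROM:<ivan@example.com>\r\nRCPT TO:<judy@example.com>\r\nDATA\r\n"
LONG_URI = b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed overlong request
NOP_BLOB = b"\x90" * 64  # constructed binary filler no text protocol would carry

MODEL = PayloadModel(TRAINING, k=2)

if __name__ == "__main__":
    for name, p in [("new HTTP", NEW_HTTP), ("new SMTP", NEW_SMTP),
                    ("long URI", LONG_URI), ("0x90 blob", NOP_BLOB)]:
        print(f"{name:10s} score={MODEL.score(p):6.2f} anomalous={MODEL.is_anomalous(p)}")
```

Nothing in `score` looks at where the packet came from or which port it hit; the two application groups fall out of the payload statistics alone, and both the overlong request and the binary blob land far outside either group. A byte histogram is a deliberately crude feature, so a real deployment would also want n-grams or a per-cluster model richer than a single radius.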
