Re: Specification-based Anomaly Detection

From: Adam Powers (apowers_at_lancope.com)
Date: 01/20/05

  • Next message: Tod Beardsley: "Re: About IPS testing" 
    Date: Wed, 19 Jan 2005 23:43:11 -0500
To: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>, "(infor) urko zurutuza" <uzurutuza@eps.mondragon.edu>, Stefano Zanero <zanero@elet.polimi.it>

    I tend to agree that claming something as "ground breaking" or
    "revolutionary" is irritating beyond all belief. Reminds me of every press
    release from every technology vendor you'll ever read which almost always
    starts with "Company X, the *leader* in product sector Y, today
    announced..." even when they really aren't leading anything. Funny stuff.

    Anyway, where you and I perhaps diverge is on the topic of actual
    implementation. Sure, lots of people have "ideas". "Ideas" have been around
    since the damn of mankind... The real winners are oft those that not only
    have ideas, but also translate those ideas (or the ideas of others) into
    working solutions.

    As anomaly detection technologies go, few (if any) companies have actually
    delivered on any of these age old "ideas". Those that have (Lancope, Arbor,
    Q1Labs) perhaps shouldn't claim to be revolutionary but rather dramatically
    evolutionary.

    -Adam

    On 1/18/05 6:21 PM, "Kohlenberg, Toby" <toby.kohlenberg@intel.com> wrote:

    > I don't see it as being fussy, I see it as being a clear and
    > serious gap in the awareness of the history of intrusion detection.
    > Whenever I talk to vendors or researchers (on any topic) I expect
    > them to know at least as much about their product space as I do
    > (I'm a generalist, if I know it, a specialist damn well better).
    >
    > I don't know about anyone else, but I'm sick of seeing ideas that
    > have been around for 20 years touted as "ground breaking!" or
    > "revolutionary!".
    >
    > t
    >
    >> -----Original Message-----
    >> From: (infor) urko zurutuza [mailto:uzurutuza@eps.mondragon.edu]
    >> Sent: Monday, January 17, 2005 7:47 AM
    >> To: Stefano Zanero; Kohlenberg, Toby
    >> Cc: Ofer Shezaf; focus-ids@lists.securityfocus.com
    >> Subject: RE: Specification-based Anomaly Detection
    >>
    >> Don't be so fussy! I agree with Stefano, the big IDS
    >> trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just
    >> started offering a little bit of real anomaly detection (using
    >> AI instead of signatures!), even if we know that network
    >> anomaly detection is almost 15 years old in the research
    >> comunity (I think the first was NADIR (Network Anomaly
    >> Detector and Intrusion Reporter, of Los Alamos National
    >> Laboratory in 1990).
    >>
    >> __________________________________________________
    >> MONDRAGON UNIBERTSITATEA
    >> Urko Zurutuza
    >> Dpto. Informática
    >> Loramendi 4 - Aptdo.23
    >> 20500 Arrasate-Modragon
    >> Tel. +34 943 739636 // +34 943 794700 Ext.297
    >> www.eps.mondragon.edu
    >> uzurutuza@eps.mondragon.edu
    >>
    >>
    >>
    >>> -----Mensaje original-----
    >>> De: Stefano Zanero [mailto:zanero@elet.polimi.it]
    >>> Enviado el: jueves, 13 de enero de 2005 21:14
    >>> Para: Kohlenberg, Toby
    >>> CC: Ofer Shezaf; focus-ids@lists.securityfocus.com
    >>> Asunto: Re: Specification-based Anomaly Detection
    >>>
    >>> Kohlenberg, Toby wrote:
    >>>
    >>>>> - and that anomaly detection (in particular techniques
    >> which are not
    >>>>> rate-based) is a relative "newcomer" in the COMMERCIAL field of
    >>>>> intrusion detection, where most of the products are built
    >>> on a misuse
    >>>>> detection approach.
    >>>>
    >>>> Really? What would you call CMDS? Which was a commercial
    >>> system that
    >>>> used anomaly detection by building user profiles and was available
    >>>> from ODS in the mid-90s?
    >>>
    >>> My omission here: I meant NETWORK intrusion detection, as we
    >>> were talking about NIDS in those posts. Commercial anomaly
    >>> detection systems exist.
    >>>
    >>> --
    >>> Cordiali saluti,
    >>> Stefano Zanero
    >>> Dottorando di Ricerca / Ph.D. Student
    >>>
    >>> Politecnico di Milano - Dip. Elettronica e Informazione Via
    >>> Ponzio, 34/5 I-20133 Milano - ITALY
    >>> Tel. +39 02 2399-3660
    >>> Fax. +39 02 2399-3411
    >>> E-mail: zanero@elet.polimi.it
    >>> Web: www.elet.polimi.it/upload/zanero
    >>>
    >>> --------------------------------------------------------------
    >>> ------------
    >>> Test Your IDS
    >>>
    >>> Is your IDS deployed correctly?
    >>> Find out quickly and easily by testing it with real-world
    >>> attacks from CORE IMPACT.
    >>> Go to
    >>> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >>> to learn more.
    >>> --------------------------------------------------------------
    >>> ------------
    >>>
    >>>
    >>
    >> ---------------------------------------------------------------
    >> -----------
    >> Test Your IDS
    >>
    >> Is your IDS deployed correctly?
    >> Find out quickly and easily by testing it with real-world attacks from
    >> CORE IMPACT.
    >> Go to
    >> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >> to learn more.
    >> ---------------------------------------------------------------
    >> -----------
    >>
    >>
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > --------------------------------------------------------------------------
    > 

    -- 
Adam  Powers
Senior Security Engineer
Advanced  Technology Group
c. 678.725.1028
o. 770.225.6521
f. 770.225.6501
e. apowers@lancope.com
AOL IM:  adampowers22
StealthWatch by Lancope - Security  through network intelligence
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
  • Next message: Tod Beardsley: "Re: About IPS testing"