Re: IDS - DECISION SUPPORT SYSTEM

From: Augusto Paes de Barros (apbarros_at_gmail.com)
Date: 08/16/05

    Date: Tue, 16 Aug 2005 13:26:18 -0300
    To: focus-ids@securityfocus.com

    Patrick,

    My suggestion is to use counters for several types of entities. Each
    IDS event will increment some counters with a given quantity,
    according to its severity. Then you use thresholds based on the
    score of the entities in a given time interval. An entity that
    rises above the threshold triggers an alert, and the events that
    caused the above-average score are shown to the analyst for
    further investigation.

    Some good entities can be: hosts, networks, applications, users,
    protocols. You can improve the system by monitoring traffic with
    netflows and generating events for abnormal traffic, also based on
    thresholds.

    Regards,

    --
    Augusto Paes de Barros, CISSP-ISSAP(r)
    http://www.paesdebarros.com.br
    On 12 Aug 2005 05:18:36 -0000, trantichphuoc@yahoo.com
    <trantichphuoc@yahoo.com> wrote:
    > Hi There
    >
    > I am doing a project of applying data mining techniques to Intrusion Detection systems.
    >
    > I am also interested in DECISION SUPPORT SYSTEM (Note that this is decision SUPPORT system, not decision MAKING. So it does not make decision but SUPPORT the decision making process.). So I decide to have DECISION SUPPORT SYSTEM as a section of my project.
    >
    > The problem is that I don't know how to LINK Intrusion Detection to DECISION SUPPORT SYSTEM.
    >
    > I thought: IDS can detect possible THREATS and this helps Network Admin to make DECISION about the security level, or DO corrective ACTIONS.
    >
    > Can you give me some thoughts on HOW TO LINK/RELATE IDS to DECISION SUPPORT SYSTEM? In other words, how can IDS be considered as a DECISION SUPPORT SYSTEM, and are there any products relating to this topic in the real world?
    >
    > Thanks
    >
    > Have a nice day
    >
    > Patrick Tran
    >
    >
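The counter-and-threshold scheme described above, as an added example that is not part of the original post: each IDS event adds a severity weight to the counter of every entity it names (host, user, protocol, ...), the counter covers a sliding time window, and an entity that crosses its threshold raises one alert carrying the events that produced the score. The severity weights, window, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed severity weights: how much one event adds to each entity's counter.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}

# Entity types tracked, read as fields of an event dict when present.
ENTITY_FIELDS = ("src_host", "dst_host", "network", "application", "user", "protocol")


class EntityScorer:
    """Per-entity score over a sliding window of `window` seconds (assumed semantics)."""

    def __init__(self, window, thresholds):
        self.window = window
        self.thresholds = thresholds        # {entity_type: score that triggers an alert}
        self.events = defaultdict(deque)    # (type, value) -> deque of (ts, weight, event)

    def _expire(self, key, now):
        q = self.events[key]
        while q and q[0][0] <= now - self.window:   # drop events outside the window
            q.popleft()

    def score(self, key):
        return sum(w for _, w, _ in self.events[key])

    def add(self, event):
        """Feed one IDS event; return alerts for entities that just crossed their threshold."""
        alerts = []
        w = SEVERITY_WEIGHT[event["severity"]]
        for etype in ENTITY_FIELDS:
            if etype not in event:
                continue
            key = (etype, event[etype])
            self._expire(key, event["ts"])
            before = self.score(key)
            self.events[key].append((event["ts"], w, event))
            limit = self.thresholds.get(etype)
            # Alert once, on the crossing, and hand the analyst the contributing events.
            if limit is not None and before < limit <= self.score(key):
                alerts.append({"entity": key, "score": self.score(key),
                               "events": [e for _, _, e in self.events[key]]})
        return alerts


# Constructed sample events (not real IDS output); ts is seconds.
SAMPLE_EVENTS = [
    {"ts": 0,   "severity": "low",    "src_host": "10.0.0.5", "protocol": "tcp", "user": "alice"},
    {"ts": 30,  "severity": "medium", "src_host": "10.0.0.5", "protocol": "tcp"},
    {"ts": 45,  "severity": "high",   "src_host": "10.0.0.5", "protocol": "ssh"},
    {"ts": 400, "severity": "low",    "src_host": "10.0.0.5", "protocol": "tcp"},
]


def run(events, window=300, thresholds=None):
    scorer = EntityScorer(window, thresholds or {"src_host": 12, "user": 5, "protocol": 12})
    return [a for ev in events for a in scorer.add(ev)]
```

With the sample data only the source host 10.0.0.5 crosses its threshold (1 + 3 + 10 = 14 within 300 s); the event at ts=400 arrives after the earlier ones have expired, so it starts a fresh count rather than re-alerting.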
