Re: IDS - DECISION SUPPORT SYSTEM

From: Augusto Paes de Barros (apbarros_at_gmail.com)
Date: 08/16/05

    Date: Tue, 16 Aug 2005 13:26:18 -0300
    To: focus-ids@securityfocus.com
    
    

    Patrick,

    My suggestion is to use counters for several types of entities. Each
    IDS event will increment some counters with a given quantity,
    according to its severity. Then you use thresholds based on the
    score of the entities in a given time interval. An entity that
    rises above the threshold triggers an alert, and the events that
    caused the above-average score are shown to the analyst for
    further investigation.

    Some good entities can be: hosts, networks, applications, users,
    protocols. You can improve the system by monitoring traffic with
    netflows and generating events for abnormal traffic, also based on
    thresholds.

    Regards,

    --
    Augusto Paes de Barros, CISSP-ISSAP(r)
    http://www.paesdebarros.com.br
    On 12 Aug 2005 05:18:36 -0000, trantichphuoc@yahoo.com
    <trantichphuoc@yahoo.com> wrote:
    > Hi There
    >
    > I am doing a project of applying data mining techniques to Intrusion Detection systems.
    >
    > I am also interested in DECISION SUPPORT SYSTEM (Note that this is decision SUPPORT system, not decision MAKING. So it does not make decision but SUPPORT the decision making process.). So I decide to have DECISION SUPPORT SYSTEM as a section of my project.
    >
    > The problem is that I don't know how to LINK Intrusion Detection to DECISION SUPPORT SYSTEM.
    >
    > I thought: IDS can detect possible THREATS and this helps Network Admin to make DECISION about the security level, or DO corrective ACTIONS.
    >
    > Can you give me some thoughts on HOW TO LINK/RELATE IDS to DECISION SUPPORT SYSTEM? In other words, how can IDS be considered as a DECISION SUPPORT SYSTEM, and are there any products relating to this topic in the real world?
    >
    > Thanks
    >
    > Have a nice day
    >
    > Patrick Tran
    >
    >
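The counter-and-threshold scheme Augusto describes, written out as a small working model. This is an added example, not code from the post or from any product: the entity types (host, network, protocol), the severity weights, the window length and the threshold are assumed, and the IDS events are constructed. Each event adds its severity weight to every entity it touches; an entity whose score over the sliding window reaches the threshold raises one alert that carries the contributing events for the analyst, and the score decays as events fall out of the window.

```python
"""Per-entity scoring of IDS events with sliding-window thresholds (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Quantity added to each entity an event touches, by severity (assumed values).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 10}


@dataclass(frozen=True)
class Event:
    ts: float          # event time in seconds; events must be fed in time order
    src_host: str
    dst_net: str
    protocol: str
    severity: str
    signature: str


@dataclass
class Alert:
    entity: tuple      # e.g. ("host", "192.0.2.10")
    score: int         # windowed score at the moment the threshold was crossed
    events: list       # the events that produced the score, for the analyst


class EntityScorer:
    """Keeps a sliding-window score per entity; alerts once per threshold crossing."""

    def __init__(self, window_seconds, threshold):
        self.window = window_seconds
        self.threshold = threshold
        self._hits = defaultdict(deque)   # entity -> deque of (ts, weight, event)
        self._above = set()               # entities currently at or over threshold

    @staticmethod
    def entities_of(ev):
        # Entity types taken from the post: hosts, networks, protocols (assumed keys).
        return (("host", ev.src_host), ("network", ev.dst_net), ("protocol", ev.protocol))

    def _expire(self, dq, now):
        # Drop hits older than the window so scores decay over time.
        while dq and dq[0][0] <= now - self.window:
            dq.popleft()

    def score(self, entity, now):
        dq = self._hits[entity]
        self._expire(dq, now)
        return sum(weight for _, weight, _ in dq)

    def add(self, ev):
        """Feed one IDS event; return the alerts it raises (possibly none)."""
        weight = SEVERITY_WEIGHT[ev.severity]
        alerts = []
        for entity in self.entities_of(ev):
            self._hits[entity].append((ev.ts, weight, ev))
            total = self.score(entity, ev.ts)
            if total >= self.threshold:
                # Alert only on the crossing, not on every event while still above.
                if entity not in self._above:
                    self._above.add(entity)
                    alerts.append(Alert(entity, total, [e for _, _, e in self._hits[entity]]))
            else:
                self._above.discard(entity)
        return alerts


# Constructed sample events; not real IDS output.
SAMPLE_EVENTS = [
    Event(0,   "192.0.2.10", "10.0.1.0/24", "tcp", "low",    "port scan"),
    Event(10,  "192.0.2.10", "10.0.1.0/24", "tcp", "medium", "ssh brute force"),
    Event(20,  "192.0.2.11", "10.0.1.0/24", "udp", "medium", "dns amplification"),
    Event(30,  "192.0.2.10", "10.0.1.0/24", "tcp", "medium", "ssh brute force"),
    Event(40,  "192.0.2.10", "10.0.2.0/24", "tcp", "medium", "web app attack"),
    Event(41,  "192.0.2.10", "10.0.2.0/24", "tcp", "low",    "port scan"),
    Event(120, "192.0.2.10", "10.0.2.0/24", "tcp", "low",    "port scan"),
]


def run_demo(window=60, threshold=10):
    """Replay the sample events; return the scorer and every alert raised."""
    scorer = EntityScorer(window, threshold)
    alerts = []
    for ev in SAMPLE_EVENTS:
        alerts.extend(scorer.add(ev))
    return scorer, alerts


if __name__ == "__main__":
    scorer, alerts = run_demo()
    for a in alerts:
        print(f"ALERT {a.entity} score={a.score} at t={a.events[-1].ts}")
        for e in a.events:
            print(f"    t={e.ts:>4} {e.severity:<6} {e.signature} ({e.src_host} -> {e.dst_net})")
```

With these inputs the network 10.0.1.0/24 crosses the threshold first (four events by t=30), then the host 192.0.2.10 and the protocol tcp at t=40; the event at t=41 pushes scores higher but raises nothing new, and by t=120 every earlier hit has expired so the same host is back to a score of 1. The `_above` set is what keeps a noisy entity from re-alerting on every event; how that state is reset (here, when the windowed score drops below the threshold) is the main tuning knob.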
    
