Re: IPS comparison
From: Stefano Zanero (s.zanero_at_securenetwork.it)
Date: 08/30/05
- Previous message: Sanjay Rawat: "Re: IPS comparison"
- In reply to: Sanjay Rawat: "Re: IPS comparison"
- Next in thread: Ron Gula: "Re: IPS comparison"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Aug 2005 09:58:32 +0200
To: Sanjay Rawat <sanjayr@intoto.com>, Focus-Ids Mailing List <focus-ids@securityfocus.com>
Sanjay Rawat wrote:
> Hi Stefano:
> I got confused over one comment made by you: "First hint of the day: if
> there is a regexp there, it's NOT anomaly detection." Why is it so? I can
> use association or frequent episode rules to capture normal behavior (you
> know this), and I can use regexp to represent such rules.
Let me rephrase my comment then:
"If there is a GIVEN SET of regexp there, it's not anomaly detection"
If you create an induction algorithm for GENERATING a set of rules
describing normal behavior, you are creating an anomaly detection
system; if you instead give your customer a predefined set of rules to
match his traffic against, you cannot be far away from simple "protocol
anomaly detection" systems.
Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
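The distinction drawn in the reply above, as an added example that is not code from the original thread or from either poster: a small induction algorithm that GENERATES one regexp per request parameter from a constructed sample of normal HTTP request lines, placed next to a predefined (given) regexp list of the kind a vendor ships to every customer. The request sample, the function names and the generalisation heuristic (character classes seen plus a length window) are assumptions made for illustration, not a description of any product.

```python
"""Rule induction from observed traffic versus a fixed rule set (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed training sample, assumed to be normal traffic for this application.
NORMAL_TRAFFIC = [
    "GET /app/item?id=1042&sort=asc HTTP/1.1",
    "GET /app/item?id=77&sort=asc HTTP/1.1",
    "GET /app/item?id=900312&sort=desc HTTP/1.1",
    "GET /app/search?q=blue+shoes HTTP/1.1",
    "GET /app/search?q=running HTTP/1.1",
    "GET /app/search?q=socks+12 HTTP/1.1",
]

# A GIVEN set of regexps: hand-written, shipped as-is, matched against any
# customer's traffic. This is misuse/"protocol anomaly" style detection.
PREDEFINED_RULES = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"\.\./"),
    re.compile(r"<script", re.I),
]


def split_request(line):
    """Return (path, [(param, value), ...]) for one HTTP request line."""
    _method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def char_classes(value):
    """Character classes present in a value: digits, letters, or escaped literals."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("0-9")
        elif ch.isalpha():
            classes.add("A-Za-z")
        else:
            classes.add(re.escape(ch))
    return classes


def induce_rules(requests, slack=2):
    """Generate one regexp per (path, parameter) from the observed values.

    Nobody writes these patterns by hand: each is generalised from the
    training sample (classes seen, length range widened by `slack`).
    """
    observed = defaultdict(list)
    for line in requests:
        path, params = split_request(line)
        for name, value in params:
            observed[(path, name)].append(value)
    rules = {}
    for key, values in observed.items():
        classes = set().union(*(char_classes(v) for v in values))
        lengths = [len(v) for v in values]
        lo, hi = max(1, min(lengths) - slack), max(lengths) + slack
        pattern = "^[%s]{%d,%d}$" % ("".join(sorted(classes)), lo, hi)
        rules[key] = re.compile(pattern)
    return rules


def anomalies(rules, line):
    """Deviations of one request from the induced model of normal traffic."""
    path, params = split_request(line)
    known_paths = {p for p, _ in rules}
    if path not in known_paths:
        return [("unknown path", path)]
    findings = []
    for name, value in params:
        rule = rules.get((path, name))
        if rule is None:
            findings.append(("unknown parameter", name))
        elif not rule.fullmatch(value):
            findings.append(("value outside learned profile", "%s=%s" % (name, value)))
    return findings


def signature_hits(line):
    """Patterns from the predefined (given) set that fire on the request line."""
    return [r.pattern for r in PREDEFINED_RULES if r.search(line)]


if __name__ == "__main__":
    rules = induce_rules(NORMAL_TRAFFIC)
    for key, rule in sorted(rules.items()):
        print("induced", key, rule.pattern)
    for probe in [
        "GET /app/item?id=1042%27%20OR%201%3D1&sort=asc HTTP/1.1",   # unknown attack
        "GET /app/search?q=a%20much%20longer%20query%20here HTTP/1.1",  # benign, unseen
        "GET /app/search?q=shoes&debug=1 HTTP/1.1",
    ]:
        print(probe, "->", anomalies(rules, probe), signature_hits(probe))
```

The first probe carries a quoting attack that none of the given patterns describe, yet it falls outside the induced `^[0-9]{1,8}$` profile for `id`; the second is benign but is flagged because the training sample never showed a long search string. That second case is the cost of an induced rule set: the rules are only as good as the traffic they were generated from, which is exactly what a predefined set avoids by not learning anything.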