Re: IPS comparison

• Previous message: Billy Dodson: "RE: Cisco IDS - RDEP client - Export data?"
• In reply to: Sanjay Rawat: "Re: IPS comparison"
• Next in thread: Sanjay Rawat: "Re: IPS comparison"
• Reply: Sanjay Rawat: "Re: IPS comparison"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Sanjay Rawat <sanjayr@intoto.com>
Date: Fri, 09 Sep 2005 12:48:39 -0500

On Thu, 2005-09-08 at 11:06 +0530, Sanjay Rawat wrote:
> the points which you raised are correct, but this is the underline
> assumption that you have CLEAN attack-free data to train your anomaly IDS.
> in the example, which you put, you need to ensure that your new host
is not
> compromised.

Well of course. I would hope that you can control your environment
enough so that you have an attack-free "window" where you can define, or
let it learn, the profile of "known good" traffic.

> Also, from time to time, you need to update the learning by
> putting your IDS in learning/training mode. In fact, such things are main
> barriers in deploying anomaly based IDS.

I disagree with that. If you retrain your anomaly based IDS on a
periodic bases, you will pollute your "known good" profile. Instead, I'd
suggest you retrain it whenever you made infrastructure changes and have
expected traffic present that deviate from the "normal" profile. Then
the IDS will adjust to the "new normal" traffic flow.

If you don't make any changes to the environment, I would not retrain
the IDS. So your "from time to time" action should be trigger by known
events (known host/traffic changes) and not blindly on a periodic
basis.

Cheers,
Frank

-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.

• application/pgp-signature attachment: This is a digitally signed message part

• Previous message: Billy Dodson: "RE: Cisco IDS - RDEP client - Export data?"
• In reply to: Sanjay Rawat: "Re: IPS comparison"
• Next in thread: Sanjay Rawat: "Re: IPS comparison"
• Reply: Sanjay Rawat: "Re: IPS comparison"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: UCLA student tazered in library ... IDs. ... it's fine to tazer someone for not identifying himself? ... and refusing to leave. ... Tasing his ragged ass is probably pretty forgivable, given his profile. ... (rec.martial-arts) Which formula? ... I have two column of IDs that I ... row to the second row to see first if it exists and then if not, ... advice or guidance you can provide is greatly ... ExcelN00B06's Profile: http://www.excelforum.com/member.php?action=getinfo&userid=33576 ... (microsoft.public.excel.worksheet.functions) Re: Replacing a number value with text from array ... and the list of IDs is in A1:A100 ... and drag down the formula ... I need to be able to replace customer ID numbers with the customer name ... JB1981's Profile: ... (microsoft.public.excel.worksheet.functions) Re: IPS comparison ... >> barriers in deploying anomaly based IDS. ... >suggest you retrain it whenever you made infrastructure changes and have ... some "incremental learning algorithm", you need not to worry about loosing ... INTOTO Software (India) Private Limited ... (Focus-IDS)