Re: normal behaviour definition

From: Sanjay Rawat (sanjayr_at_intoto.com)
Date: 10/07/05

    Date: Fri, 07 Oct 2005 11:30:24 +0530
    To: Nakul Aggarwal <nakula@gmail.com>, focus-ids@securityfocus.com
    
    

    There are two ways to get normal behavior:
    1. You make sure that, while capturing the data, no attack is being
    launched. This is rather a costly assumption, as you need to ensure a
    closed environment (like DARPA or some other data sets, available on NET).
    2. It is assumed that the normal to abnormal ratio is 100:5 (+-2) (see the
    work of Eskin, University of Columbia). Therefore, if we see this data from
    a statistical point of view, abnormal data should be seen as outliers. In
    other words, if you apply some statistical (or other DM/ML) techniques, you
    should be able to filter outliers, thus abnormal traffic.

    I hope it will give some insight.
    Sanjay

    At 11:41 AM 10/6/2005, Nakul Aggarwal wrote:
    >Hi everyone,
    >I am working on a project of behavioral anomaly detection. In some of
    >the papers I read, authors talk about the difficulty of accurate
    >definition of "normal" behavior but after that they either use
    >standard data sets (MIT ones or KDD) or just say "first normal behavior
    >was learnt and then evaluations are performed."
    >
    >But how normal behavior was defined/learnt, that no-one tells. Can
    >someone throw some light on this?
    >
    >Thanking You
    >regards
    >Nakul Aggarwal

    Sanjay Rawat
    Senior Software Engineer
    INTOTO Software (India) Private Limited
    Uma Plaza, Above HSBC Bank, Nagarjuna Hills
    PunjaGutta,Hyderabad 500082 | India
    Office: + 91 40 23358927/28 Extn 422
    Website : www.intoto.com
       Homepage: http://sanjay-rawat.tripod.com
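
Point 2 of the reply above, worked through as an added example that is not part of the original post: an unlabeled capture at the 100:5 ratio is filtered with a median/MAD modified z-score (a technique chosen here for illustration, not the method from the cited work), and the baseline learned from the filtered data is compared with one learned from the raw capture. The traffic values, the 3.5 cutoff and the function names are assumptions.

```python
import statistics

def robust_filter(values, cutoff=3.5):
    """Split values into (kept, dropped) using the median/MAD modified z-score.

    Median and MAD are barely moved by a small fraction of extreme samples,
    so they can be estimated on the contaminated capture itself.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        # More than half the samples are identical: no scale to judge against.
        return list(values), []
    kept, dropped = [], []
    for v in values:
        score = 0.6745 * abs(v - med) / mad
        (dropped if score > cutoff else kept).append(v)
    return kept, dropped

def learn_baseline(values, k=3.0):
    """Upper alert threshold for 'normal': mean + k * standard deviation."""
    return statistics.mean(values) + k * statistics.pstdev(values)

# Constructed sample: connections per minute from one host.
# 100 normal samples (40..59) and 5 attack samples, i.e. the 100:5 ratio.
NORMAL = [40 + (i * 7) % 20 for i in range(100)]
ATTACK = [400, 450, 500, 550, 600]
CAPTURE = NORMAL[:50] + ATTACK + NORMAL[50:]   # unlabeled, attacks mixed in

def demo():
    kept, dropped = robust_filter(CAPTURE)
    naive = learn_baseline(CAPTURE)   # trained on contaminated data
    clean = learn_baseline(kept)      # trained after outlier filtering
    return kept, dropped, naive, clean

if __name__ == "__main__":
    kept, dropped, naive, clean = demo()
    print("dropped as outliers:", sorted(dropped))
    print("threshold from raw capture:      %.1f" % naive)
    print("threshold from filtered capture: %.1f" % clean)
    probe = 200  # constructed later observation, four times the normal rate
    print("probe flagged (raw baseline):     ", probe > naive)
    print("probe flagged (filtered baseline):", probe > clean)
```

The raw-capture threshold is inflated by the attack samples themselves, so a later burst of 200 connections per minute passes unnoticed, while the baseline learned after filtering flags it.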