anomaly IDS ideas ?

hello,
im a computer science student and i have to do my graduation project
next
semester, i want to do it on anomaly IDS's. i have searched the
internet and
found little on that subject,here are my ideas on how to implement a
network
anomaly IDS,please correct me where im wrong or if u have any other
references or ideas i would be happy to hear from you:
the IDS will have 2 stages;first it will study the network traffic and
build
some kind of a database that keeps what should be marked as 'safe' and
after
collecting enough information it should start running and issue alerts
when
anomalies happen(network data will be compared to the database built in
the
first stage),this is the data im going to collect:
1-information about each hostname,IP address,and MAC address.(i think
this
should stop ARP Poisoning attacks by comparing later traffic to the
database
of MAC addresses associated with IP addresses)
2-ports open on each host and ports that each host connects to.the IDS
should issue an alert if the host opens a port which wasnt open before
or
tries to connect to a new port; with this i think that exploits that
use
bind or connectback shellcode should be stopped.
3-times each host uses the network and which usernames it uses to
connect to
network resources; this should enable the IDS to detect if someone else
is
using the computer or using a different username.

this is it :) i know that this is not near enough and that is why im
sending
this email, for example if someone uses an upload/exec shellcode in an
exploit i dont think that the IDS will detect it, or if a trojan
connects to
a common port(for example port 80) the IDS won't notice it.
another thing i want is to minimize false positives,which is an
important
thing.the main aim of the IDS will be to stop 0day attacks from
happening,
so if anyone has any ideas or any references i would really appreciate
it.
thank you,


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: anomaly IDS ideas ?
    ... Check www.cfengine.org, it is not an IDS, but may bring to you some ... anomalies happen(network data will be compared to the database built in ... 2-ports open on each host and ports that each host connects to.the IDS ... should issue an alert if the host opens a port which wasnt open before ...
    (Focus-IDS)
  • Re: anomaly IDS ideas ?
    ... anomalies happen(network data will be compared to the database built in ... 2-ports open on each host and ports that each host connects to.the IDS ... should issue an alert if the host opens a port which wasnt open before ...
    (Focus-IDS)
  • Re: IDS evaluations procedures
    ... "All IDS devices are subject to large numbers of false positives, ... why if you're making a new investment you should consider IPS technology, ... Traffic-based anomalies? ... Are you only interested in classic "attacks" (fire up Nessus, ...
    (Focus-IDS)
  • RE: IDS evaluations procedures
    ... An example would be to use an IPS to force all HTTP requests to have the host header www.xyz.com this will stop a significant proportion of HTTP noise before signature matching. ... Conversely with IDS you just don’t have the ability to white list traffic in this way, I guess you could RST any request that didn’t match the URL but I think fragmented buffer overflows and the like could sneak through - so it’s risky. ... Traffic-based anomalies? ... Are you only interested in classic "attacks" (fire up Nessus, ...
    (Focus-IDS)
  • Re: IDS evaluations procedures
    ... > have spent a lot of time working with IPS in an IDS orientated company. ... > signatures based on known attack vectors but only on the ... Traffic-based anomalies? ...
    (Focus-IDS)