Re: IDS vs Application Proxy Firewal

Omar Herrera wrote:

Anomaly detection in the end is still a form of blacklisting.

No, actually, it isn't. It's the contrary of it, by definition.

Even if
you use general patterns instead of specific ones, you are still doing a
match against activity that is known to be bad

Then it is misuse detection, and not anomaly detection. You may wish to
refer to Bace's work on intrusion detection for quickly getting to speed
with modern research on the area.

introduce higher false postive rates as well. No research will make
anomaly detection a better alternative than white lists (from an
effectiveness point of view),

You mean, except for the fact that whitelisting, except in some very
specific setting, is not a viable approach to manage complex information
systems ?

everything else. Within http traffic you can't block all requests, but
businesses and individuals might know the characteristics of good inputs
and outputs and filter accordingly.

Businesses and individuals do not know anything of the kind. Otherwise,
well, they would be doing what you suggest :)

Anomaly detection is all about learning automatically "whitelists" of
normal activities.

I will jump your examples, as they are actually excellent examples of
why manually created whitelists are completely unusable in any modern

Sure, some anomaly detection devices try to learn from the environment
what is good and bad.

ANY anomaly detector will do that.

In practice you will get only information on what
is significantly (e.g. statistically) different from the point where you
took your measures.

No, this is not true. You evidently don't know most of the recent
research on the subject (which is what Damiano, and I incidentally, tend
to do for a living :) )

Bad things that happened at the time of measurement
might be legitimized, new good things might be marked as bad.

These are problems that have been widely studied. To claim there's no
way around them is false.

Security departments has no excuse to not white list these days in my

Except having an actual, real world network to run, you mean ?

White listing is a naive approach, which is perfect only in a very
limited setting of drones all doing the same things. In a modern network
of empowered users it won't hold for a second.


Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.