Dailydave mailing list archives
Re: Encrypted Malware Traffic Detection == hilarious?
From: Thorsten Holz <thorsten.holz () gmail com>
Date: Wed, 21 Jun 2017 20:33:33 +0200
On Wed, Jun 21, 2017 at 4:25 PM, dave aitel <dave () immunityinc com> wrote:
> 99% effective with the kind of traffic a normal network sees means you are FLOODED AND OVERWHELMED WITH FALSE POSITIVES. Although they don't specify what that number even means. Is it false positives? False negatives? Both? Let's just say this: 99.99% is useless when doing a network-based IDS.
More details are available in a technical report: https://arxiv.org/pdf/1607.01639.pdf

Starting on page 8, the evaluation is explained in more detail. 99% reflects the accuracy, but the 1-in-10,000 false discovery rate (FDR) is much lower even in their tests. Furthermore, all these results were obtained in synthetic tests where the ratio of malicious traffic to benign traffic was almost 1:1 ("In total, there were 225,740 malicious and 225,000 enterprise flows for this experiment")...

Cheers,
Thorsten
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
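The base-rate arithmetic behind the two messages above, as an added worked example (not code from the thread or from the paper): the same detector is scored first on the near-1:1 flow mix quoted from the report (225,740 malicious vs 225,000 benign flows) and then on an assumed enterprise day. The detector's true-positive rate (0.99) and false-positive rate (0.0001, i.e. "99.99%" specificity), the 10,000,000 flows/day volume and the 100 malicious flows in it are all assumptions chosen for illustration, not figures from the report.

```python
"""Accuracy vs. false discovery rate under different base rates.

Added example; not from the paper or the mailing-list thread.
"""
from dataclasses import dataclass

# Flow counts quoted from the technical report's experiment (from the message above).
PAPER_MALICIOUS = 225_740
PAPER_BENIGN = 225_000

# Assumed enterprise day: 10M flows, 100 of them malicious (1 in 100,000).
# These numbers are assumptions for illustration only.
DAY_MALICIOUS = 100
DAY_BENIGN = 10_000_000 - DAY_MALICIOUS

# Assumed detector quality: catches 99% of bad flows, flags 0.01% of good ones.
ASSUMED_TPR = 0.99
ASSUMED_FPR = 0.0001


@dataclass(frozen=True)
class Outcome:
    """Expected confusion-matrix cells for one evaluation population."""
    tp: float
    fp: float
    tn: float
    fn: float

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.fp + self.tn + self.fn)

    @property
    def fdr(self) -> float:
        """Share of alerts that are false: FP / (TP + FP). 0 if nothing alerted."""
        alerts = self.tp + self.fp
        return self.fp / alerts if alerts else 0.0

    @property
    def alerts(self) -> float:
        return self.tp + self.fp


def evaluate(tpr: float, fpr: float, n_malicious: int, n_benign: int) -> Outcome:
    """Project a detector with the given TPR/FPR onto a population with the given class counts."""
    tp = tpr * n_malicious
    fp = fpr * n_benign
    return Outcome(tp=tp, fp=fp, tn=n_benign - fp, fn=n_malicious - tp)


def max_fpr_for_fdr(target_fdr: float, tpr: float, n_malicious: int, n_benign: int) -> float:
    """Largest FPR that keeps FDR <= target_fdr at this base rate.

    FDR = FP/(TP+FP) <= t  <=>  FP <= t/(1-t) * TP, with FP = fpr*n_benign, TP = tpr*n_malicious.
    """
    return (target_fdr / (1.0 - target_fdr)) * tpr * n_malicious / n_benign


def compare(tpr: float = ASSUMED_TPR, fpr: float = ASSUMED_FPR) -> dict:
    """Same detector, two populations: the report's 1:1 mix and an assumed enterprise day."""
    return {
        "paper_ratio": evaluate(tpr, fpr, PAPER_MALICIOUS, PAPER_BENIGN),
        "enterprise_day": evaluate(tpr, fpr, DAY_MALICIOUS, DAY_BENIGN),
        # FPR needed so that at most half of the day's alerts are false.
        "fpr_for_half_false_alerts": max_fpr_for_fdr(0.5, tpr, DAY_MALICIOUS, DAY_BENIGN),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        if isinstance(o, Outcome):
            print(f"{name:16s} accuracy={o.accuracy:.4%} FDR={o.fdr:.2%} "
                  f"alerts={o.alerts:,.0f} (false={o.fp:,.0f})")
        else:
            print(f"{name:16s} {o:.2e}")
```

On the report's near-1:1 mix the assumed detector scores about 99.5% accuracy with an FDR of roughly 1 in 10,000, i.e. the kind of numbers the thread is arguing about. On the assumed enterprise day its accuracy is still "99.99%", but about 1,000 of its roughly 1,100 daily alerts are false (FDR around 91%), and holding false alerts to half would require an FPR near 1 in 100,000, an order of magnitude tighter. Accuracy and FDR measured at 1:1 say almost nothing about alert quality at a realistic base rate.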
Current thread:
- Encrypted Malware Traffic Detection == hilarious? dave aitel (Jun 21)
- Re: Encrypted Malware Traffic Detection == hilarious? Dominique Brezinski (Jun 21)
- Re: Encrypted Malware Traffic Detection == hilarious? Dave Aitel (Jun 21)
- Re: Encrypted Malware Traffic Detection == hilarious? Thorsten Holz (Jun 21)
- Re: Encrypted Malware Traffic Detection == hilarious? Jim Bieda (Jun 25)
- Re: Encrypted Malware Traffic Detection == hilarious? Robert Graham (Jun 25)
- Re: Encrypted Malware Traffic Detection == hilarious? Dominique Brezinski (Jun 21)