Firewall Wizards mailing list archives

Re: When to do something about detected attacks (was Re: how to do...)


From: Aleph One <aleph1 () dfw net>
Date: Wed, 15 Apr 1998 22:37:21 -0500 (CDT)

On Wed, 15 Apr 1998, Sheila Or Bob (depends on who is writing) wrote:

> Can we apply "data mining" techniques with some sort of
> security policy filter to the data we capture for an IDS?  I think so.
> I think some products can do this.

There is actually a nice paper in the proceedings of the last USENIX
Security Symposium on this topic: "Data Mining Approaches for Intrusion
Detection", Wenke Lee & Salvatore J. Stolfo. They provide two examples of
ways to use data mining techniques for intrusion detection. The first
uses system call traces as the data set. The second uses tcpdump output.
They had some good results, but just like AD systems the algorithms must be
trained to know what is "normal" or what is an attack signature.

> thanks!
> bob
>
> --
> real address is shsrms at erols dot com
> The Herbal Gypsy and the Tinker.


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
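The point about training on "normal" behaviour can be made concrete with a small anomaly detector over system-call traces. The code below is an added illustration written for this archive page; it is not code from the Lee & Stolfo paper (which applied rule learners to windows of calls) nor from anyone in the thread. It learns the short call sequences (3-grams) that appear in constructed "clean" traces, then scores a new trace by the fraction of its 3-grams that were never seen during training. All trace data is made up for the example.

```python
"""Toy anomaly detector over system-call traces.

Training: collect every sliding window of WINDOW consecutive calls seen in
traces believed to be normal. Detection: a new trace is scored by the share
of its windows that were never observed in training. This is a simplified
illustration of the "train on normal" idea, not the paper's exact method.
"""
from collections import Counter

WINDOW = 3  # length of the sliding window over the call sequence

# Constructed sample data: traces of a process that opens, reads, writes
# and closes files. These are invented for the example, not real traces.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
]

# Constructed trace that departs from the learned behaviour.
ANOMALOUS_TRACE = ["open", "read", "execve", "socket", "connect"]


def ngrams(trace, n=WINDOW):
    """Return every window of n consecutive calls in the trace, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_normal_profile(traces, n=WINDOW):
    """Count each window seen across the normal traces; this is the profile."""
    profile = Counter()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace, profile, n=WINDOW):
    """Fraction of the trace's windows absent from the normal profile (0..1).

    A trace shorter than the window has no windows and scores 0.0.
    """
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def is_anomalous(trace, profile, threshold=0.2, n=WINDOW):
    """Flag a trace whose unseen-window share exceeds the threshold."""
    return anomaly_score(trace, profile, n) > threshold


PROFILE = train_normal_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for label, trace in (("normal", NORMAL_TRACES[0]),
                         ("anomalous", ANOMALOUS_TRACE)):
        print(label, round(anomaly_score(trace, PROFILE), 2),
              "flagged" if is_anomalous(trace, PROFILE) else "ok")
```

Running the block prints a score of 0.0 for a normal trace and 1.0 for the constructed anomalous one. The caveat from the message shows up directly in the scoring: a benign trace such as `open, read, read, read, write, close` contains one window (`read, read, read`) the training set never produced, so it scores 0.25 and is flagged at a 0.2 threshold. Coverage of the training data and the choice of threshold decide the false-positive rate as much as the algorithm does.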


