IDS mailing list archives

RE: Protocol Anomaly Detection IDS


From: "Adam Powers" <apowers () lancope com>
Date: Thu, 6 Feb 2003 11:14:23 -0500

I can hear a thunder of vendor postings coming on this one. I guess I'll
be the first.

Without killing you with marketing slop and sales hype, I'd like to
comment on anomaly versus behavior based systems.

StealthWatch is a behavior-based system. It uses a training process
coupled with a host profiling engine designed to build a behavioral
profile of network and host activity. An anomaly subsystem exists, but
it's only one component of the total solution. RFC conformity is played
down in favor of network policy conformity. Behavior based systems do
not see a specific RFC violation. They see a behavioral pattern that
doesn't fit the overall spectrum of "normal" network traffic.

The name of the game is knowledge empowerment. Instead of saying
"SQL_SSRP_StackBo", a behavior based system says "you have 1500 new
hosts from random Internet addresses sending your internal hosts 28Mb of
376 byte UDP datagrams on port 1434, is this okay?"

As we (the industry) move forward, we must continue to build and
research proactive security technologies. Our security devices must
provide information that helps recognize threats as they occur as well
as head off potential vulnerabilities before they're discovered. This is
the goal of a behavior based threat management system.

-Adam
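An added example (not Lancope's code or anything posted in the thread) of the host-profiling idea Adam describes: training builds a per-(protocol, port) profile of known sources and mean byte volume from constructed flow records, and detection flags a window in which many never-seen sources push uniform-size UDP datagrams to port 1434. The flow-record layout and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, proto, dport, packets, bytes); not real captures.
TRAINING_WINDOWS = [
    [("10.0.0.5", "10.0.1.1", "udp", 53, 20, 1600), ("10.0.0.7", "10.0.1.1", "udp", 53, 15, 1200),
     ("198.51.100.9", "10.0.1.2", "tcp", 80, 40, 24000)],
    [("10.0.0.5", "10.0.1.1", "udp", 53, 18, 1450), ("198.51.100.9", "10.0.1.2", "tcp", 80, 35, 21000)],
]
# Constructed detection window: 30 unseen external sources, each sending 50 x 376-byte UDP to 1434.
SUSPECT_WINDOW = [("203.0.113.%d" % i, "10.0.1.%d" % (i % 4 + 1), "udp", 1434, 50, 50 * 376)
                  for i in range(1, 31)]
SUSPECT_WINDOW.append(("10.0.0.5", "10.0.1.1", "udp", 53, 19, 1500))  # ordinary DNS, should stay quiet

def build_profile(windows):
    """Training: per (proto, dport), remember known sources and mean bytes per window."""
    profile = {}
    for w in windows:
        seen = defaultdict(int)
        for src, _dst, proto, dport, _pkts, nbytes in w:
            entry = profile.setdefault((proto, dport), {"sources": set(), "bytes": []})
            entry["sources"].add(src)
            seen[(proto, dport)] += nbytes
        for key, total in seen.items():
            profile[key]["bytes"].append(total)
    for entry in profile.values():
        entry["mean_bytes"] = sum(entry["bytes"]) / len(entry["bytes"])
    return profile

def detect(profile, window, min_new_sources=10, volume_factor=5.0):
    """Flag a (proto, dport) when many unseen sources appear and volume far exceeds the baseline."""
    groups = defaultdict(list)
    for rec in window:
        groups[(rec[2], rec[3])].append(rec)
    alerts = []
    for key, recs in groups.items():
        base = profile.get(key, {"sources": set(), "mean_bytes": 0.0})
        new_sources = {r[0] for r in recs} - base["sources"]
        total = sum(r[5] for r in recs)
        # Dominant bytes-per-datagram: a uniform size across many sources is reported, not judged.
        size, _ = Counter(r[5] // max(r[4], 1) for r in recs).most_common(1)[0]
        if len(new_sources) >= min_new_sources and total > volume_factor * max(base["mean_bytes"], 1.0):
            alerts.append({"proto": key[0], "dport": key[1], "new_sources": len(new_sources),
                           "total_bytes": total, "datagram_size": size,
                           "targets": len({r[1] for r in recs})})
    return alerts

if __name__ == "__main__":
    for a in detect(build_profile(TRAINING_WINDOWS), SUSPECT_WINDOW):
        print("%(new_sources)d new hosts sent %(total_bytes)d bytes of %(datagram_size)d-byte "
              "%(proto)s datagrams to port %(dport)d on %(targets)d internal hosts" % a)
```

The alert is phrased the way Adam argues it should be: counts of new hosts, volume and datagram size rather than a signature name, leaving the operator to decide whether the pattern is acceptable.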

-----Original Message-----
From: Michael L. Artz [mailto:dragon () october29 net] 
Sent: Tuesday, February 04, 2003 11:07 PM
To: focus-ids () securityfocus com
Subject: Protocol Anomaly Detection IDS

I am trying to supplement our existing signature based IDS (Snort, gotta
love open source) with a protocol anomaly based one in a fairly large 
enterprise network.  I am in the fairly early stages of research, so I 
guess that the first question would be, is it worth it?

I hear the anomaly detection buzzword thrown around a lot these days, 
and can't quite get past all the marketing hype.  From what I can tell, 
protocol anomaly detection seems to be the more promising than the 
statistical for detecting new or IDS-cloaked attacks.  However the 
notion of "conforming to RFCs" leaves a lot of leeway for the vendors to
play with.  How well do these types of systems actually work?

Does anyone have any recommendations as to which systems to look 
into/stay away from?  Below is a list of some of the ones that looked 
like they might support protocol anomaly detection from their marketing 
hype, let me know if I left any out/incorrectly added any:

Lancope Stealthwatch
Tipping Point/UnityOne
ISS RealSecure Guard
Cisco IDS 4250
CA/eTrust IDS
Intruvert Intrushield
NFR Network Intrusion Detection System
Netscreen/Onesecure IDP
Symantec ManHunt

Any clues or headstarts to get me pointed in the right direction would 
be great.

Thanks
-Mike
