IDS mailing list archives

RE: How do behavioral/anomaly detection systems learn?


From: "Tarek Amr Abdullah" <tabdullah () salec com eg>
Date: Thu, 5 Feb 2004 10:10:23 +0200



Hi Sasha,

The signature-based IDSs/IDPs are used to match a specific string or so
in the packets. It is somewhat like the rules you put in your Outlook
in order to file different mails according to the sender's email, a
word in the mail header, or a word in the mail body.

Protocol anomaly IDSs/IDPs, on the other hand, use another technique to
detect attacks. They are somehow statistically based. They capture
packets from the network and store them in a database, and then
transform this info (number of packets per protocol, number of packets
per specific source address, etc.) from the time domain to the
frequency domain. I think this is done via some Fourier transform
techniques or so. This info is then sent to a fuzzy logic module (it
works like neural networks or so). It is put in the network to learn
its normal behavior, and then when there is an attack the neural
network module will detect a variation (maybe in the mean, standard
deviation, etc.).

Hope this will be helpful to you.
Anyway, if anyone has some white papers that discuss this in more
technical detail, I would be very grateful if you could send them.

Best Regards,

-----Original Message-----
From: Sasha Romanosky [mailto:sasha_romanosky () yahoo com] 
Sent: Thursday, February 05, 2004 8:18 AM
To: focus-ids () securityfocus com
Subject: How do behavioral/anomaly detection systems learn?


Greetings, 

In regards to "behavioral" or "anomaly" detection systems vs. pure
signature-based detection systems, I'm trying to understand how these
behavioral technologies differentiate "good" traffic from "bad" traffic.
I don't want to get into which is better, because they both have their
place, of course. What I'm trying to understand is how these behavioral
systems work, or "learn". 

I have seen that this technique is not unique to intrusion detection
systems, but also appears in application firewalls (e.g. Teros) and
email virus scanners (e.g. using bayesian filtering). 

With some products, I see that you configure them with specific rules,
tailored to your particular environment, and with other products, you
just point it to the network and it creates a profile all by itself. 

Does this simply amount to another form of signature system, just with
more intelligent signatures? Or is it more complex than this?

Any references (whitepapers, archives, sites, etc) explaining this
learning would be most appreciated.


Cheers,
Sasha Romanosky

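Editor's note: the following is an added example, not code from either
poster or from any product named in the thread. It shows the simplest
form of the statistical learning Tarek describes (minus the frequency
domain step): packets are counted per (source, protocol) in fixed time
windows, the mean and standard deviation of those counts are learned
from a training period, and a later window whose count deviates by more
than a threshold number of standard deviations is flagged. It also shows
the answer to Sasha's question in practice: there is no signature, only
a per-key baseline, so a source/protocol pair never seen during
training has no baseline at all and must be reported as a separate
case. The window size, threshold, std-dev floor and all traffic below
are constructed assumptions for the demonstration.

```python
"""Toy statistical (behavioral) intrusion detector.

Added example for the focus-ids thread above; not code from any product
named there. Counts packets per (src, proto) in fixed windows, learns the
normal mean/std of those counts, and flags windows with a large z-score.
All traffic below is constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 10  # seconds per bucket (assumption)


def bucket_counts(records, window=WINDOW):
    """records: iterable of (ts_seconds, src_ip, proto).
    Returns {(src, proto): {bucket_index: packet_count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, proto in records:
        counts[(src, proto)][ts // window] += 1
    return counts


def learn_profile(train_records, window=WINDOW, min_std=1.0):
    """Learn per-(src, proto) mean and std of packets per window.
    Windows in which a key sent nothing count as zero, so idle time is
    part of the baseline. std is floored at min_std so that perfectly
    regular traffic does not make the detector hypersensitive."""
    counts = bucket_counts(train_records, window)
    all_ts = [ts for ts, _, _ in train_records]
    first, last = min(all_ts) // window, max(all_ts) // window
    profile = {}
    for key, per_bucket in counts.items():
        series = [per_bucket.get(b, 0) for b in range(first, last + 1)]
        profile[key] = (mean(series), max(pstdev(series), min_std))
    return profile


def detect(profile, test_records, window=WINDOW, threshold=3.0):
    """Return [(bucket, src, proto, count, zscore_or_None, reason)].
    Keys with no learned baseline cannot be scored and are reported
    separately; a real deployment would have to decide whether 'unseen'
    means hostile or merely new."""
    alerts = []
    for key, per_bucket in bucket_counts(test_records, window).items():
        src, proto = key
        for bucket, count in sorted(per_bucket.items()):
            if key not in profile:
                alerts.append((bucket, src, proto, count, None,
                               "no baseline for this source/protocol"))
                continue
            mu, sigma = profile[key]
            z = (count - mu) / sigma
            if abs(z) > threshold:
                alerts.append((bucket, src, proto, count, round(z, 2),
                               "rate deviates from learned profile"))
    return alerts


def make_training_traffic():
    """Constructed 'normal' traffic over 120 s: one host sends a TCP
    packet every 3 s, another a UDP (DNS-like) packet every 5 s."""
    records = []
    for ts in range(0, 120):
        if ts % 3 == 0:
            records.append((ts, "10.0.0.5", "tcp"))
        if ts % 5 == 0:
            records.append((ts, "10.0.0.7", "udp"))
    return records


def make_test_traffic():
    """Constructed test traffic: the same normal pattern, then a burst of
    40 TCP packets from 10.0.0.5 in one window (scan-like), plus a single
    ICMP packet from a host never seen in training."""
    records = []
    for ts in range(200, 230):
        if ts % 3 == 0:
            records.append((ts, "10.0.0.5", "tcp"))
        if ts % 5 == 0:
            records.append((ts, "10.0.0.7", "udp"))
    records += [(230 + i % 10, "10.0.0.5", "tcp") for i in range(40)]
    records += [(205, "10.0.0.99", "icmp")]
    return records


def run():
    """Learn from the training traffic, then score the test traffic."""
    profile = learn_profile(make_training_traffic())
    return detect(profile, make_test_traffic())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields two alerts: the 40-packet TCP window from 10.0.0.5
(z-score well above 30 against a learned mean of about 3.3 packets per
window) and the ICMP packet from 10.0.0.99, which is reported only
because no baseline exists for it. Replaying the training traffic
through detect() produces no alerts, which is the property one actually
has to verify before trusting such a system: the learned profile must
accept the traffic it was trained on, and the training period must not
already contain the attack.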


