IDS mailing list archives
RE: How do behavioral/anomaly detection systems learn?
From: "Tarek Amr Abdullah" <tabdullah () salec com eg>
Date: Thu, 5 Feb 2004 10:10:23 +0200
Hi Sasha,

Signature-based IDSs/IDPs are used to match a specific string or so in the packets. It is somewhat like the rules you put in your Outlook in order to file different mails according to the sender's email, a word in the mail header, or a word in the mail body.

Protocol anomaly IDSs/IDPs use another technique to detect attacks. They are somehow statistically based. They capture packets from the network and store them in a database, and then transform this info (number of packets per protocol, number of packets per specific source address, etc.) from the time domain to the frequency domain. I think this is done via some Fourier transform techniques or so. This info is then sent to a fuzzy logic module (it works like neural networks or so). It is put in the network to learn its normal behavior, and then when there is an attack the neural network module will detect a variation (maybe in the mean, the standard deviation, etc.).

Hope this will be helpful to you. Anyway, if anyone has some white papers that discuss this in more technical detail, I would be very grateful if you could send them.

Best Regards,

-----Original Message-----
From: Sasha Romanosky [mailto:sasha_romanosky () yahoo com]
Sent: Thursday, February 05, 2004 8:18 AM
To: focus-ids () securityfocus com
Subject: How do behavioral/anomaly detection systems learn?

Greetings,

In regards to "behavioral" or "anomaly" detection systems vs. pure signature-based detection systems, I'm trying to understand how these behavioral technologies differentiate "good" traffic from "bad" traffic. I don't want to get into which is better, because they both have their place, of course. What I'm trying to understand is how these behavioral systems work, or "learn". I have seen that this technique is not unique to intrusion detection systems, but also appears in application firewalls (e.g. Teros) and email virus scanners (e.g. using Bayesian filtering).

With some products, I see that you configure them with specific rules, tailored to your particular environment, and with other products, you just point it to the network and it creates a profile all by itself. Does this simply amount to another form of signature system, just with more intelligent signatures? Or is it more complex than this?

Any references (whitepapers, archives, sites, etc.) explaining this learning would be most appreciated.

Cheers,
Sasha Romanosky