IDS mailing list archives
RE: How do behavioral/anomaly detection systems learn?
From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Thu, 5 Feb 2004 10:00:41 +0100
Hi,

Anomaly detection can be performed by security tools on the following layers in the TCP/IP model (internet, transport and application).

I suggest looking closer at Spade - this is the Snort plugin now added to every version of Snort. Spade is developed by Silicon Defense (so some information can be found here: www.silicondefense.com - also look at the references in the Spade documentation). Spade is a Statistical Packet Anomaly Detection Engine with Bayesian probabilistics applied. Bayesian networks are used to learn a long-term profile of normal activities in a network system and to detect deviations of the observed activities from the norm profile.

The other kind of anomaly detection is applied in Symantec ManHunt:

- anomaly on network/transport layers (detection of packet fragmentation (IP and TCP packets), detection of DoS attacks - by counting SYN packets and SYN/ACK packets, etc.)

- anomaly on application layer (detection of incorrect use of a particular protocol - let's say that an intruder connects to a web server and generates the following request:

    $ telnet web_server 80
    GET /        <----- this request is incomplete.

  So the system will detect it as an anomaly - because this request is not correct against the HTTP specification described in the RFC. Of course someone can say that this is not an anomaly because the IDS has implemented RFC rules.

The other example of anomaly detection on the application layer is the behavior of users. We know that the users usually log in to the server from workstations from a certain domain in known hours (8 a.m. - 4 p.m.). If a user logs in to the server from another domain or at night - this is an anomaly - and we should look closer at this kind of event.

I also suggest looking at the Reading Room on the SANS portal and the articles published by Security Focus.
Regards,
Mariusz Burdach

-----Original Message-----
From: Sasha Romanosky [mailto:sasha_romanosky () yahoo com]
Sent: Thursday, February 05, 2004 7:18 AM
To: focus-ids () securityfocus com
Subject: How do behavioral/anomaly detection systems learn?

Greetings,

In regards to "behavioral" or "anomaly" detection systems vs. pure signature-based detection systems, I'm trying to understand how these behavioral technologies differentiate "good" traffic from "bad" traffic. I don't want to get into which is better, because they both have their place, of course. What I'm trying to understand is how these behavioral systems work, or "learn".

I have seen that this technique is not unique to intrusion detection systems, but also appears in application firewalls (e.g. Teros) and email virus scanners (e.g. using Bayesian filtering). With some products, I see that you configure them with specific rules, tailored to your particular environment, and with other products, you just point it to the network and it creates a profile all by itself.

Does this simply amount to another form of signature system, just with more intelligent signatures? Or is it more complex than this?

Any references (whitepapers, archives, sites, etc.) explaining this learning would be most appreciated.

Cheers,
Sasha Romanosky
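The user-behavior example above (a baseline of "which domain, which hours" per user, with deviations flagged) as an added illustration that is not part of this thread; the user names, domains and login records are constructed, and the learned window is simply the earliest and latest hour seen during the learning period:

```python
from collections import defaultdict

# Constructed sample login records: (user, source_domain, hour_of_day).
# TRAINING is the learning period; LIVE is the traffic later scored against it.
TRAINING = [
    ("alice", "corp.example", 8), ("alice", "corp.example", 9),
    ("alice", "corp.example", 13), ("alice", "corp.example", 16),
    ("bob", "corp.example", 9), ("bob", "lab.example", 10),
    ("bob", "corp.example", 15),
]
LIVE = [
    ("alice", "corp.example", 10),   # within learned domain and hours: normal
    ("alice", "corp.example", 2),    # known domain, but a night-time login
    ("alice", "dialup.example", 9),  # domain never seen for this user
    ("carol", "corp.example", 9),    # user with no baseline at all
]

def learn_profile(events):
    """Build a per-user baseline: domains seen and [earliest, latest] login hour."""
    profile = {}
    for user, domain, hour in events:
        p = profile.setdefault(user, {"domains": set(), "hours": [hour, hour]})
        p["domains"].add(domain)
        p["hours"][0] = min(p["hours"][0], hour)
        p["hours"][1] = max(p["hours"][1], hour)
    return profile

def score_event(profile, event):
    """Return the reasons an event deviates from the baseline (empty list = normal)."""
    user, domain, hour = event
    if user not in profile:
        return ["no baseline for user"]
    p = profile[user]
    reasons = []
    if domain not in p["domains"]:
        reasons.append(f"unseen source domain {domain}")
    lo, hi = p["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"login at {hour:02d}:00 outside learned window {lo:02d}-{hi:02d}")
    return reasons

def detect(profile, events):
    """Pair every anomalous event with its reasons; normal events are dropped."""
    flagged = []
    for e in events:
        reasons = score_event(profile, e)
        if reasons:
            flagged.append((e, reasons))
    return flagged

if __name__ == "__main__":
    for event, reasons in detect(learn_profile(TRAINING), LIVE):
        print(event, "->", "; ".join(reasons))
```

Note that whatever happened during the learning period becomes "normal", so a baseline learned while an account was already being misused will not flag that misuse later; the learning window needs to be reviewed, not just recorded.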