IDS mailing list archives
Re: How do behavioral/anomaly detection systems learn?
From: Ravi <ravivsn () roc co in>
Date: Mon, 09 Feb 2004 09:50:44 +0530
Hi,

Many of the recent IDS/IPS systems support mainly three kinds of detection and protection. They are
-- Pattern based
-- Traffic anomaly
-- Protocol anomaly.
The iGateway-InlineIPS product from Intoto provides all of the above detection methods. One thing which I liked in that product is their Manager. It displays comprehensive log information and provides a way to tune the rules from the 'log' screens.

Rules can be tuned to have alerts generated based on packets/time, bytes/time, sessions/time and can be tuned with time, apart from having the 5-tuple parameters. Thereby, for a given host/server/network and during some periods of time, the traffic parameters can be tuned to generate alerts.

As part of protocol anomaly, many of the IDS/IPS systems provide application intelligence to detect RFC and implementation anomalies. This is one of the best ways to detect buffer overflows.
Regards
Ravi
Rendezvous On Chip (I) Pvt Ltd
INDIA

Sasha Romanosky wrote:
Greetings,

In regards to "behavioral" or "anomaly" detection systems vs. pure signature-based detection systems, I'm trying to understand how these behavioral technologies differentiate "good" traffic from "bad" traffic. I don't want to get into which is better, because they both have their place, of course. What I'm trying to understand is how these behavioral systems work, or "learn".

I have seen that this technique is not unique to intrusion detection systems, but also appears in application firewalls (e.g. Teros) and email virus scanners (e.g. using bayesian filtering).

With some products, I see that you configure them with specific rules, tailored to your particular environment, and with other products, you just point it to the network and it creates a profile all by itself.

Does this simply amount to another form of signature system, just with more intelligent signatures? Or is it more complex than this? Any references (whitepapers, archives, sites, etc) explaining this learning would be most appreciated.

Cheers,
Sasha Romanosky
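To make the traffic-anomaly tuning Ravi describes concrete, here is an added example (not from Ravi's post, and not Intoto's code): a minimal learner that builds per-service baselines for packets/time, bytes/time and sessions/time over fixed time windows, then alerts when a window exceeds the learned threshold. The flow record layout, the window size, the k=3 spread factor and the 10% floor are all assumptions of this example; the flows are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed flow record layout: (epoch_seconds, src_ip, dst_ip, dst_port, proto, packets, bytes)
METRICS = ("packets", "bytes", "sessions")

def window_counters(flows, window_secs=60):
    """Aggregate flows into per-service, per-window counters: the packets/time,
    bytes/time and sessions/time parameters, keyed by destination host:port/proto."""
    counters = defaultdict(lambda: {"packets": 0, "bytes": 0, "sessions": 0})
    for ts, _src, dst, dport, proto, pkts, nbytes in flows:
        key = (dst, dport, proto, ts - ts % window_secs)
        counters[key]["packets"] += pkts
        counters[key]["bytes"] += nbytes
        counters[key]["sessions"] += 1   # one flow record is treated as one session
    return counters

def learn_profile(flows, window_secs=60, k=3.0):
    """Training phase: per service, derive one threshold per metric from the mean
    and spread of its windowed counters.  The 10%-of-mean floor stops a perfectly
    regular training set from yielding a zero-width band that alerts on everything."""
    per_service = defaultdict(lambda: defaultdict(list))
    for (dst, dport, proto, _w), c in window_counters(flows, window_secs).items():
        for m in METRICS:
            per_service[(dst, dport, proto)][m].append(c[m])
    return {svc: {m: mean(v) + k * max(pstdev(v), 0.1 * mean(v)) for m, v in series.items()}
            for svc, series in per_service.items()}

def detect(profile, flows, window_secs=60):
    """Detection phase: a window whose counter exceeds the learned threshold raises an
    alert; a service never seen in training is flagged too, since it has no baseline."""
    alerts = []
    for (dst, dport, proto, w), c in sorted(window_counters(flows, window_secs).items()):
        thresholds = profile.get((dst, dport, proto))
        if thresholds is None:
            alerts.append((w, (dst, dport, proto), "unknown-service", c["sessions"], None))
            continue
        for m in METRICS:
            if c[m] > thresholds[m]:
                alerts.append((w, (dst, dport, proto), m, c[m], round(thresholds[m], 1)))
    return alerts

# Constructed training data: 10 one-minute windows of ordinary web traffic to 10.0.1.10:80.
TRAINING = [(w * 60 + s, f"10.0.0.{s % 5 + 1}", "10.0.1.10", 80, "tcp", 10, 600)
            for w in range(10) for s in range(18 + w % 3)]
# Constructed test data: one normal minute, then a minute carrying a 100-session burst.
TEST = ([(600 + s, f"10.0.0.{s % 5 + 1}", "10.0.1.10", 80, "tcp", 10, 600) for s in range(20)]
        + [(660 + s % 60, "10.0.0.9", "10.0.1.10", 80, "tcp", 10, 600) for s in range(100)])

if __name__ == "__main__":
    for alert in detect(learn_profile(TRAINING), TEST):
        print(alert)
```

The learned profile is just a table of numeric thresholds per 5-tuple-ish key and metric, which is why Sasha's question has some force: once training ends, the detector behaves like a signature system whose signatures were derived from observed traffic rather than written by hand.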
Current thread:
- How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 04)
- RE: How do behavioral/anomaly detection systems learn? Tarek Amr Abdullah (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Konrad Rieck (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Stefano Zanero (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? david maynor (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Stefano Zanero (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Ravi (Feb 08)
- <Possible follow-ups>
- Re: How do behavioral/anomaly detection systems learn? Jason Anderson (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Mariusz Burdach (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Teicher, Mark (Mark) (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Teicher, Mark (Mark) (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Tarek Amr Abdullah (Feb 08)