IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Anomaly Based Network IDS

From: "Drew Simonis" <simonis () myself com>
Date: Fri, 18 Jun 2004 12:35:20 -0500

----- Original Message ----- 
From: Joe Dauncey 
Date: Fri, 18 Jun 2004 14:09:08 +0100 
To: focus-ids () securityfocus com 
Subject: Anomaly Based Network IDS 


Hi, 

I am interested in views on anomaly-based Network IDS. 

... 

I suppose my defintion of anomaly based is that it discovers attacks based on sampling and analysing 
the network traffic and identifying anomalies on the norm, rather than relying on a specific external 
signature to tell it what to look for. 

I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every 
network environemtn, and could potentially generate a lot of false positives. 

I'm especially interested in anything that would claim to be able to detect a worm attack (and even 
prevent it) without knowing about it already - i.e. through a signature. 



You'll want to look at a couple of things.  First, there are protocol anomaly IDS, such as Symantec
Manhunt.  These detect deviations from published RFCs and report on that.  They can detect attacks
absent a signature, but are prone to false positives.  They take some tuning and decently skilled
analysts.

Second, (and I think what you seem to want) you'll want to look at profiling systems.  My favorite is
the aptly named "Profiler" by Mazu Networks.  It can, as you ask, detect worm activity absent any
information, and (a set apart feature from the others in this space, IMO) has a dynamic baseline.
I use it, and I like it.  

-Ds

---------------------------------------------------------------------------

---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: