IDS mailing list archives
Re: Suggestions
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Thu, 27 May 2004 17:33:30 -0500
I'm involved in the same sort of project and we're using the idea of a product from Q1 Labs called QRadar (www.q1labs.com) as our foundation and expanding upon it. It uses network behavioral/anomaly analysis to determine whether or not an attack or worm propagation is imminent. Unfortunately, it stops short because it focuses mainly on network traffic trends and only has limited packet analysis. One has to be able to monitor both network statistics as well as complete packets and TCP sessions. The problem with this is that it becomes a resource nightmare if you intend to track a large number of TCP sessions for a lengthy amount of time.

A true Hybrid solution would work best because you must have a way to determine whether or not the anomaly is a known or unknown threat. Obviously, the known threats will be identified by a signature. Once a signature matches it can be discarded and save resources. Analyzing the new, unknown anomaly is where the AI kicks in. When it detects an anomaly and starts analysis it has to determine whether it is in fact malicious activity or something like standard network performance issues. That in itself would almost have to be somewhat signature based on the backend somewhere in the AI algorithms, wouldn't it?

Another aspect we are looking at is how to develop the algorithms for detecting convoluted attacks such as worms or exploits that use polymorphic code. Any suggestions on that as well?

-Clint

----- Original Message -----

Hi there,

I am taking part in a research project on artificial intelligence, and my objective is to create an IDS (possibly hybrid), capable of detecting attacks never seen before (by using some artificial intelligence algorithms). I would like to hear suggestions on which aspects of network traffic I should focus on ...

Thanks in advance.

--
Thiago dos Santos Guzella
Linux User #354160
UIN 13465286
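A sketch of the two-stage design Clint describes (signature match first so known threats are discarded cheaply, then behavioural analysis over bounded TCP session state so long-running tracking cannot exhaust resources), written as an added example for this archive page and not code from QRadar or any poster; the signature marker, thresholds and packet stream are constructed placeholders.

```python
from collections import OrderedDict, defaultdict
# Constructed signature table for the known-threat stage: (dst port, payload marker) -> name.
SIGNATURES = {(80, b"EXAMPLE-KNOWN-PATTERN"): "example-known-http-attack"}

class SessionTable:
    """Bounded, idle-expiring TCP session table keyed by 4-tuple: memory stays capped no
    matter how long tracking runs (LRU eviction at the cap, purge of idle entries)."""
    def __init__(self, max_sessions=1000, idle_timeout=60.0):
        self.max_sessions, self.idle_timeout = max_sessions, idle_timeout
        self.sessions = OrderedDict()  # key -> {"last": ts, "bytes": n}
    def touch(self, key, ts, nbytes):
        for k in [k for k, v in self.sessions.items() if ts - v["last"] > self.idle_timeout]:
            del self.sessions[k]
        if key in self.sessions:
            self.sessions.move_to_end(key)
        elif len(self.sessions) >= self.max_sessions:
            self.sessions.popitem(last=False)  # evict the least recently seen session
        s = self.sessions.setdefault(key, {"last": ts, "bytes": 0})
        s["last"], s["bytes"] = ts, s["bytes"] + nbytes

class HybridDetector:
    def __init__(self, fanout_threshold=3, window=10.0, **table_kwargs):
        self.table = SessionTable(**table_kwargs)
        self.fanout_threshold, self.window = fanout_threshold, window
        self.contacts = defaultdict(dict)  # src -> {dst: last_ts}, the behavioural statistic
    def process(self, pkt):
        """Classify one packet dict: ('signature', name), ('anomaly', reason) or None."""
        # Stage 1: a signature match means a known threat; report and discard it here so it
        # never consumes session-tracking or anomaly-analysis resources.
        for (port, marker), name in SIGNATURES.items():
            if pkt["dport"] == port and marker in pkt["payload"]:
                return ("signature", name)
        # Stage 2: unknown traffic gets bounded session tracking plus a behavioural check
        # (distinct destinations per source inside a sliding window, a worm-propagation trait).
        self.table.touch((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), pkt["ts"], len(pkt["payload"]))
        seen = self.contacts[pkt["src"]]
        seen[pkt["dst"]] = pkt["ts"]
        for d in [d for d, t in seen.items() if pkt["ts"] - t > self.window]:
            del seen[d]
        if len(seen) >= self.fanout_threshold:
            return ("anomaly", f"{pkt['src']} contacted {len(seen)} hosts in {self.window}s")
        return None

def run_demo():
    """Constructed stream: one known-signature hit, then a fan-out burst from 10.0.0.5."""
    det = HybridDetector(fanout_threshold=3, window=10.0, max_sessions=2, idle_timeout=30.0)
    flows = [("10.0.0.9", "10.0.0.1", 80, b"GET /EXAMPLE-KNOWN-PATTERN"), ("10.0.0.5", "10.0.0.10", 445, b"x"),
             ("10.0.0.5", "10.0.0.11", 445, b"x"), ("10.0.0.5", "10.0.0.12", 445, b"x")]
    pkts = [{"ts": float(i), "src": s, "sport": 40000 + i, "dst": d, "dport": p, "payload": b}
            for i, (s, d, p, b) in enumerate(flows)]
    return [det.process(p) for p in pkts], len(det.table.sessions)
```

The session table ends at its cap of 2 entries even though three unknown flows were tracked, which is the resource bound Clint's post is asking for; the signature hit never entered the table at all.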
Current thread:
- Suggestions Thiago dos Santos Guzella (May 26)
- RE: Suggestions Rishi Pande (May 26)
- Re: Suggestions Stefano Zanero (May 26)
- Re: Suggestions whitty reeve (May 27)
- Re: Suggestions Clint Bodungen (May 28)
- Re: Suggestions Rishikesh Pande (May 31)
- <Possible follow-ups>
- RE: Suggestions (infor) urko zurutuza (May 28)
- RE: Suggestions Drew Copley (May 28)
- Re: Re: Suggestions Thiago dos Santos Guzella (May 29)
- Re: Suggestions Rishikesh Pande (May 31)