IDS mailing list archives

Re: question about anomalies detection

From: "Srinivasa Rao Addepalli" <srao () intoto com>
Date: Fri, 3 Sep 2004 13:04:19 -0700

Traffic Anomaly engine works as good as definition of 'normal' profile.
So, it is necessary that system should be capable of learning and creating the profile.
IDS/IPS systems also should be capable of manually tuning the profile to reduce
false positives.

IDS/IPS Systems would normally provide following facilities.

1. System should provide facility to create rules for learning the traffic characterstics.
    Rules can contain Server IP address, Network, Service or combination of these.
    It also should contain any application information such as HTTP URLs etc..

2. Learning System:  Should be capable of intrepreting the logs generated by Sensors for
    a given period of time and generate profile with the information collected for the
    rules given to the learning system. 

3. User can tune the profile and uploads these profiles onto Sensors.

4.  Sensors, then onwards enforce this profile and generate anomaly indications, if 
     the behaviour is outside the definition of profile. As part of enforcement, IDS/IPS systems
     also provide notification to administrator or block the traffic.

In future, I would expect more and more research going in learning system and auto-tuning
the profile over the time. 

Following is very common list, that is learnt by many of current generation IDS/IPS products.
In future, I would expect that this list grows.

-  Number of connections, Packet, bytes on per Service/Network/Server basis in a given
    period.
- The URLs/Methods which are accessed on WebServer in a given period.

I hope this helps.
Srini
Intoto Inc.
www.intoto.com
----- Original Message ----- 
From: <faisal99 () inf its-sby edu>
To: <focus-ids () securityfocus com>
Sent: Wednesday, September 01, 2004 12:31 AM
Subject: question about anomalies detection

Hai everyone,
sory if my question seems to be dummy question,
but I need several thing to know about anomalies detection for my college
assignment. Below are something to answer(if you don't mind)

1. To train the anomalies detection system, we must train the application
with the normal profile. My question is how we get the normal profile, are
they built by ourself or we try to get from our network dump data to be
set as normal profile or we use the prebuild data on the net(like the data
on the Lincoln Lab Data?)

2. Is there any paper about SPADE(Snort Plugin), I've googling for
sometimes but never found one.

thnkyou, for the attention.
regards

Nafis Faisal


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

question about anomalies detection faisal99 (Sep 01)
- Re: question about anomalies detection Srinivasa Rao Addepalli (Sep 03)
- Re: question about anomalies detection Raj Malhotra (Sep 08)
  - RE: question about anomalies detection Rob Shein (Sep 17)
- Re: question about anomalies detection Jose Maria Lopez (Sep 10)
- <Possible follow-ups>
- Re: question about anomalies detection Omar Herrera (Sep 03)
  - Re: question about anomalies detection Christian Kreibich (Sep 07)