IDS mailing list archives
Re: IPS comparison
From: Stefano Zanero <s.zanero () securenetwork it>
Date: Tue, 30 Aug 2005 09:58:32 +0200
Sanjay Rawat wrote:
Hi Stefano: I got confused over one comment made by you: "First hint of the day: if there is a regexp there, it's NOT anomaly detection." why it is so? I can use association or frequent episode rules to capture normal behavior (you know this), and I can use regexp to represent such rules.
Let me rephrase my comment then: "If there is a GIVEN SET of regexp there, it's not anomaly detection."

If you create an induction algorithm for GENERATING a set of rules describing normal behavior, you are creating an anomaly detection system; if you instead give your customer a predefined set of rules to match his traffic against, you cannot be far away from simple "protocol anomaly detection" systems.

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
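The distinction Stefano draws (rules induced from observed normal traffic versus a fixed set of regexps shipped with the product) is easiest to see side by side. The following is an added example, not code from the original thread or from any product mentioned in it. It induces one regexp per HTTP query parameter from a constructed training set of "normal" request lines (by picking the tightest character class all observed values fit, plus a length bound; this is a deliberate simplification of the association or frequent-episode rule learning Sanjay refers to), then scores new requests against those learned rules. Beside it sits a single fixed, never-trained regexp that only checks request-line grammar, to show what a predefined rule can and cannot notice. All request lines, function names and thresholds (such as the factor of two on length) are the example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed training set of "normal" HTTP request lines (not real traffic).
NORMAL_REQUESTS = [
    "GET /search?q=firewall&page=1 HTTP/1.1",
    "GET /search?q=ids&page=2 HTTP/1.1",
    "GET /search?q=anomaly&page=10 HTTP/1.1",
    "GET /article?id=1042 HTTP/1.1",
    "GET /article?id=77 HTTP/1.1",
    "GET /article?id=3 HTTP/1.0",
]

# Candidate character classes, most specific first. The induction step picks
# the first class that every observed value of a parameter fits.
CHAR_CLASSES = [
    ("digits", r"[0-9]+"),
    ("alpha", r"[A-Za-z]+"),
    ("alnum", r"[A-Za-z0-9]+"),
    ("word", r"[A-Za-z0-9_.-]+"),
    ("printable", r"[\x20-\x7e]+"),
    ("any", r"(?s).*"),
]


def split_request_line(line):
    """Return (method, path, [(param, value), ...]) or None if the line is malformed."""
    parts = line.split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    url = urlsplit(target)
    return method, url.path, parse_qsl(url.query, keep_blank_values=True)


def induce_class(values):
    """Generate a regexp from data: the tightest candidate class all values match."""
    for name, pattern in CHAR_CLASSES:
        if all(re.fullmatch(pattern, v) for v in values):
            return name, pattern
    return CHAR_CLASSES[-1]  # not reached: "any" matches every value


def learn_profile(requests):
    """Induction: build per-(method, path, param) rules from normal traffic only."""
    samples = defaultdict(list)
    endpoints = set()
    for line in requests:
        parsed = split_request_line(line)
        if parsed is None:
            continue
        method, path, params = parsed
        endpoints.add((method, path))
        for name, value in params:
            samples[(method, path, name)].append(value)
    rules = {}
    for key, values in samples.items():
        cls, pattern = induce_class(values)
        rules[key] = {
            "class": cls,
            "regex": re.compile(pattern),
            "max_len": max(len(v) for v in values),
        }
    return {"endpoints": endpoints, "rules": rules}


def score(profile, line):
    """Return the list of deviations of one request from the learned profile."""
    parsed = split_request_line(line)
    if parsed is None:
        return ["malformed request line"]
    method, path, params = parsed
    reasons = []
    if (method, path) not in profile["endpoints"]:
        reasons.append(f"{method} {path}: endpoint never seen in training")
    for name, value in params:
        rule = profile["rules"].get((method, path, name))
        if rule is None:
            reasons.append(f"{name}: parameter never seen in training")
            continue
        if not rule["regex"].fullmatch(value):
            reasons.append(f"{name}: value {value!r} does not match learned class {rule['class']}")
        if len(value) > 2 * rule["max_len"]:  # assumed slack factor of two
            reasons.append(f"{name}: length {len(value)} exceeds twice the learned maximum {rule['max_len']}")
    return reasons


# Contrast: a GIVEN regexp, shipped with the product and never trained. It checks
# request-line grammar only and knows nothing about this site's normal traffic.
FIXED_REQUEST_LINE = re.compile(r"(GET|HEAD|POST) /[\x21-\x7e]* HTTP/1\.[01]")


def fixed_rule_check(line):
    """Protocol-conformance check with a predefined rule: no training involved."""
    return [] if FIXED_REQUEST_LINE.fullmatch(line) else ["request line violates fixed protocol grammar"]


if __name__ == "__main__":
    profile = learn_profile(NORMAL_REQUESTS)
    for key, rule in sorted(profile["rules"].items()):
        print(key, rule["class"], rule["regex"].pattern, rule["max_len"])
    for req in ["GET /search?q=firewall&page=abc HTTP/1.1", "GET /admin HTTP/1.1"]:
        print(req, "learned:", score(profile, req), "fixed:", fixed_rule_check(req))
```

Both detectors end up matching regexps, which is Sanjay's point; the difference is where the regexps come from. The fixed rule accepts `page=abc` and `/admin` because both are grammatically valid HTTP, while the induced profile flags them because this site's training traffic never showed them. The flip side, visible in the same code, is that the induced rules inherit every gap in the training set (a parameter never observed is reported, whether it is benign or not), which is the false-positive cost anomaly detection pays for needing no predefined rules.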