IDS mailing list archives
RE: Specification-based Anomaly Detection
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Fri, 14 Jan 2005 13:32:13 -0800
-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com]
Sent: Thursday, January 13, 2005 6:23 PM
To: Kohlenberg, Toby; Stefano Zanero; roberto.perdisci () gmail com
Cc: focus-ids () lists securityfocus com
Subject: RE: Specification-based Anomaly Detection

>> What exactly is your definition of "new-comer"? Seeing as anomaly detection has been discussed and studied for at least 15 years as far as I know...

> I stand corrected: I only meant that commercial applications are relatively new. Signature-based IDS has been here for the last decade I believe, while I think that anomaly-based techniques found their way into products just in the last couple of years.
See other email about CMDS. Knowing about that should be basic reading for anyone working on IDS development or research. Stefano said this was focused on network IDS but I think the distinction is spurious.
>> I'm not sure I follow the argument about "perpetual zero day". It sounds like a problem of poor signature writing. Could you expand a little more on why this is a problem for signature-based approaches as opposed to anomaly-based approaches?

> It is definitely a problem of poor writing. Unfortunately there are tons of poorly written code out there and more to come.
That doesn't make it a problem with the technology, just the implementation.

t
Current thread:
- Re: Specification-based Anomaly Detection, (continued)
- Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- Re: Specification-based Anomaly Detection Dragos Ruiu (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- RE: Specification-based Anomaly Detection Drew Simonis (Jan 23)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 23)