IDS mailing list archives

RE: Specification-based Anomaly Detection

From: "(infor) urko zurutuza" <uzurutuza () eps mondragon edu>
Date: Mon, 17 Jan 2005 16:47:29 +0100

Don't be so fussy! I agree with Stefano, the big IDS trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just 
started offering a little bit of real anomaly detection (using AI instead of signatures!), even if we know that network 
anomaly detection is almost 15 years old in the research comunity (I think the first was NADIR (Network Anomaly 
Detector and Intrusion Reporter, of Los Alamos National Laboratory in 1990).

__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Modragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu

-----Mensaje original-----
De: Stefano Zanero [mailto:zanero () elet polimi it] 
Enviado el: jueves, 13 de enero de 2005 21:14
Para: Kohlenberg, Toby
CC: Ofer Shezaf; focus-ids () lists securityfocus com
Asunto: Re: Specification-based Anomaly Detection

Kohlenberg, Toby wrote:

- and that anomaly detection (in particular techniques which are not
rate-based) is a relative "newcomer" in the COMMERCIAL field of 
intrusion detection, where most of the products are built

on a misuse

detection approach.


Really? What would you call CMDS? Which was a commercial

system that

used anomaly detection by building user profiles and was available 
from ODS in the mid-90s?


My omission here: I meant NETWORK intrusion detection, as we 
were talking about NIDS in those posts. Commercial anomaly 
detection systems exist.

--
Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione Via 
Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-3660
Fax.    +39 02 2399-3411
E-mail: zanero () elet polimi it
Web:    www.elet.polimi.it/upload/zanero

--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------
------------


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

Current thread:

RE: Specification-based Anomaly Detection, (continued)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
  - Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
    - Re: Specification-based Anomaly Detection Dragos Ruiu (Jan 24)
    - Re: Specification-based Anomaly Detection Adam Powers (Jan 24)
- RE: Specification-based Anomaly Detection Drew Simonis (Jan 23)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 23)