IDS mailing list archives

Re: Specification-based Anomaly Detection


From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 20 Jan 2005 22:05:42 +0100

Kohlenberg, Toby wrote:

> Right, I got that. But so long as you aren't encrypting the traffic, I
> can dissect it. I won't always get the fragmentation right but I can
> probably figure out the application if I look.

You will. That's my point, actually: you can do anomaly detection without knowing in advance which traffic matches to which app ;)

>> That's something that the algorithm we have developed can recognize ;)

> Yes, but not by looking at IP/port pairs. You'll need more detail than
> that.

You don't need that (it would be too easy ;). You just need the packet payloads, most of the time.

--
Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-3660
Fax.    +39 02 2399-3411
E-mail: zanero () elet polimi it
Web:    www.elet.polimi.it/upload/zanero
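The exchange above argues that application identification and anomaly detection can be done from packet payloads alone, without an IP/port-to-application mapping. The following is an added example written for this archive page; it is not the algorithm Zanero refers to and is not code from the thread. It assumes a deliberately simple technique (a Laplace-smoothed byte-bigram model per application, with an anomaly floor taken from the training payloads' own scores) and constructed sample payloads, not real captures. The destination port is carried along only to show that the classifier never consults it.

```python
"""Added example (not the author's algorithm): payload-only application
identification and anomaly scoring with a smoothed byte-bigram model.
Ports are deliberately ignored; only packet payloads are used."""
import math
from collections import Counter

# Constructed training payloads, one list per application. They are not
# real captures, just enough bytes to give each protocol its own bigram profile.
TRAINING = {
    "http": [
        b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        b"GET /index.html HTTP/1.0\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
        b"POST /login HTTP/1.1\r\nContent-Length: 11\r\n\r\nuser=a&pw=b",
    ],
    "smtp": [
        b"EHLO mail.example.test\r\n",
        b"MAIL FROM:<alice@example.test>\r\n",
        b"RCPT TO:<bob@example.test>\r\n",
    ],
    "ssh": [
        b"SSH-2.0-OpenSSH_3.9p1\r\n",
        b"SSH-2.0-PuTTY_Release_0.56\r\n",
        b"SSH-1.99-OpenSSH_3.8.1p1\r\n",
    ],
}

ALPHABET = 256 * 256  # number of possible byte bigrams, used for Laplace smoothing


def bigrams(payload: bytes):
    """Yield consecutive byte pairs of a payload."""
    return zip(payload, payload[1:])


class BigramModel:
    """Laplace-smoothed byte-bigram model of one application's payloads."""

    def __init__(self, samples):
        self.counts = Counter()
        for sample in samples:
            self.counts.update(bigrams(sample))
        self.total = sum(self.counts.values())

    def score(self, payload: bytes) -> float:
        """Average log-probability per bigram; higher means 'looks like this app'."""
        pairs = list(bigrams(payload))
        if not pairs:
            return -math.inf
        denom = self.total + ALPHABET
        return sum(math.log((self.counts[p] + 1) / denom) for p in pairs) / len(pairs)


class PayloadClassifier:
    """Picks the best-matching application model and flags payloads that fit none."""

    def __init__(self, training):
        self.models = {app: BigramModel(s) for app, s in training.items()}
        # Anomaly floor: the worst score any training payload gets under its own
        # model. A payload scoring below this under every model fits no known app.
        self.floor = min(
            self.models[app].score(sample)
            for app, samples in training.items()
            for sample in samples
        )

    def classify(self, payload: bytes):
        """Return (app, score, anomalous). Ports are not an input on purpose."""
        scores = {app: m.score(payload) for app, m in self.models.items()}
        best = max(scores, key=scores.get)
        return best, scores[best], scores[best] < self.floor


# Constructed flows: (dst_port, payload). The port column exists only to show
# that the classifier never looks at it.
FLOWS = [
    (80,   b"GET /admin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (80,   b"SSH-2.0-OpenSSH_4.0p1\r\n"),                              # SSH banner on the HTTP port
    (2222, b"POST /login HTTP/1.1\r\nContent-Length: 4\r\n\r\nx=1"),   # HTTP request on an odd port
    (25,   b"\x90" * 24 + b"\xcc\xcc\xcc\xcc"),                         # NOP-sled-like junk on the SMTP port
]


def run(flows=FLOWS, training=TRAINING):
    """Classify each flow by payload only; returns (port, app, score, anomalous) tuples."""
    clf = PayloadClassifier(training)
    return [(port, *clf.classify(payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, app, score, anomalous in run():
        print(f"dst_port={port:<5} guess={app:<5} score={score:7.3f} anomalous={anomalous}")
```

With these constructed inputs the SSH banner on port 80 and the HTTP request on port 2222 are each matched to the right model from their bytes alone, while the NOP-sled-like blob fits no model and drops below the floor. A real deployment would train on far more data and would need a model less crude than bigram counts, but the dependency is the same: payload bytes, not port numbers.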
