IDS mailing list archives
RE: Current state of Anomaly-based Intrusion Detection
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 01 Mar 2005 22:14:54 -0600
On Mon, 2005-02-28 at 08:56 -0800, Andrew Plato wrote:
This all depends on your definition of an "anomaly" detection engine. I would say that anything that establishes "norms" for protocols or traffic is, in essence, an anomaly detection system.
Howdy Andrew, yeah, an anomaly is the difference between the detected traffic and what is considered "norm". Norm can be any of those that Jose listed: Statistical, spec based, relational, or behavioral. (I'm replying to your email because it summed it up so nicely ;) However, I think a fifth one should be added. When alerting on an "anomaly" that differs from "norm", I prefer to alert on "Knowledge" or "Expectation". That is simply, observing traffic and comparing it to what the administrator/operator of the network knows and expects. Any deviation can be considered an anomaly and is worth reporting. Realistically, that is probably a mix of described relation and described behavior. I say "described" to make clear that it is not "learned" by the IDS itself. It is described by the administrator. As such, it is the admins expectation of data flows that is described to the IDS. The IDS will watch traffic and alert on deviations -- those things that the admin didn't expect. Perhaps profiling it in this light may appear silly to some, but I think it highlights one important fact -- we've been giving the IDS too much authority, especially in self-learning IDSes. The IDS by itself does not know if certain traffic patterns should be there or not, are valid or not, or are hostile or not. I think we have delegated certain decisions away from the admin and to the IDS. This is fine and good for "known bad", but not for "abnormal". If traffic can be classified as "known bad" and "known good", certainly there is also "unknown". It seems that most signature and protocol based IDSes only watch for "known bad". The "unknown" part is detected by most anomaly based systems. But unknown to who? The IDS or the admin? I think leaving the IDS to make assumptions about "unknown" is bad practice. Any "unknown" should be alerted to the admin so that he can follow up and investigate that, and by doing so converts it from "unknown" to "known", either "good" or "bad". That can only be done if the admin defines "normal", not the IDS. Cheers, Frank (not authoritatively or scientifically speaking, but musing about anomaly detection on the couch...)
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Current state of Anomaly-based Intrusion Detection Göran Sandahl (Feb 28)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Chris Keladis (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection security.feeds (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Orit Vidas (Mar 09)
- <Possible follow-ups>
- RE: Current state of Anomaly-based Intrusion Detection Andrew Plato (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection SecurIT Informatique Inc. (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 02)
- Re: Current state of Anomaly-based Intrusion Detection Thomas Ptacek (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 06)