IDS mailing list archives
Re: normal behaviour definition
From: Nakul Aggarwal <nakula () gmail com>
Date: Fri, 7 Oct 2005 20:26:42 +0530
Hey Sanjay,

Thanks for replying. That means one needs to have constant monitoring of the "training set" or transform this "constant monitoring" into a statistical model for moving out the outliers. But even so, some sorts of anomalies like slow portscans won't be able to be monitored or statistically outlied by this approach on "normal" data? Even that paper says, we have our own algos and some of the MIT ones for normal data, but they don't say anything else :(

Thanks for the help though.

Regards
Nakul Aggarwal

On 10/7/05, Sanjay Rawat <sanjayr () intoto com> wrote:
There are two ways to get normal behavior:

1. You make sure that while capturing the data, no attack is being launched. This is rather a costly assumption, as you need to ensure a closed environment (like DARPA or some other data sets, available on the NET).

2. It is assumed that the normal to abnormal ratio is 100:5 (+-2) (see the work of Eskin, university of Columbia). Therefore, if we see this data from a statistical point of view, abnormal data should be seen as outliers. In other words, if you apply some statistical (or other DM/ML) techniques, you should be able to filter outliers, thus abnormal traffic.

I hope it will give some insight.

Sanjay

At 11:41 AM 10/6/2005, Nakul Aggarwal wrote:

Hi everyone, I am working on a project of behavioral anomaly detection. In some of the papers I read, authors talk about the difficulty of an accurate definition of "normal" behavior, but after that they either use standard data sets (MIT ones or KDD) or just say "first normal behavior was learnt and then evaluations are performed." But how normal behavior was defined/learnt, that no-one tells. Can someone throw some light on this?

Thanking You
regards
Nakul Aggarwal

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
--
regards
Nakul Aggarwal
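Sanjay's second option, treating the presumed-abnormal minority of a capture as statistical outliers and filtering it out to obtain a "normal" training set, can be tried on a single feature. The script below is an added example, not code from anyone in this thread; it assumes one per-interval feature (connections per minute from a source), a constructed capture with roughly the 100:5 normal-to-abnormal mix quoted above, and uses the median and median absolute deviation (MAD) with the modified z-score of Iglewicz and Hoaglin as the outlier test, a choice that is mine and not something the thread prescribes. It also scores two fresh observations against the filtered set, which shows Nakul's caveat: activity whose per-interval footprint sits inside the normal band is not separated by this kind of filter.

```python
"""Build a 'normal' training set by filtering statistical outliers.

Added example; not code from the mailing-list thread. It assumes a single
per-interval feature (connections per minute per source) and the thread's
assumption that abnormal records are a small minority (~5%) of the capture.
"""
from statistics import median

# Constructed sample: 100 'normal' intervals (20..30 connections/min) plus 5
# abnormal bursts mixed in, roughly the 100:5 ratio quoted in the thread.
NORMAL_INTERVALS = [20 + (i % 11) for i in range(100)]
BURST_INTERVALS = [300, 420, 550, 800, 1200]
CAPTURE = NORMAL_INTERVALS + BURST_INTERVALS

# Standard constant that makes the MAD comparable to a standard deviation
# for normally distributed data (Iglewicz and Hoaglin's modified z-score).
MAD_SCALE = 0.6745


def robust_center_and_spread(samples):
    """Median and median absolute deviation (MAD).

    Both resist contamination by a minority of outliers, unlike the mean
    and standard deviation, which a handful of large bursts drags upward.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad


def is_outlier(value, med, mad, threshold=3.5):
    """Modified z-score test: flag when the scaled distance from the median
    exceeds `threshold` (3.5 is the cut-off Iglewicz and Hoaglin suggest)."""
    if mad == 0:
        # Degenerate spread: anything off the median is an outlier.
        return value != med
    return abs(MAD_SCALE * (value - med) / mad) > threshold


def split_training_set(samples, threshold=3.5):
    """Return (normal, outliers): the records kept as the 'normal' training
    set and the records discarded as presumed-abnormal."""
    med, mad = robust_center_and_spread(samples)
    normal = [x for x in samples if not is_outlier(x, med, mad, threshold)]
    outliers = [x for x in samples if is_outlier(x, med, mad, threshold)]
    return normal, outliers


def check_new_interval(value, training_set, threshold=3.5):
    """Score a fresh observation against the filtered training set."""
    med, mad = robust_center_and_spread(training_set)
    return is_outlier(value, med, mad, threshold)


if __name__ == "__main__":
    normal, outliers = split_training_set(CAPTURE)
    print(f"kept {len(normal)} normal intervals, dropped {len(outliers)}: {outliers}")
    # A burst stands out; activity that stays inside the normal band in every
    # interval (the slow-portscan concern raised in the thread) does not.
    print("burst interval flagged:", check_new_interval(500, normal))
    print("low-rate interval flagged:", check_new_interval(27, normal))
```

On the constructed capture the median is 25 and the MAD is 3, so every value in the 20..30 band is kept and all five bursts are dropped. The second check is the point of Nakul's objection: a 27-connection interval is indistinguishable from normal by this feature, so an anomaly that never exceeds the per-interval band is neither filtered out of the training data nor flagged later; catching it needs a feature that accumulates over a longer horizon, which this single-feature filter does not provide.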