Re: normal behaviour definition

[Nakul Aggarwal <nakula () gmail com>]

Hey Sanjay,
Thanks for repyling. That means one need to have constant monitoring
of the "training set" or transform this "constant monitoring" to a
statistical model for moving out the outliers.

but even some sort anomalies like slow portscans wont be able to
monitored or statistically outlied by this approach on "normal" data?

Even that papers says, we have our own algo's and some of MIT ones for
normal data. but they dont say anthing else :(
Thanks for help though.

Regards
Nakul Aggarwal

On 10/7/05, Sanjay Rawat <sanjayr () intoto com> wrote:
> There are two ways to get normal behavior:
> 1. you make sure that while capturing the data, no attack is being
> launched. this is rather a costly assumption, as you need to ensure a
> closed environment (like DARPA or some other data sets, available on NET).
> 2. It is assumed that normal to abnormal ratio is 100:5 (+-2) ( see the
> work of Eskin, university of Columbia). therefore, if we see this data from
> statistical point of view, abnormal data should be seen as outlier. in
> other words, if you apply some statistical (or other DM/ML) techniques, you
> should be able to filter outliers, thus abnormal traffic.
>
> I hope it will give some insight.
> Sanjay
>
> At 11:41 AM 10/6/2005, Nakul Aggarwal wrote:
> > Hi everyone,
> > I am working on a project of behavioral anomaly detection. In some of
> > the papers I read, authors talk about the difficulty of accurate
> > definition of "normal" behavior but after that they either use
> > standard data sets(MIT ones or KDD) or just say "first normal behavior
> > was learnt and and then evaluations are performed."
> >
> > But how normal behavior was defined/learnt, that no-one tells. Can
> > someone throw some light on this?
> >
> > Thanking You
> > regards
> > Nakul Aggarwal
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
>
> Sanjay Rawat
> Senior Software Engineer
> INTOTO Software (India) Private Limited
> Uma Plaza, Above HSBC Bank, Nagarjuna Hills
> PunjaGutta,Hyderabad 500082 | India
> Office: + 91 40 23358927/28 Extn 422
> Website : www.intoto.com
>    Homepage: http://sanjay-rawat.tripod.com


--
regards
Nakul Aggarwal

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------