IDS mailing list archives

Re: Anomaly based network IDS


From: Lance Spitzner <lance () honeynet org>
Date: Thu, 27 Mar 2003 09:48:53 -0600 (CST)

On Wed, 26 Mar 2003, vishal p wrote:

Hi Lau Ker Chea,
To understand anomaly-based IDS, refer to the
following link:
http://www.securityfocus.com/infocus/1663
This is the basic article which shows the difference
between signature-based IDS and protocol-based IDS.
Anomaly IDS works on protocol analysis only...
Symantec ManHunt is a good example of that.

Another good example of anomaly detection is honeypots.
These are systems that have no authorized activity.  Any
connection to (or from) the honeypot is by definition an
anomaly (making them very powerful detection solutions).
In fact, Christian Kreibich has developed Honeycomb, a
plugin for the honeypot Honeyd that not only detects and logs
anomalous activity, but in real time generates IDS
rules based on the activity (specifically Snort).

  Honeycomb/Honeyd
  http://www.citi.umich.edu/u/provos/honeyd/ch01-results/

lance
http://www.tracking-hackers.com
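As an added illustration of the point in the message above (example code written for this archive page; it is not from the original post, from Honeyd or from Honeycomb, and it does not reproduce Honeycomb's rule-generation algorithm), the script below treats any connection that touches a honeypot address as an anomaly by definition and turns each distinct one into a Snort rule. The honeypot address 10.0.0.50, the connection log format and the log lines themselves are constructed for the example. It also distinguishes inbound probes from connections the honeypot itself initiates, since the latter is the stronger signal that the honeypot has been compromised, and it emits any observed payload prefix as Snort hex content so no quoting of Snort's special characters is needed.

```python
"""Honeypot-as-anomaly-detector: any connection to or from a honeypot
is suspicious by definition, so each distinct one becomes a Snort rule.
Simplified illustration; not Honeycomb's algorithm."""
import re
from dataclasses import dataclass

# Assumption for the example: a single honeypot at 10.0.0.50.
HONEYPOTS = {"10.0.0.50"}

# Constructed connection log in a made-up format:
#   <timestamp> <proto> <src>:<sport> -> <dst>:<dport> [payload as hex]
SAMPLE_LOG = """\
2003-03-26T10:01:02 tcp 192.168.1.23:4123 -> 10.0.0.50:80 474554202f20485454502f312e30
2003-03-26T10:01:05 tcp 192.168.1.23:4124 -> 10.0.0.20:80 474554202f20485454502f312e30
2003-03-26T10:02:11 udp 172.16.5.9:1434 -> 10.0.0.50:1434
2003-03-26T10:07:40 tcp 10.0.0.50:32771 -> 203.0.113.7:6667
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<payload>[0-9a-fA-F]+))?\s*$"
)


@dataclass
class Conn:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hexpay = m.group("payload") or ""
    if len(hexpay) % 2:          # odd-length hex is malformed, skip it
        return None
    return Conn(m.group("ts"), m.group("proto"), m.group("src"),
                int(m.group("sport")), m.group("dst"), int(m.group("dport")),
                bytes.fromhex(hexpay))


def classify(conn, honeypots):
    """None for traffic not involving a honeypot; 'inbound' for a probe of
    the honeypot; 'outbound' when the honeypot initiates (likely compromised)."""
    if conn.src in honeypots:
        return "outbound"
    if conn.dst in honeypots:
        return "inbound"
    return None


def detect(log_text, honeypots=HONEYPOTS):
    """Return [(kind, Conn)] for every connection touching a honeypot."""
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        kind = classify(conn, honeypots)
        if kind:
            hits.append((kind, conn))
    return hits


def snort_content(payload, max_bytes=16):
    """Snort hex content (|..|): no escaping of ; " | \\ is needed."""
    return "|" + " ".join(f"{b:02X}" for b in payload[:max_bytes]) + "|"


def snort_rule(kind, conn, sid):
    if kind == "inbound":
        header = f"alert {conn.proto} any any -> {conn.dst} {conn.dport}"
        msg = f"HONEYPOT inbound {conn.proto}/{conn.dport}"
    else:
        header = f"alert {conn.proto} {conn.src} any -> any {conn.dport}"
        msg = f"HONEYPOT outbound from {conn.src} to {conn.proto}/{conn.dport}"
    opts = [f'msg:"{msg}"']
    if conn.payload:
        opts.append(f'content:"{snort_content(conn.payload)}"')
    opts += [f"sid:{sid}", "rev:1"]
    return f"{header} ({'; '.join(opts)};)"


def generate_rules(log_text, honeypots=HONEYPOTS, base_sid=1000001):
    """One rule per distinct (direction, proto, port, payload prefix)."""
    rules, seen = [], set()
    for kind, conn in detect(log_text, honeypots):
        key = (kind, conn.proto, conn.dport, conn.payload[:16])
        if key in seen:
            continue
        seen.add(key)
        rules.append(snort_rule(kind, conn, base_sid + len(rules)))
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_LOG):
        print(rule)
```

Run it and three rules come out: an inbound rule for tcp/80 carrying the observed "GET / HTTP/1.0" bytes as hex content, an inbound rule for udp/1434 with no content, and an outbound rule for the honeypot talking to tcp/6667. The connection to 10.0.0.20 is ignored because no honeypot is involved, which is exactly why the false-positive rate of this kind of detection is so low. In practice you would tie the sid range to your own allocation and write the rules to a file that Snort includes.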

