IDS mailing list archives
Re: IDS thoughts
From: Ramani Yellapragada <ryellapr () masaka cs ohiou edu>
Date: Tue, 20 May 2003 17:53:06 -0400
> "Anomaly detection" isn't an architecture or implementation. It's no more "rate over time, cross host cross protocol" than it is "validate against RFCs". Anomaly detection is the philosophy of design that says that we can find interesting events by looking for deviations from the norm.
But what are the common approaches to build upon this design idea? Say we are looking at anomalies for a protocol. Then we could be looking at certain standard protocols (say ssh, smtp, etc.), learn their norm and look for deviations. But what if the anomaly is happening on another, never-used protocol? What if we had not looked at the norm for that protocol? Doesn't anomaly detection then boil down to a signature-based method? Are there ways by which we can study deviations on general network traffic?
> The real fallacy here (and I'm not saying it's in your argument) is the idea that one system is going to address the whole network security policy --- at least, any time soon. This attitude has some organizations trying to solve internal security problems by monitoring for RPC vulnerabilities, while ignoring the innocuous-looking transactions occurring between a secretary and the CVS server.
I feel this is the real problem that needs to be solved. Is there a way we can detect an anomaly regardless of what the protocol is? Or should we be looking only at protocols which are known to contain vulnerabilities? How could anomaly-based detection help in this case?

Ramani.
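As an added illustration of the protocol-agnostic question above (example code written for this archive page, not by anyone in the thread): a flow-level baseline that never parses a protocol, so a service nobody used during training, a host talking to a service it never used before, or a flow whose size is far from that service's norm is flagged as a deviation without any signature. The flow records, hosts, ports and byte counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Each flow record: (src, dst, proto, dport, bytes). All values are constructed.
TRAIN = (
    [("10.0.0.5", "10.0.0.20", "tcp", 22, b) for b in (3900, 4100, 4000, 4200, 3800)]      # ssh
    + [("10.0.0.5", "10.0.0.21", "tcp", 25, b) for b in (1500, 1600, 1400, 1550, 1450)]    # smtp
    + [("10.0.0.9", "10.0.0.22", "tcp", 2401, b) for b in (20000, 21000, 19500, 20500, 20000)]  # dev -> cvs
)


class FlowBaseline:
    """Learns the norm from flow records alone: which services exist, which
    hosts use which services, and how many bytes a flow to each service
    usually carries. No protocol is ever decoded, so the same logic covers
    ssh, smtp, CVS or a protocol the operator has never heard of."""

    def __init__(self, z_threshold=3.0, min_samples=3):
        self.z = z_threshold
        self.min_samples = min_samples
        self.bytes_by_service = defaultdict(list)  # (proto, dport) -> [bytes]
        self.services_by_host = defaultdict(set)   # src -> {(dst, proto, dport)}

    def learn(self, flows):
        for src, dst, proto, dport, nbytes in flows:
            self.bytes_by_service[(proto, dport)].append(nbytes)
            self.services_by_host[src].add((dst, proto, dport))

    def score(self, flow):
        """Return the list of reasons a flow deviates from the norm (empty == normal)."""
        src, dst, proto, dport, nbytes = flow
        svc = (proto, dport)
        reasons = []
        if svc not in self.bytes_by_service:
            # A service with no learned norm at all: still flagged, because
            # "never seen" is itself a deviation. No signature is involved.
            reasons.append(f"never-seen service {proto}/{dport}")
        else:
            sample = self.bytes_by_service[svc]
            mu, sd = mean(sample), pstdev(sample)
            if len(sample) >= self.min_samples and sd > 0 and abs(nbytes - mu) / sd > self.z:
                reasons.append(f"byte count {nbytes} deviates from {proto}/{dport} norm ({mu:.0f})")
        if (dst, proto, dport) not in self.services_by_host[src]:
            # The "secretary talking to the CVS server" case: known service,
            # normal size, but a host/service pair outside its learned norm.
            reasons.append(f"{src} never talked to {dst} on {proto}/{dport} before")
        return reasons


if __name__ == "__main__":
    baseline = FlowBaseline()
    baseline.learn(TRAIN)
    for f in [("10.0.0.5", "10.0.0.20", "tcp", 22, 4050), ("10.0.0.7", "10.0.0.22", "tcp", 2401, 20000)]:
        print(f, baseline.score(f) or "normal")
```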