IDS mailing list archives

Re: IDS thoughts


From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Mon, 26 May 2003 21:03:27 +0200

> But what if the anomaly is happening on another never used
> protocol.

If it's never been used on that network, it IS an anomaly by itself. What
you are probably missing is that "anomaly" is not defined "a priori". You
define it on the network segment you are monitoring or the system you are
monitoring. It MUST adapt.

> Are there ways by
> which we can study deviations on general network traffic?

Yes there are - google is your friend ;)

> I feel this is the real problem that needs to be solved. Is there a way we
> can detect an anomaly regardless of what the protocol is?

It is what we are trying to build here (here = my university lab). It's not
an easy task, and you will probably never get an automatic know-it-all
oracle... but it can be studied and must be studied, because the misuse
detection approach alone will not work.

> Or should we be
> looking only at protocols which are known to contain vulnerabilities? How
> could anomaly-based detection help in this case?

You may begin by looking at protocols you know and ensuring they actually
ARE the protocols you know.

Stefano Zanero
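The two ideas in the reply above, that a protocol never seen on a given segment is an anomaly for that segment, and that traffic on a well-known port should be checked to really be the protocol the port name promises, can be sketched in a few lines. The following is an added example, not code from the original post or from the author's lab: a toy baseline learner plus a port/protocol conformance check. The banner heuristics in `classify_payload`, the `EXPECTED_BY_PORT` table and all sample flows are constructed assumptions for illustration, not a real DPI engine or real traffic.

```python
"""Toy per-segment protocol baseline plus port conformance check.

Added example (not from the original post). Flows are modelled as
(segment, dst_port, first bytes sent by the client); all sample data below
is constructed, and the protocol classifier is a small set of banner
heuristics standing in for real protocol identification.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, bytes]  # (segment, dst_port, first client bytes)

# Assumption: what the site operator believes runs on each well-known port.
EXPECTED_BY_PORT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


def classify_payload(payload: bytes) -> Optional[str]:
    """Guess the application protocol from the first bytes of a flow.

    Heuristics only: SSH banner, HTTP request line, TLS ClientHello record
    header, or an SMTP command/greeting. Returns None when nothing matches.
    """
    head = payload[:16]
    if head.startswith(b"SSH-"):
        return "ssh"
    for verb in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS "):
        if head.startswith(verb):
            return "http"
    # TLS record: type 0x16 (handshake), major version 0x03, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    for cmd in (b"EHLO ", b"HELO ", b"MAIL FROM:", b"220 "):
        if head.upper().startswith(cmd):
            return "smtp"
    return None


def learn_baseline(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Record which protocols each segment has actually carried.

    Flows the classifier cannot name are kept as 'unknown/<port>' so the
    baseline still remembers that such traffic existed on that segment.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for segment, port, payload in flows:
        seen[segment].add(classify_payload(payload) or f"unknown/{port}")
    return dict(seen)


def detect(flow: Flow, baseline: Dict[str, Set[str]]) -> List[str]:
    """Return the anomaly reasons for one flow; an empty list means normal."""
    segment, port, payload = flow
    reasons: List[str] = []
    observed = classify_payload(payload)
    expected = EXPECTED_BY_PORT.get(port)
    # Check 1: on a well-known port, the payload must look like the protocol
    # the port name promises (catches tunnels and services hiding on 80/443).
    if expected is not None and observed != expected:
        reasons.append(f"port {port} expected {expected}, payload looks like {observed or 'unknown'}")
    # Check 2: a protocol never seen on this segment is an anomaly for this
    # segment, whatever it is. A segment with no baseline at all is one too.
    label = observed or f"unknown/{port}"
    if label not in baseline.get(segment, set()):
        reasons.append(f"{label} never seen before on segment {segment}")
    return reasons


# Constructed training traffic: the "normal" period used to learn the baseline.
TRAINING_FLOWS: List[Flow] = [
    ("dmz", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("dmz", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    ("dmz", 80, b"POST /login HTTP/1.1\r\n"),
    ("office", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("office", 443, b"\x16\x03\x03\x01\x2c\x01\x00\x01\x28"),
]

# Constructed test traffic: one normal flow per segment plus some deviations.
TEST_FLOWS: List[Flow] = [
    ("dmz", 80, b"GET /a HTTP/1.1\r\n"),        # normal
    ("dmz", 80, b"SSH-2.0-dropbear\r\n"),       # SSH hiding on port 80
    ("office", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),  # normal
    ("office", 25, b"EHLO mail.example\r\n"),    # real SMTP, but new to office
    ("dmz", 8080, b"\x00\x01\x02"),             # unclassified, new to dmz
    ("lab", 80, b"GET / HTTP/1.1\r\n"),          # segment never baselined
]


def run_demo() -> List[List[str]]:
    """Learn from TRAINING_FLOWS and score every flow in TEST_FLOWS."""
    baseline = learn_baseline(TRAINING_FLOWS)
    return [detect(flow, baseline) for flow in TEST_FLOWS]


if __name__ == "__main__":
    for flow, reasons in zip(TEST_FLOWS, run_demo()):
        print(flow[:2], "OK" if not reasons else "; ".join(reasons))
```

The point of keeping the two checks separate is that they fail differently: the conformance check needs no training and catches a known protocol on the wrong port, while the per-segment baseline needs a clean learning window but catches the "never used here" case the thread asks about, including protocols the classifier cannot even name. In practice the baseline must keep adapting, as the reply says, so a real deployment would age entries out and re-learn rather than freeze the set once.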
