IDS mailing list archives
Re: IDS thoughts
From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Mon, 26 May 2003 21:03:27 +0200
> But what if the anomaly is happening on another never used protocol.

If it has never been used on that network, it IS an anomaly by itself. What you are probably missing is that "anomaly" is not defined "a priori". You define it on the network segment you are monitoring or on the system you are monitoring. It MUST adapt.

> Are there ways by which we can study deviations on general network traffic?

Yes there are - google is your friend ;)

> I feel this is the real problem that needs to be solved. Is there a way we
> can detect an anomaly regardless of what the protocol is?

It is what we are trying to build here (here = my university lab). It's not an easy task, and you will probably never get an automatic know-it-all oracle... but it can be studied and must be studied, because the misuse detection approach alone will not work.

> Or should we be looking only at protocols which are known to contain vulnerabilities? How could anomaly-based detection help in this case?

You may begin by looking at protocols you know and ensuring they actually ARE the protocols you know.

Stefano Zanero
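Added example, not part of the original message or of any tool the thread mentions: a minimal sketch of the two ideas in the reply above, a per-segment baseline in which "anomaly" means a (transport, port) service never observed on that segment during training, and a conformance check that traffic on a port you know actually looks like the protocol that port is supposed to carry. The flow records, the port-to-protocol table and the first-bytes heuristics are all constructed assumptions for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # transport: "tcp", "udp", "gre", ...
    dst_port: int    # 0 when the protocol has no ports
    payload: bytes   # first client bytes of the flow, if any


# Assumption for the example: what well-known ports are supposed to carry.
# A real deployment would learn/verify this per segment rather than hard-code it.
EXPECTED_ON_PORT = {
    80: ("tcp", "http"),
    22: ("tcp", "ssh"),
    53: (None, "dns"),   # None: tcp or udp both acceptable
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like(app: str, payload: bytes) -> bool:
    """Cheap conformance check on the first client bytes of a flow (heuristic)."""
    if app == "http":
        return payload.startswith(HTTP_METHODS)
    if app == "ssh":
        return payload.startswith(b"SSH-")
    if app == "dns":
        return len(payload) >= 12    # a DNS header is 12 bytes; deliberately loose
    return True


class SegmentBaseline:
    """Per-segment model: which (transport, port) services are normal *here*.

    The same flow can be normal on one segment and an anomaly on another,
    which is why the baseline is built per segment instead of a priori."""

    def __init__(self):
        self.seen = Counter()

    def train(self, flows):
        for f in flows:
            self.seen[(f.proto, f.dst_port)] += 1

    def check(self, flow: Flow) -> list:
        alerts = []
        # 1) never-seen service on this segment => anomaly by definition
        if (flow.proto, flow.dst_port) not in self.seen:
            alerts.append(f"never-seen service {flow.proto}/{flow.dst_port}")
        # 2) known port: make sure it really carries the protocol we expect
        rule = EXPECTED_ON_PORT.get(flow.dst_port)
        if rule:
            want_proto, app = rule
            if want_proto and want_proto != flow.proto:
                alerts.append(f"port {flow.dst_port} expected {want_proto}, got {flow.proto}")
            elif not looks_like(app, flow.payload):
                alerts.append(f"port {flow.dst_port} traffic does not look like {app}")
        return alerts


# Constructed sample traffic for two different segments.
OFFICE_TRAINING = [
    Flow("tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("tcp", 22, b"SSH-2.0-OpenSSH_5.9\r\n"),
    Flow("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]
# On the IRC server segment, tcp/6667 is part of normal life.
IRC_SERVER_TRAINING = OFFICE_TRAINING + [Flow("tcp", 6667, b"NICK bot\r\n")]


def build(training) -> SegmentBaseline:
    baseline = SegmentBaseline()
    baseline.train(training)
    return baseline


if __name__ == "__main__":
    office = build(OFFICE_TRAINING)
    for f in [Flow("tcp", 80, b"\x16\x03\x01\x00\x2f"),   # TLS hello on port 80
              Flow("tcp", 6667, b"NICK x\r\n"),             # IRC on the office LAN
              Flow("gre", 0, b"")]:                          # tunnel never seen here
        print(f.proto, f.dst_port, office.check(f))
```

The point of training two baselines from different segments is the one made in the reply: tcp/6667 raises an alert on the office segment and nothing on the IRC server segment, because "anomaly" is relative to what that segment normally carries. The first-bytes heuristics are only a stand-in for a real protocol parser; they show the shape of the "is this really HTTP?" check, not a production implementation.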
Current thread:
- IDS thoughts Randy Taylor (May 13)
- Re: IDS thoughts Stephen P. Berry (May 14)
- Re: IDS thoughts Stefano Zanero (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Ramani Yellapragada (May 20)
- Re: IDS thoughts Lance Spitzner (May 21)
- Re: IDS thoughts Stefano Zanero (May 27)
- Re: IDS thoughts Bill Royds (May 21)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Roger A. Grimes (May 21)
- Re: IDS thoughts Raistlin (May 27)
- Random IDS Thoughts [WAS: Re: IDS thoughts] Greg Shipley (May 29)
- Message not available
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] SecurIT Informatique Inc. (May 30)
- <Possible follow-ups>
- Re: IDS thoughts Andrew Plato (May 20)