IDS mailing list archives

Re: need your help,thanks


From: Charles Heselton <charles.heselton () gmail com>
Date: Tue, 24 Aug 2004 19:42:15 -0700

On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111 () hotmail com> wrote:
hi, all
   I am a youngling in IDS. I read some papers in network these days, and the more I read the less I 
understand. Because there are so many research areas in IDS, I don't know what I'll do. There are some questions 
below:

Keep reading.  ;)

   1. Have the false alarm rates been resolved now? I think it's an essential premise of the area of "response 
mechanism of IDS" that I want to research, do you think so?

False alarms depend upon the accuracy of your signatures, and the
peculiarity of your traffic.  If the traffic in your environment is
out of RFC standard, but is considered "normal" for your environment,
it could produce a lot of false positives, especially with an anomaly
based IDS.  I think that this is something that IDS will always have
to deal with.  You can never have *perfect* detection.

   2. Has someone firsthand used a data mining tool just like C5 to reduce some data and make a conclusion about 
anomaly detection? Do you think it is advisable?
   Could you please help me? Thank you in advance.


I haven't used C5, but my organization has attempted to use an Oracle
database for such a purpose.  There are products out there which are
supposed to do this sort of correlation for you.  I know of Symantec's
CyberWolf, and I've been told (:-?) that NetIQ does this sort of
thing, though I have yet to see it.  I'm sure there are others as
well.  Anyhow, the key to making a database type situation work is
being able to rule out possibly anomalous traffic based on historical
data.  Then feed this info back into the IDS.  I'm not familiar with
any IDS that has this capability (yet).


Regards

Lily


-- 
Charlie Heselton
Network Security Engineer
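The feedback loop Charlie describes (using historical alert data to rule out traffic that is anomalous but normal for the environment, then tuning the IDS with the result) can be sketched in a few lines. This is an added example, not code from the thread or from any product named in it; the alert format, the sample history and the three-day threshold are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed alert history (not from the thread): "YYYY-MM-DD|signature|src|dst".
# The backup host 10.0.0.5 trips a fragmentation rule every night, which is
# normal here; 203.0.113.9 appears only once and deserves a look.
HISTORY = """\
2004-08-18|FRAG_OVERLAP|10.0.0.5|10.0.0.20
2004-08-19|FRAG_OVERLAP|10.0.0.5|10.0.0.20
2004-08-20|FRAG_OVERLAP|10.0.0.5|10.0.0.20
2004-08-21|FRAG_OVERLAP|10.0.0.5|10.0.0.20
2004-08-21|PORTSCAN|203.0.113.9|10.0.0.20
"""


def parse_alerts(text):
    """Turn alert lines into (date, signature, src, dst) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, sig, src, dst = line.split("|")
        rows.append((date.fromisoformat(day), sig, src, dst))
    return rows


def build_baseline(alerts):
    """For each (signature, src) pair, the set of distinct days it fired on."""
    days = defaultdict(set)
    for day, sig, src, _dst in alerts:
        days[(sig, src)].add(day)
    return days


def classify(sig, src, baseline, min_days=3):
    """'expected' if the pair recurred on at least min_days separate days, else 'investigate'."""
    seen = baseline.get((sig, src), set())
    return "expected" if len(seen) >= min_days else "investigate"


def suppression_candidates(baseline, min_days=3):
    """Recurring (signature, src) pairs to hand back to the IDS as tuning candidates.
    They are proposed for analyst review, not applied automatically, so a slow
    recurring attack is not silenced just because it is persistent."""
    return sorted(pair for pair, seen in baseline.items() if len(seen) >= min_days)
```

Counting distinct days rather than raw alert volume keeps one noisy burst from being baselined as normal.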

