IDS mailing list archives

RE: Anomaly Based Network IDS


From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Wed, 23 Jun 2004 19:18:22 -0700


A few comments inline.

> I suppose my definition of anomaly based is that it discovers
> attacks based on sampling and analysing the network traffic 
> and identifying anomalies on the norm, rather than relying on 
> a specific external signature to tell it what to look for.

In a nutshell, that's about right, yeah. But there are different kinds
of anomaly-based detection systems:
- Statistical anomaly: defines a baseline from observed activity and for
each new event, determines its mathematical probability of occurrence.
- Behavioral anomaly: measures (abnormal) user or application-type
events
- Flow-based anomaly: observes (abnormal) http or other session patterns
- Protocol anomaly (as mentioned): defines an anomaly as a deviation
from a prescribed standard of communication (e.g. RFCs)

> I'm thinking that this would really have to be incredibly
> sophisticated as it's going to vary for every network 
> environment, and could potentially generate a lot of false positives.

Well it probably would vary for each environment, to the extent that
each environment is different. The big claim of anomaly detection
controls, in general, is that they have very low false positives
specifically because of how they work. 

> I'm especially interested in anything that would claim to be
> able to detect a worm attack (and even prevent it) without 
> knowing about it already - i.e. through a signature.

Well, that's not really how to think about anomaly detection systems.
They won't detect a worm any more than a web server banner, leave that
to signature-based systems. The goal is to detect behavior that is
"different enough" from a prescribed norm. Where "different enough"
could result from dramatically increased (or decreased) traffic, user
authentication from an irregular location, or a significant change in
user behavior. 

Now, what is causing that aberrant behavior? Well, that's for you to
find out. This is where correlation with a signature-based system comes
in, as does a human. This isn't a failing of anomaly detection, just how
it works. (Just as signature-based controls can't detect unknown
attacks. Thus the reason they are used together.)


Hope that helps.

Cheers,
sasha

> I know that there have been a few Host-based IDS that make
> this claim, but I'm looking for something that will look 
> after a network infrastructure, rather than a subset of 
> specific systems.
> 
> Any thoughts or comments?
> 
> Thanks,
> Joe Dauncey

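As an added illustration of the "statistical anomaly" variety Sasha lists (this is not code from the thread or from either poster), the Python below builds a baseline from a window of observed per-minute connection counts and, for each new observation, estimates how improbable it is under that baseline, flagging both dramatic increases and decreases. The counts, the alpha threshold, the normal-distribution model and all function names are assumptions made for the example; what the detector reports is only "different enough", and the cause is left to correlation and a human, as the reply says.

```python
"""Statistical anomaly detection over per-interval traffic counts.

Added example, not code from the IDS mailing-list thread. It builds a
baseline (mean and sample standard deviation) from observed activity and
scores each new observation by its two-sided probability under a normal
model fitted to that baseline. All sample data below is constructed.
"""
import math
from dataclasses import dataclass

# Constructed baseline: connections per minute seen during a "normal" window.
BASELINE_COUNTS = [118, 124, 131, 120, 127, 122, 129, 125, 119, 126,
                   130, 123, 121, 128, 124, 127, 122, 125, 129, 120]


@dataclass
class Baseline:
    mean: float
    stdev: float


def build_baseline(counts):
    """Fit mean and sample standard deviation to observed counts."""
    n = len(counts)
    if n < 2:
        raise ValueError("need at least two observations to build a baseline")
    mean = sum(counts) / n
    var = sum((c - mean) ** 2 for c in counts) / (n - 1)
    return Baseline(mean=mean, stdev=math.sqrt(var))


def two_sided_p_value(value, baseline):
    """Probability, under the normal model, of a value at least this far
    from the baseline mean in either direction (spike or drop)."""
    if baseline.stdev == 0:
        return 1.0 if value == baseline.mean else 0.0
    z = abs(value - baseline.mean) / baseline.stdev
    return math.erfc(z / math.sqrt(2))


def score_event(value, baseline, alpha=0.001):
    """Score one new observation. 'anomalous' means its probability under
    the baseline falls below alpha; direction says whether traffic rose or
    fell, which is the only hint the detector itself can give about cause."""
    p = two_sided_p_value(value, baseline)
    direction = "increase" if value > baseline.mean else "decrease"
    return {"value": value, "p": p, "anomalous": p < alpha,
            "direction": direction}


def detect(new_counts, baseline, alpha=0.001):
    """Return the scored events that exceed the anomaly threshold."""
    return [e for e in (score_event(c, baseline, alpha) for c in new_counts)
            if e["anomalous"]]


if __name__ == "__main__":
    base = build_baseline(BASELINE_COUNTS)
    # Constructed new observations: normal minute, worm-like spike, outage drop.
    for event in detect([126, 410, 12], base):
        print(f"{event['value']:>4} conn/min  p={event['p']:.2e}  "
              f"{event['direction']}")
```

A spike of 410 connections per minute and a drop to 12 are both flagged, while 126 is not; a real deployment would recompute the baseline per environment (and per time of day), which is why Sasha expects it to vary between networks.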
