IDS mailing list archives
RE: Anomaly Based Network IDS
From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Wed, 23 Jun 2004 19:18:22 -0700
A few comments inline.
> I suppose my definition of anomaly based is that it discovers attacks based on sampling and analysing the network traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to look for.
In a nutshell, that's about right, yeah. But there are different kinds of anomaly-based detection systems:

- Statistical anomaly: defines a baseline from observed activity and, for each new event, determines its mathematical probability of occurrence.
- Behavioral anomaly: measures (abnormal) user or application-type events.
- Flow-based anomaly: observes (abnormal) http or other session patterns.
- Protocol anomaly (as mentioned): defines an anomaly as a deviation from a prescribed standard of communication (e.g. RFCs).
> I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network environment, and could potentially generate a lot of false positives.
Well it probably would vary for each environment, to the extent that each environment is different. The big claim of anomaly detection controls, in general, is that they have very low false positives specifically because of how they work.
> I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without knowing about it already - i.e. through a signature.
Well, that's not really how to think about anomaly detection systems. They won't detect a worm any more than a web server banner; leave that to signature-based systems. The goal is to detect behavior that is "different enough" from a prescribed norm, where "different enough" could result from dramatically increased (or decreased) traffic, user authentication from an irregular location, or a significant change in user behavior. Now, what is causing that aberrant behavior? Well, that's for you to find out. This is where correlation with a signature-based system comes in, as does a human. This isn't a failing of anomaly detection, just how it works. (Just as signature-based controls can't detect unknown attacks. Thus the reason they are used together.)

Hope that helps.

Cheers,
sasha
> I know that there have been a few Host-based IDS that make this claim, but I'm looking for something that will look after a network infrastructure, rather than a subset of specific systems.
> Any thoughts or comments?
>
> Thanks,
> Joe Dauncey
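To make the "statistical anomaly" flavour Sasha describes concrete, here is a toy detector added to this archive page (it is not code from the thread or from any product): it learns a baseline from observed per-minute connection counts and flags later intervals that sit too far from it. The traffic counts and the 3-sigma threshold are constructed for the illustration.

```python
"""Toy statistical anomaly detector: learn a baseline from observed activity,
then score each new interval by its distance from that baseline.
All sample data below is constructed for this example."""
import statistics
from typing import List, Tuple

# Constructed baseline: connections per minute seen during "normal" operation.
BASELINE_COUNTS = [120, 131, 118, 125, 140, 122, 128, 135, 119, 126,
                   133, 124, 121, 130, 127, 138, 123, 129, 120, 132]

# Constructed new observations with one surge (410) and one drop (12) embedded.
NEW_COUNTS = [124, 129, 131, 410, 126, 122, 12, 127]


def build_baseline(counts: List[int]) -> Tuple[float, float]:
    """Return (mean, sample standard deviation) of the observed activity."""
    if len(counts) < 2:
        raise ValueError("need at least two observations to build a baseline")
    return statistics.mean(counts), statistics.stdev(counts)


def z_score(value: float, mean: float, stdev: float) -> float:
    """Standard deviations from the baseline; a flat baseline scores 0."""
    return (value - mean) / stdev if stdev > 0 else 0.0


def find_anomalies(counts: List[int], mean: float, stdev: float,
                   threshold: float = 3.0) -> List[Tuple[int, int, str]]:
    """Flag intervals whose |z| meets the threshold.
    Both surges and drops are reported, since either can be "different enough".
    The detector only says an interval is abnormal, not why; the cause is left
    to correlation with signature-based alerts and to the analyst."""
    flagged = []
    for idx, value in enumerate(counts):
        z = z_score(value, mean, stdev)
        if abs(z) >= threshold:
            flagged.append((idx, value, "surge" if z > 0 else "drop"))
    return flagged


def run_demo() -> List[Tuple[int, int, str]]:
    mean, stdev = build_baseline(BASELINE_COUNTS)
    return find_anomalies(NEW_COUNTS, mean, stdev)


if __name__ == "__main__":
    for idx, value, kind in run_demo():
        print(f"interval {idx}: {value} connections/min ({kind})")
```

Lowering the threshold trades fewer missed deviations for more alerts on ordinary variation, which is the false-positive balance Joe asks about.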