Anomaly Based Network IDS

[Joe Dauncey <secdistlist () dauncey net>]

Hi,

I am interested in views on anomaly-based Network IDS.

A colleague has proposed that we look at using one, but I am not sure how advanced they are? If indeed any exist?

I know that at least Enterasys Dragon NIDS claims to be anomaly based.

I suppose my defintion of anomaly based is that it discovers attacks based on sampling and analysing the network 
traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to 
look for.

I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network 
environemtn, and could potentially generate a lot of false positives.

I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without 
knowing about it already - i.e. through a signature.

I know that there have been a few Host-based IDS that make this claim, but I'm looking for something that will look 
after a network infrastructure, rather than a subset of specific systems.

Any thoughts or comments?

Thanks,
Joe

-- 

Joe Dauncey

---------------------------------------------------------------------------

---------------------------------------------------------------------------