IDS mailing list archives
Anomaly Based Network IDS
From: Joe Dauncey <secdistlist () dauncey net>
Date: Fri, 18 Jun 2004 14:09:08 +0100
Hi, I am interested in views on anomaly-based Network IDS. A colleague has proposed that we look at using one, but I am not sure how advanced they are? If indeed any exist? I know that at least Enterasys Dragon NIDS claims to be anomaly based. I suppose my defintion of anomaly based is that it discovers attacks based on sampling and analysing the network traffic and identifying anomalies on the norm, rather than relying on a specific external signature to tell it what to look for. I'm thinking that this would really have to be incredibly sophisticated as it's going to vary for every network environemtn, and could potentially generate a lot of false positives. I'm especially interested in anything that would claim to be able to detect a worm attack (and even prevent it) without knowing about it already - i.e. through a signature. I know that there have been a few Host-based IDS that make this claim, but I'm looking for something that will look after a network infrastructure, rather than a subset of specific systems. Any thoughts or comments? Thanks, Joe -- Joe Dauncey --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- Anomaly Based Network IDS Joe Dauncey (Jun 18)
- RE: Anomaly Based Network IDS Mike Lyman (Jun 21)
- RE: Anomaly Based Network IDS Sasha Romanosky (Jun 24)
- Re: Anomaly Based Network IDS Thomas Ptacek (Jun 25)
- <Possible follow-ups>
- Re: Anomaly Based Network IDS Drew Simonis (Jun 18)
- Re: Anomaly Based Network IDS Jose Nazario (Jun 22)
- RE: Anomaly Based Network IDS Shafi, Shahid (Jun 22)
- RE: Anomaly Based Network IDS Joshua Berry (Jun 22)
- Re: Anomaly Based Network IDS Aaron Jordan (Jun 22)
- RE: Anomaly Based Network IDS Drew Copley (Jun 22)
- Re: Anomaly Based Network IDS Adam Powers (Jun 24)
(Thread continues...)