IDS mailing list archives

RE: Anomaly Based Network IDS


From: "Shafi, Shahid" <sshafi () qualcomm com>
Date: Fri, 18 Jun 2004 23:53:35 -0700

Hi Drew,

I am myself evaluating Mazu's profiler. Don't you think they should do
more when it comes to packet inspection? I mean deep inspection and
at least alarm if something is not following published RFCs, etc.

Shahid

-----Original Message-----
From: Drew Simonis [mailto:simonis () myself com] 
Sent: Friday, June 18, 2004 10:35 AM
To: Joe Dauncey; focus-ids () securityfocus com
Subject: Re: Anomaly Based Network IDS


----- Original Message ----- 
From: Joe Dauncey 
Date: Fri, 18 Jun 2004 14:09:08 +0100 
To: focus-ids () securityfocus com 
Subject: Anomaly Based Network IDS 

Hi, 

I am interested in views on anomaly-based Network IDS. 

... 

I suppose my definition of anomaly based is that it discovers attacks
based on sampling and analysing the network traffic and identifying
anomalies on the norm, rather than relying on a specific external
signature to tell it what to look for.

I'm thinking that this would really have to be incredibly
sophisticated as it's going to vary for every network environment,
and could potentially generate a lot of false positives.

I'm especially interested in anything that would claim to be able to
detect a worm attack (and even prevent it) without knowing about it
already - i.e. through a signature.


You'll want to look at a couple of things.  First, there are protocol
anomaly IDS, such as Symantec Manhunt.  These detect deviations from
published RFCs and report on that.  They can detect attacks absent a
signature, but are prone to false positives.  They take some tuning
and decently skilled analysts.

Second, (and I think what you seem to want) you'll want to look at
profiling systems.  My favorite is the aptly named "Profiler" by Mazu
Networks.  It can, as you ask, detect worm activity absent any
information, and (a set apart feature from the others in this space,
IMO) has a dynamic baseline.  I use it, and I like it.

-Ds
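A sketch of the dynamic-baseline profiling Drew describes, added here as an illustration for this archive page; it is not code from Mazu Networks or from any list member, and the hosts, flow records, window size and thresholds are all constructed. It tracks each host's per-window fan-out (distinct destinations contacted), keeps a moving EWMA baseline per host, and raises an alert when a window exceeds it by k standard deviations, so a sudden spread on tcp/445 is flagged without any worm signature, while the flagged window is kept out of the baseline so scanning does not become "normal".

```python
from collections import defaultdict
from math import sqrt

# Constructed flow records (window_id, src_host, dst_host, dst_port), not real traffic.
# Host 10.0.0.5 quietly talks to a handful of servers, then in window 5 fans out
# to 40 distinct hosts on tcp/445: the spread pattern of a scanning worm.
FLOWS = [(w, "10.0.0.5", f"10.0.1.{i}", 443) for w in range(5) for i in range(3 + w % 3)]
FLOWS += [(5, "10.0.0.5", f"10.0.2.{i}", 445) for i in range(40)]
FLOWS += [(w, "10.0.0.9", "10.0.1.1", 53) for w in range(6)]   # a steady, boring host

def fan_out_by_window(flows):
    """Return {src_host: [(window, distinct_destinations), ...]} in window order."""
    dsts = defaultdict(set)
    for w, src, dst, _port in flows:
        dsts[(w, src)].add(dst)
    out = defaultdict(list)
    for (w, src) in sorted(dsts):
        out[src].append((w, len(dsts[(w, src)])))
    return out

class DynamicBaseline:
    """Per-host EWMA mean/variance of fan-out; alerts when value > mean + k*std.
    Flagged windows are not learned from, so a scan cannot teach itself in."""
    def __init__(self, alpha=0.3, k=3.0, floor=10):
        self.alpha, self.k, self.floor = alpha, k, floor
        self.state = {}                              # host -> [mean, variance]

    def observe(self, host, value):
        st = self.state.get(host)
        if st is None:                               # first window: seed, no verdict
            self.state[host] = [float(value), 0.0]
            return False
        mean, var = st
        threshold = max(self.floor, mean + self.k * sqrt(var))  # floor keeps a
        anomalous = value > threshold                # 3 -> 5 wobble from alarming
        if not anomalous:
            diff = value - mean
            st[0] = mean + self.alpha * diff
            st[1] = (1 - self.alpha) * (var + self.alpha * diff * diff)
        return anomalous

def profile(flows, **kw):
    """Run the profiler over all windows; return [(window, host, fan_out)] alerts."""
    baseline, alerts = DynamicBaseline(**kw), []
    for host, series in fan_out_by_window(flows).items():
        for w, n in series:
            if baseline.observe(host, n):
                alerts.append((w, host, n))
    return alerts
```

Running `profile(FLOWS)` on the constructed data yields a single alert for 10.0.0.5 in window 5; the quiet host never trips the threshold, which is the false-positive trade-off the thread is discussing.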
