IDS mailing list archives

RE: Anomaly Based Network IDS


From: "Joshua Berry" <jberry () PENSON COM>
Date: Fri, 18 Jun 2004 15:03:45 -0500

I think anomaly based engines are good when used in combination with
other security information such as signature based events.  Dragon is
not anomaly based, it is signature based with the capability of
detecting some protocol anomalies.

-----Original Message-----
From: Joe Dauncey [mailto:secdistlist () dauncey net] 
Sent: Friday, June 18, 2004 8:09 AM
To: focus-ids () securityfocus com
Subject: Anomaly Based Network IDS

Hi,

I am interested in views on anomaly-based Network IDS.

A colleague has proposed that we look at using one, but I am not sure
how advanced they are? If indeed any exist?

I know that at least Enterasys Dragon NIDS claims to be anomaly based.

I suppose my definition of anomaly based is that it discovers attacks
based on sampling and analysing the network traffic and identifying
anomalies on the norm, rather than relying on a specific external
signature to tell it what to look for.

I'm thinking that this would really have to be incredibly sophisticated
as it's going to vary for every network environment, and could
potentially generate a lot of false positives.

I'm especially interested in anything that would claim to be able to
detect a worm attack (and even prevent it) without knowing about it
already - i.e. through a signature.

I know that there have been a few Host-based IDS that make this claim,
but I'm looking for something that will look after a network
infrastructure, rather than a subset of specific systems.

Any thoughts or comments?

Thanks,
Joe

-- 

Joe Dauncey
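As an added illustration (not code from either poster or from any product named above) of the distinction Joe draws and the combination Joshua suggests: a per-host baseline of "distinct destinations contacted per minute" is learned from constructed flow records, a deviation rule flags a worm-like fan-out that no signature knows about, and a placeholder signature rule is used only to corroborate anomaly alerts. The host addresses, the port 1434 rule, the 3-sigma threshold and the `min_delta` floor are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (minute, src, dst, dst_port); not real traffic.
# Minutes 0-4 form the learning window. In minute 5, 10.0.0.7 fans out to 60
# new hosts on 445 (worm-like, unknown to any signature) and 10.0.0.11 sweeps
# 10 file servers (legitimate but unusual: the false-positive case Joe raises).
# 10.0.0.2 is a monitoring box that polls 40 hosts every minute, so its large
# fan-out is normal for *that* host and must not alert.
FLOWS = (
    [(m, "10.0.0.7", f"10.0.1.{d}", 80) for m in range(5) for d in range(1, 4)]
    + [(m, "10.0.0.2", f"10.0.3.{d}", 161) for m in range(6) for d in range(1, 41)]
    + [(m, "10.0.0.11", f"10.0.1.{d}", 445) for m in range(5) for d in range(1, 3)]
    + [(5, "10.0.0.7", f"10.0.2.{d}", 445) for d in range(1, 61)]
    + [(5, "10.0.0.11", f"10.0.1.{d}", 445) for d in range(1, 11)]
    + [(5, "10.0.0.7", "10.0.2.1", 1434)]  # the only flow a signature will match
)

KNOWN_BAD_PORTS = {1434}  # stand-in for a signature ruleset (assumption)

def fanout_per_minute(flows):
    """Per source host, count distinct destination hosts contacted in each minute."""
    seen = defaultdict(set)
    for minute, src, dst, _port in flows:
        seen[(src, minute)].add(dst)
    table = defaultdict(dict)
    for (src, minute), dsts in seen.items():
        table[src][minute] = len(dsts)
    return table

def anomaly_alerts(flows, learn_minutes=5, sigma=3.0, min_delta=5):
    """Flag (src, minute, count) where fan-out exceeds the host's own baseline.
    Threshold is mean + sigma*stdev, floored at mean + min_delta so a perfectly
    steady baseline (stdev 0) does not turn one extra connection into an alert."""
    table = fanout_per_minute(flows)
    alerts = []
    for src, per_min in table.items():
        base = [per_min.get(m, 0) for m in range(learn_minutes)]
        threshold = max(mean(base) + sigma * pstdev(base), mean(base) + min_delta)
        for minute, count in sorted(per_min.items()):
            if minute >= learn_minutes and count > threshold:
                alerts.append((src, minute, count))
    return alerts

def signature_alerts(flows):
    """Fires only on a pre-known pattern; the unknown worm traffic on 445 is invisible to it."""
    return {(src, minute) for minute, src, _dst, port in flows if port in KNOWN_BAD_PORTS}

def triage(flows):
    """Anomaly alerts annotated with whether a signature event corroborates them."""
    sigs = signature_alerts(flows)
    return [(src, m, n, (src, m) in sigs) for src, m, n in anomaly_alerts(flows)]
```

Running `triage(FLOWS)` yields two anomaly alerts, only one of them corroborated; the uncorroborated one is the legitimate sweep, which is exactly the false positive an anomaly-only engine would hand to an analyst.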


