IDS mailing list archives

Re: amount of alarms generated by IDS


From: nick black <dank () suburbanjihad net>
Date: Tue, 25 May 2004 05:39:45 +0000 (UTC)

On 2004-05-22, Stefano Zanero <stefano.zanero () ieee org> wrote:
The thing that amazes me is the total lack of detail about how "normal" 
and "not normal" patterns of usage are defined and detected.
I can understand that the exact details of the implementation are a 
trade secret, but being actively involved in research on anomaly 
detection topics, I'd like to hear some details from vendors on these 
technologies, at least identifying in general terms the class of 
algorithms they are using.

Absolutely!  I would argue that a vendor refusing to share some depth
regarding these matters isn't worth buying from, especially given the
prices we're talking about.  For that same reason, we've maintained a
purely open-source underbase throughout development -- trust in the
components essential to our ambitions requires some translucence.

I can't speak for our official, current sales practices (or competitors'
at any time), but I have been called in to discuss methodologies with
several customers.  I'm surprised when this diligence is omitted, not to
say I'm unhappy left alone to merrily code :).

-- 
nick black <dank () reflexsecurity com>
"np:  nondeterministic polynomial-time
the class of dashed hopes and idle dreams." - the complexity zoo
