IDS mailing list archives

Stateful Anomaly Detection Molding

From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 13 Oct 2004 10:41:45 -0400

I want to get the groups opinion on the viability of Stateful Anomaly
Detection Molding.

With regards to IDS/IDP products which use S.A.D. as a detection engine,
how easy/difficult is it to train the engine to allow malicious traffic.
The idea is that these detection engines monitor traffic over a period
of time and develop rule sets based on the given flow of traffic.

What can the Blackhats of the world due to perpetuate rule set molding
of Stateful Anomaly Detection engines to allow malicious traffic through
without being detected?  How reliable are S.A.D. engines in detecting
unwanted traffic?

Can anyone provide links to related whitepapers, software, etc . . .?

Any and all comments are greatly appreciated.


Kind Regards,

JMB

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

Stateful Anomaly Detection Molding Beauford, Jason (Oct 13)
- Re: Stateful Anomaly Detection Molding Thomas Ptacek (Oct 18)
- <Possible follow-ups>
- Re: Stateful Anomaly Detection Molding Drew Simonis (Oct 15)