IDS mailing list archives
Re: Stateful Anomaly Detection Molding
From: "Drew Simonis" <simonis () myself com>
Date: Thu, 14 Oct 2004 08:38:03 -0500
I want to get the groups opinion on the viability of Stateful Anomaly Detection Molding.
I've not heard the term "Stateful Anomaly Detection" before, but I presume you are speaking of what I commonly call network profiling, or, more precisely, behavior based anomaly detection. That said...
With regards to IDS/IDP products which use S.A.D. as a detection engine, how easy/difficult is it to train the engine to allow malicious traffic. The idea is that these detection engines monitor traffic over a period of time and develop rule sets based on the given flow of traffic.
This question seems founded on the notion that there is One Way to do this sort of monitoring, and I don't think that is a true premise. Most of the research and actual implementations I've seen simply model a static view of the network and compare with that over time. This could not easily be "trained" to accept naughty behavior. Some do use a moving baseline of the network, and this could indeed, at least conceptually, be trained. The rapidity and effectiveness of the training would likely, however, be based on the statistical methods used to construct that baseline, and this is not likely to be by one common means.
What can the Blackhats of the world due to perpetuate rule set molding of Stateful Anomaly Detection engines to allow malicious traffic through without being detected? How reliable are S.A.D. engines in detecting unwanted traffic?
Two big questions. One would presume that an effective profiling system would detect even the smallest deviations from the norm, and an alert analyst would take action. So, unless there was some deviation allowance threshold, the attacker would have little room to maneuver. Thats really the whole point of profiling, isn't it? As to the reliability, this is too product specific to discuss generally, I suspect. -ds -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Stateful Anomaly Detection Molding Beauford, Jason (Oct 13)
- Re: Stateful Anomaly Detection Molding Thomas Ptacek (Oct 18)
- <Possible follow-ups>
- Re: Stateful Anomaly Detection Molding Drew Simonis (Oct 15)