IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Stateful Anomaly Detection Molding

From: "Drew Simonis" <simonis () myself com>
Date: Thu, 14 Oct 2004 08:38:03 -0500



I want to get the groups opinion on the viability of Stateful Anomaly
Detection Molding.



I've not heard the term "Stateful Anomaly Detection" before, but I presume
you are speaking of what I commonly call network profiling, or, more 
precisely, behavior based anomaly detection.  That said...


With regards to IDS/IDP products which use S.A.D. as a detection engine,
how easy/difficult is it to train the engine to allow malicious traffic.
The idea is that these detection engines monitor traffic over a period
of time and develop rule sets based on the given flow of traffic.


This question seems founded on the notion that there is One Way to do this
sort of monitoring, and I don't think that is a true premise.  Most of the
research and actual implementations I've seen simply model a static view
of the network and compare with that over time.  This could not easily be 
"trained" to accept naughty behavior.  Some do use a moving baseline of the 
network, and this could indeed, at least conceptually, be trained.  The
rapidity and effectiveness of the training would likely, however, be based 
on the statistical methods used to construct that baseline, and this is 
not likely to be by one common means.


What can the Blackhats of the world due to perpetuate rule set molding
of Stateful Anomaly Detection engines to allow malicious traffic through
without being detected?  How reliable are S.A.D. engines in detecting
unwanted traffic?


Two big questions.  One would presume that an effective profiling system
would detect even the smallest deviations from the norm, and an alert 
analyst would take action.  So, unless there was some deviation allowance
threshold, the attacker would have little room to maneuver.  Thats really
the whole point of profiling, isn't it?  As to the reliability, this is 
too product specific to discuss generally, I suspect.

-ds

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: