IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: question about anomalies detection

From: Raj Malhotra <ral.mal () gmail com>
Date: Fri, 3 Sep 2004 11:43:24 +0530
Hi


1. To train the anomalies detection system, we must train the application
with the normal profile. My question is how we get the normal profile, are
they built by ourself or we try to get from our network dump data to be
set as normal profile or we use the prebuild data on the net(like the data
on the Lincoln Lab Data?)


You can do all the three. But i would like to do it as follows:
1) assume that traffic on my LAN is clean.
2) set-up a machine running tcpdump with "-w" option to keep logging
    what ever goes on the LAN.
3) use a linux box and run nmap with os finger printing option on some
target machines
    on the same LAN.
4) the tcpdump will have a mixture of normal traffic and scans for OS
finger printing

look for features that are unique to OS fingerprinting (read how nmap
works) and try to use
 k-nearest neighbour for classification.


2. Is there any paper about SPADE(Snort Plugin), I've googling for
sometimes but never found one.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: