IDS mailing list archives

Re: IPS comparison


From: Stefano Zanero <s.zanero () securenetwork it>
Date: Tue, 30 Aug 2005 09:58:32 +0200

Sanjay Rawat wrote:
Hi Stefano:
I got confused over one comment made by you: "First hint of the day: if
there is a regexp there, it's NOT anomaly
detection." Why is it so? I can use association or frequent episode
rules to capture normal behavior (you know this), and I can use regexp
to represent such rules. 

Let me rephrase my comment then:

"If there is a GIVEN SET of regexp there, it's not anomaly detection"

If you create an induction algorithm for GENERATING a set of rules
describing normal behavior, you are creating an anomaly detection
system; if you instead give your customer a predefined set of rules to
match his traffic against, you cannot be far away from simple "protocol
anomaly detection" systems.

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
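To make the distinction concrete, here is an added example (not from the thread or from either poster): the regexps below are not given in advance but are induced from a constructed sample of normal HTTP query parameters, and anything the learned set does not describe is flagged. A shipped, fixed regexp list would skip the training step entirely, which is the point Stefano makes.

```python
import re
from collections import defaultdict

# Constructed training sample of "normal" (parameter, value) pairs (assumption).
NORMAL = [
    ("id", "1042"), ("id", "7"), ("id", "99813"),
    ("user", "alice"), ("user", "bob_smith"), ("user", "carol99"),
    ("page", "home"), ("page", "about"),
]

def generalize(value: str) -> str:
    """Induce one regexp from one value: each run of characters becomes
    a quantified character class, so '1042' -> r'\d+' and
    'bob_smith' -> '[a-zA-Z]+_+[a-zA-Z]+'."""
    classes = []
    for ch in value:
        if ch.isdigit():
            c = r"\d"
        elif ch.isalpha():
            c = "[a-zA-Z]"
        else:
            c = re.escape(ch)
        if classes and classes[-1] == c:
            continue  # collapse a run into one class
        classes.append(c)
    return "".join(f"{c}+" for c in classes)

def train(samples):
    """Induction step: build the rule set (patterns + length bound) per parameter
    from observed normal traffic. The rules are the OUTPUT, not an input."""
    model = defaultdict(lambda: {"patterns": set(), "max_len": 0})
    for name, value in samples:
        entry = model[name]
        entry["patterns"].add(generalize(value))
        entry["max_len"] = max(entry["max_len"], len(value))
    return {k: (tuple(sorted(v["patterns"])), v["max_len"]) for k, v in model.items()}

def is_anomalous(model, name: str, value: str) -> bool:
    """Flag a parameter never seen in training, a value far longer than any
    seen, or a value matching none of the induced patterns."""
    if name not in model:
        return True
    patterns, max_len = model[name]
    if len(value) > 2 * max_len:
        return True
    return not any(re.fullmatch(p, value) for p in patterns)

if __name__ == "__main__":
    m = train(NORMAL)
    for name, value in [("id", "5531"), ("id", "1042abc"), ("debug", "1")]:
        print(name, value, "ANOMALY" if is_anomalous(m, name, value) else "ok")
```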
