IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Specification-based Anomaly Detection

From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Fri, 14 Jan 2005 13:32:13 -0800
 


-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com] 
Sent: Thursday, January 13, 2005 6:23 PM
To: Kohlenberg, Toby; Stefano Zanero; roberto.perdisci () gmail com
Cc: focus-ids () lists securityfocus com
Subject: RE: Specification-based Anomaly Detection



What exactly is your definition of "new-comer"? Seeing as anomaly
detection
has been discussed and studied for at least 15 years as far I know...


I stand corrected: only meant that commercial applications are
relatively new. Signature based IDS is here for the last decade I
believe, while I think that anomaly based techniques found their way to
products just in the last couple of years.


See other email about CMDS. Knowing about that should be basic reading
for anyone working on IDS development or research. Stefano said this
was focused on network IDS but I think the distinction is spurious.



I'm not sure I follow the argument about "perpetual zero day". It

sounds

like a problem of poor signature writing. Could you expand a little

more

on why this is a problem for signature-based approaches as opposed to
anomaly-based approaches?


It is definitely a problem of poor writing. Unfortunately 
there are tons
of poorly written code out there and more to come.


That doesn't make it a problem with the technology, just the
implementation.

t

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: