Re: Specification-based Anomaly Detection

[Adam Powers <apowers () lancope com>]

I tend to agree that claming something as "ground breaking" or
"revolutionary" is irritating beyond all belief. Reminds me of every press
release from every technology vendor you'll ever read which almost always
starts with "Company X, the *leader* in product sector Y, today
announced..." even when they really aren't leading anything. Funny stuff.

Anyway, where you and I perhaps diverge is on the topic of actual
implementation. Sure, lots of people have "ideas". "Ideas" have been around
since the damn of mankind... The real winners are oft those that not only
have ideas, but also translate those ideas (or the ideas of others) into
working solutions.

As anomaly detection technologies go, few (if any) companies have actually
delivered on any of these age old "ideas". Those that have (Lancope, Arbor,
Q1Labs) perhaps shouldn't claim to be revolutionary but rather dramatically
evolutionary.

-Adam


On 1/18/05 6:21 PM, "Kohlenberg, Toby" <toby.kohlenberg () intel com> wrote:

> I don't see it as being fussy, I see it as being a clear and
> serious gap in the awareness of the history of intrusion detection.
> Whenever I talk to vendors or researchers (on any topic) I expect
> them to know at least as much about their product space as I do
> (I'm a generalist, if I know it, a specialist damn well better).
>
> I don't know about anyone else, but I'm sick of seeing ideas that
> have been around for 20 years touted as "ground breaking!" or
> "revolutionary!".
>
> t 
>
> > -----Original Message-----
> > From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
> > Sent: Monday, January 17, 2005 7:47 AM
> > To: Stefano Zanero; Kohlenberg, Toby
> > Cc: Ofer Shezaf; focus-ids () lists securityfocus com
> > Subject: RE: Specification-based Anomaly Detection
> >
> > Don't be so fussy! I agree with Stefano, the big IDS
> > trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just
> > started offering a little bit of real anomaly detection (using
> > AI instead of signatures!), even if we know that network
> > anomaly detection is almost 15 years old in the research
> > comunity (I think the first was NADIR (Network Anomaly
> > Detector and Intrusion Reporter, of Los Alamos National
> > Laboratory in 1990).
> >
> > __________________________________________________
> > MONDRAGON UNIBERTSITATEA
> > Urko Zurutuza
> > Dpto. Informática
> > Loramendi 4 - Aptdo.23
> > 20500 Arrasate-Modragon
> > Tel. +34 943 739636 // +34 943 794700 Ext.297
> > www.eps.mondragon.edu
> > uzurutuza () eps mondragon edu
> >
> >
> >
> > > -----Mensaje original-----
> > > De: Stefano Zanero [mailto:zanero () elet polimi it]
> > > Enviado el: jueves, 13 de enero de 2005 21:14
> > > Para: Kohlenberg, Toby
> > > CC: Ofer Shezaf; focus-ids () lists securityfocus com
> > > Asunto: Re: Specification-based Anomaly Detection
> > >
> > > Kohlenberg, Toby wrote:
> > >
> > > > > - and that anomaly detection (in particular techniques
> > which are not
> > > > > rate-based) is a relative "newcomer" in the COMMERCIAL field of
> > > > > intrusion detection, where most of the products are built
> > > on a misuse 
> > > > > detection approach.
> > > >
> > > > Really? What would you call CMDS? Which was a commercial
> > > system that 
> > > > used anomaly detection by building user profiles and was available
> > > > from ODS in the mid-90s?
> > >
> > > My omission here: I meant NETWORK intrusion detection, as we
> > > were talking about NIDS in those posts. Commercial anomaly
> > > detection systems exist.
> > >
> > > --
> > > Cordiali saluti,
> > > Stefano Zanero
> > > Dottorando di Ricerca / Ph.D. Student
> > >
> > > Politecnico di Milano - Dip. Elettronica e Informazione Via
> > > Ponzio, 34/5 I-20133 Milano - ITALY
> > > Tel.    +39 02 2399-3660
> > > Fax.    +39 02 2399-3411
> > > E-mail: zanero () elet polimi it
> > > Web:    www.elet.polimi.it/upload/zanero
> > >
> > > --------------------------------------------------------------
> > > ------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world
> > > attacks from CORE IMPACT.
> > > Go to 
> > > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > > to learn more.
> > > --------------------------------------------------------------
> > > ------------
> >
> > ---------------------------------------------------------------
> > -----------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to 
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ---------------------------------------------------------------
> > -----------
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------


-- 

Adam  Powers
Senior Security Engineer
Advanced  Technology Group
c. 678.725.1028
o. 770.225.6521
f. 770.225.6501
e. apowers () lancope com
AOL IM:  adampowers22

StealthWatch by Lancope - Security  through network intelligence



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------