IDS mailing list archives

Re: Specification-based Anomaly Detection


From: Dragos Ruiu <dr () kyx net>
Date: Sun, 23 Jan 2005 16:05:31 -0800

On January 19, 2005 08:43 pm, Adam Powers wrote:
I tend to agree that claiming something as "ground breaking" or
"revolutionary" is irritating beyond all belief.

Quantum leaps in the eye of a marketing person are rarely the paradigm
shifts (:-) they believe they are.

With all deference to Stefano and his research in the area, I haven't seen
any of the statistical anomaly methods produce any significant results yet.
Most sysadmins don't have much of an idea of what constitutes "normal"
traffic patterns on their nets and I have yet to see a formal mechanical
model that can do even less than that. That said, imho, the best statistical 
anomaly detection on the market is still a human brain and a little
quality time with tcpdump :). The price is right too :-).

Big claims are easy, but I'd like to see the vendors of this kind of stuff
back their hyperbole with some case studies outlining significant wins/kills,
before I get excited about any of these systems...

Once the merit is proven, _then_ we can start to look into the second
order stuff like training and noise attacks...

cheers,
--dr
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
