IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Dragos Ruiu <dr () kyx net>
Date: Sun, 23 Jan 2005 16:05:31 -0800
On January 19, 2005 08:43 pm, Adam Powers wrote:
> I tend to agree that claiming something as "ground breaking" or "revolutionary" is irritating beyond all belief.
Quantum leaps in the eye of a marketing person are rarely the paradigm shifts (:-) they believe they are. With all deference to Stefano and his research in the area, I haven't seen any of the statistical anomaly methods produce any significant results yet. Most sysadmins don't have much of an idea of what constitutes "normal" traffic patterns on their nets and I have yet to see a formal mechanical model that can do even less than that.

That said, imho, the best statistical anomaly detection on the market is still a human brain and a little quality time with tcpdump :). The price is right too :-).

Big claims are easy, but I'd like to see the vendors of this kind of stuff back their hyperbole with some case studies outlining significant wins/kills, before I get excited about any of these systems... Once the merit is proven, _then_ we can start to look into the second order stuff like training and noise attacks...

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada May 4-6 2005 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
Current thread:
- RE: Specification-based Anomaly Detection, (continued)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- Re: Specification-based Anomaly Detection Dragos Ruiu (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection Drew Simonis (Jan 23)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 23)