IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Specification-based Anomaly Detection

From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 07 Jan 2005 17:05:52 +0100
Thomas Ptacek wrote:
What makes you think that information about supposed RFC violations on your network will be actionable?
This is an extremely good question: is anomaly detection of any sort trustable enough for intrusion prevention purpose ?
Most people don't find information about supposed malicious traffic to be genuinely actionable.
Or informative. Unless you have a very specific packet trace and a Tom Ptacek-like guy to read it :)
I'm not aware of any evidence, not even anecdotal, of new vulnerabilities being discovered by anomaly detection systems of any stripe.
Here I disagree with Tom. I'd say that anomaly detection systems are not widely deployed in the wild, so we have no data on their ability to strengthen corporate defenses. The only widely tested anomaly detection tools are statistical, rate-base... in which case I certainly agree with Tom.
I also agree with Tom that there's still a long road ahead before having good anomaly detectors. The fact that two people involved in researching (me) and selling (Tom :-))) anomaly-based technologies are so careful in what we think our beloved creations can do, should warn you. 

This is not technology ready for prime time.


Replacing signature IDS is not one of those things.


Absolutely, what would be the use ?

Best,
Stefano Zanero

Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: