IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 07 Jan 2005 17:05:52 +0100
Thomas Ptacek wrote:
What makes you think that information about supposed RFC violations on your network will be actionable?
This is an extremely good question: is anomaly detection of any sort trustable enough for intrusion prevention purpose ?
Most people don't find information about supposed malicious traffic to be genuinely actionable.
Or informative. Unless you have a very specific packet trace and a Tom Ptacek-like guy to read it :)
I'm not aware of any evidence, not even anecdotal, of new vulnerabilities being discovered by anomaly detection systems of any stripe.
Here I disagree with Tom. I'd say that anomaly detection systems are not widely deployed in the wild, so we have no data on their ability to strengthen corporate defenses. The only widely tested anomaly detection tools are statistical, rate-base... in which case I certainly agree with Tom.
I also agree with Tom that there's still a long road ahead before having good anomaly detectors. The fact that two people involved in researching (me) and selling (Tom :-))) anomaly-based technologies are so careful in what we think our beloved creations can do, should warn you.
This is not technology ready for prime time.
Replacing signature IDS is not one of those things.
Absolutely, what would be the use ? Best, Stefano Zanero Politecnico di Milano - Dip. Elettronica e Informazione www.elet.polimi.it/upload/zanero -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Specification-based Anomaly Detection Roberto Perdisci (Jan 03)
- Re: Specification-based Anomaly Detection Ravi Kumar (Jan 04)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 08)
- <Possible follow-ups>
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 10)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
(Thread continues...)