IDS mailing list archives

Re: Specification-based Anomaly Detection

From: Stefano Zanero <zanero () elet polimi it>
Date: Tue, 11 Jan 2005 10:28:31 +0100

Kohlenberg, Toby wrote:

Stefano, could you expand on which part you agree with? I'm really
confused to think that you would agree that anomaly detection would
be new to IDS.


I would agree that:

- anomaly detection is needed as a complementary approach to misusedetection because of the inherent limits of the latter- and that anomaly detection (in particular techniques which are notrate-based) is a relative "newcomer" in the COMMERCIAL field ofintrusion detection, where most of the products are built on a misusedetection approach.

is zero day

Or highly polimorph attacks, yes.

Or custom-written attacks


Absolutely correct !

Really? What about apps that all tunnel over a single port?


That would be a problem even if you work at application layer ;)

Please note that Ofer was not advocating HOST-based intrusion detectionbut NETWORK-based approaches working at layer 7

Are you getting the application that IANA says runs on that port or
are you getting SAP using telnet on some random port or Cisco using
HTTP on yet another random port?


That's something that the algorithm we have developed can recognize ;)

This is basic misuse detection, it does not mean you can deliver anactionable anomaly detection result.
No, but it does give you a much better chance of finding "actionable"
(or ignorable)

Yes, but since we are discussing wether or not ANOMALY detection is"actionable" (I'm not a native speaker but this word sounds horrible tome :) this objection is not relevant. Or better, it says exactly whatTom and I were saying: anomaly detection is not, and this is adisadvantage wrt misuse detection.


Best,
Stefano

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

Current thread:

Specification-based Anomaly Detection Roberto Perdisci (Jan 03)
- Re: Specification-based Anomaly Detection Ravi Kumar (Jan 04)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 08)
- <Possible follow-ups>
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 10)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
    - Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
  - Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
  - Re: Specification-based Anomaly Detection Adam Powers (Jan 23)

(Thread continues...)