IDS mailing list archives
Re: Specification-based Anomaly Detection
From: David Barroso <dbarroso () s21sec com>
Date: Tue, 11 Jan 2005 10:52:43 +0100
* Stefano Zanero (zanero () elet polimi it) wrote:
[...]
>> 2. Correlation - another important aspect of application layer attacks is that they are not encapsulated in a single packet. Correlation enables us both to correlate different anomalies to generate more meaningful events and to follow longer-term attacks.
>
> Yes, but still not automatically - you just give the analyst more material to read ;)

But not the global information from the 'big' attack scenario. By only correlating the packets that go through the network we miss another important source of information: the logs. IMHO, anomaly detection should mix the data taken from the network and the data taken from the logs; combining both events would definitely decrease the amount of false positives and, of course, would help to detect any not-known attack.
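An added example (not code from the thread or any of its authors) of the network/log fusion argued for above: network anomaly alerts are joined with host log events by host and time window, so an alert with a corroborating log entry gains confidence, an uncorroborated one is demoted as a likely false positive, and a log anomaly with no network counterpart is still surfaced. Hosts, timestamps and messages are constructed sample data.

```python
"""Toy event correlator fusing network anomaly alerts with host/application logs.
Added example for the mailing-list discussion; all events below are constructed."""
from datetime import datetime, timedelta

# Constructed sample: alerts a packet-based anomaly detector might emit.
NET_ALERTS = [
    {"ts": "2005-01-11 10:00:05", "host": "web1", "msg": "unusual payload entropy on tcp/80"},
    {"ts": "2005-01-11 10:20:00", "host": "web2", "msg": "unusual payload entropy on tcp/80"},
]

# Constructed sample: host/application log lines, the second source the post argues for.
LOG_EVENTS = [
    {"ts": "2005-01-11 10:00:07", "host": "web1", "msg": "httpd: segfault in child process"},
    {"ts": "2005-01-11 10:35:00", "host": "db1", "msg": "sshd: new user 'svc' added to wheel"},
]


def parse_ts(ts):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(net_alerts, log_events, window=timedelta(seconds=30)):
    """Join both sources on host within +/- window and grade each finding.

    network alert + corroborating log -> 'high'   (both sources agree)
    network alert alone               -> 'low'    (likely false positive)
    log anomaly alone                 -> 'medium' (no network signature; review)
    """
    findings, matched_logs = [], set()
    for alert in net_alerts:
        t = parse_ts(alert["ts"])
        hits = [i for i, ev in enumerate(log_events)
                if ev["host"] == alert["host"] and abs(parse_ts(ev["ts"]) - t) <= window]
        matched_logs.update(hits)
        findings.append({"host": alert["host"],
                         "confidence": "high" if hits else "low",
                         "evidence": [alert["msg"]] + [log_events[i]["msg"] for i in hits]})
    for i, ev in enumerate(log_events):
        if i not in matched_logs:  # log-only anomaly: no packet-level counterpart
            findings.append({"host": ev["host"], "confidence": "medium",
                             "evidence": [ev["msg"]]})
    return findings


if __name__ == "__main__":
    for f in correlate(NET_ALERTS, LOG_EVENTS):
        print(f["host"], f["confidence"], "|", "; ".join(f["evidence"]))
```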
Current thread:
- Specification-based Anomaly Detection Roberto Perdisci (Jan 03)
- Re: Specification-based Anomaly Detection Ravi Kumar (Jan 04)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 08)
- <Possible follow-ups>
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 10)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
(Thread continues...)