IDS mailing list archives

Re: Specification-based Anomaly Detection


From: David Barroso <dbarroso () s21sec com>
Date: Tue, 11 Jan 2005 10:52:43 +0100

* Stefano Zanero (zanero () elet polimi it) wrote:

> [...]
>
> > 2. Correlation - another important aspect of application layer attacks
> > is that they are not encapsulated in a single packet. Correlation
> > enables us to both correlate different anomalies to generate more
> > meaningful events and to follow longer term attacks.
>
> Yes, but still not automatically - you just give the analyst more
> material to read ;)

But not the global information from the 'big' attack scenario. By only correlating
the packets that go through the network we miss another important source of
information: the logs. IMHO, anomaly detection should mix the data taken from
the network and the data taken from the logs; combining both events would
definitely decrease the number of false positives, and of course, would help
to detect any unknown attack.
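An added example, not part of the thread, of the kind of network/log correlation described above: per-host network anomaly alerts are escalated only when a host log entry within the same time window corroborates them, and uncorroborated anomalies are left as low priority. The alerts, log lines and suspicious-term list are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample input (not taken from the thread): network-layer
# anomaly alerts and host log lines, both carrying a host and a timestamp.
NET_ALERTS = [
    {"ts": "2005-01-11T10:40:02", "host": "10.0.0.5", "desc": "unusual HTTP request length"},
    {"ts": "2005-01-11T10:41:15", "host": "10.0.0.5", "desc": "rare URI character distribution"},
    {"ts": "2005-01-11T10:50:30", "host": "10.0.0.9", "desc": "unusual HTTP request length"},
]
HOST_LOGS = [
    "2005-01-11T10:40:05 10.0.0.5 httpd: child pid 2231 exit signal Segmentation fault (11)",
    "2005-01-11T10:41:20 10.0.0.5 sshd: Accepted password for root from 192.0.2.7",
    "2005-01-11T10:50:31 10.0.0.9 httpd: GET /index.html 200",
]
# Log message fragments treated as corroborating evidence (illustrative list).
SUSPICIOUS_LOG_TERMS = ("Segmentation fault", "Accepted password for root", "core dumped")


def parse_ts(s):
    return datetime.fromisoformat(s)


def parse_log(line):
    # Format assumed for the constructed lines: "<iso-timestamp> <host> <message>"
    ts, host, msg = line.split(" ", 2)
    return {"ts": ts, "host": host, "msg": msg}


def correlate(net_alerts, host_logs, window=timedelta(seconds=60)):
    """Group network anomalies per host and look for suspicious host log
    entries within `window` of any of that host's alerts.  A host is escalated
    only when both sources agree; network-only anomalies are not returned."""
    logs = [parse_log(line) for line in host_logs]
    by_host = {}
    for alert in net_alerts:
        by_host.setdefault(alert["host"], []).append(alert)
    escalated = {}
    for host, alerts in by_host.items():
        evidence = [
            entry["msg"] for entry in logs
            if entry["host"] == host
            and any(abs(parse_ts(entry["ts"]) - parse_ts(a["ts"])) <= window for a in alerts)
            and any(term in entry["msg"] for term in SUSPICIOUS_LOG_TERMS)
        ]
        if evidence:
            escalated[host] = {"net_anomalies": [a["desc"] for a in alerts],
                               "log_evidence": evidence}
    return escalated
```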
