IDS mailing list archives

Specification-based Anomaly Detection


From: Roberto Perdisci <roberto.perdisci () gmail com>
Date: Mon, 3 Jan 2005 18:59:11 +0100

Hi all,
does anyone know some IDS/IPS products implementing Protocol Anomaly
Detection at the application level? I mean a product which implements
some techniques, e.g. Finite State Automaton, to find out anomalies
during a client-server command/response session (e.g. FTP, HTTP, SMTP,
etc...). The FSA, or conceptually equivalent models, should be
implemented following the protocol specifications (RFC) and it would
be able to monitor the client-server session checking for anomalies
in command/response sequences through monitoring anomaly transitions
between states.
I know Symantec IPS/IDS products implement some of those techniques, is it true?

I'm particularly interested in white papers or (even better)
scientific papers explaining concepts and/or algorithms.

thank you
roberto
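
Added example, not part of the original post and not any vendor's implementation: a minimal finite state automaton over SMTP command/response pairs that reports transitions absent from the model. The state names, the simplified transition table, the `<BODY>` token and both sample sessions are assumptions constructed for illustration.

```python
# Simplified SMTP client-command model (assumed, loosely after the RFC ordering).
# (state, command) -> next state once the server accepts the command.
TRANSITIONS = {
    ("START", "HELO"): "GREETED",
    ("START", "EHLO"): "GREETED",
    ("GREETED", "MAIL"): "MAIL",
    ("MAIL", "RCPT"): "RCPT",
    ("RCPT", "RCPT"): "RCPT",
    ("RCPT", "DATA"): "DATA",
    ("DATA", "<BODY>"): "GREETED",   # "<BODY>" stands for the message text
}
ANYTIME = {"NOOP", "RSET", "QUIT"}   # allowed in every state except DATA/CLOSED


def step(state, command, reply):
    """Return (next_state, is_anomaly) for one command/response pair."""
    accepted = reply[:1] in ("2", "3")          # 2xx/3xx: server took the command
    if command in ANYTIME and state not in ("DATA", "CLOSED"):
        if accepted and command == "QUIT":
            return "CLOSED", False
        if accepted and command == "RSET" and state != "START":
            return "GREETED", False
        return state, False
    nxt = TRANSITIONS.get((state, command))
    if nxt is None:
        return state, True                      # edge missing from the model
    return (nxt if accepted else state), False


def check_session(events):
    """Return [(index, state, command)] for every out-of-model transition."""
    state, anomalies = "START", []
    for index, (command, reply) in enumerate(events):
        state, bad = step(state, command.upper(), reply)
        if bad:
            anomalies.append((index, state, command))
    return anomalies


# Constructed sessions: (client command, server reply code).
NORMAL = [("EHLO", "250"), ("MAIL", "250"), ("RCPT", "250"), ("RCPT", "550"),
          ("DATA", "354"), ("<BODY>", "250"), ("QUIT", "221")]
ODD = [("MAIL", "250"), ("EHLO", "250"), ("DATA", "354"), ("QUIT", "221")]

if __name__ == "__main__":
    print(check_session(NORMAL))
    print(check_session(ODD))
```

The monitor keeps its own state even when the server accepts an out-of-order command, so a permissive server does not hide the anomaly.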
