IDS mailing list archives
RE: Specification-based Anomaly Detection
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 13 Jan 2005 01:11:12 -0800
-----Original Message-----
From: Stefano Zanero [mailto:zanero () elet polimi it]
Sent: Tuesday, January 11, 2005 1:29 AM
To: Kohlenberg, Toby
Cc: Ofer Shezaf; focus-ids () lists securityfocus com
Subject: Re: Specification-based Anomaly Detection

> Kohlenberg, Toby wrote:
> > Stefano, could you expand on which part you agree with? I'm really
> > confused to think that you would agree that anomaly detection would be
> > new to IDS.
>
> I would agree that:
>
> - anomaly detection is needed as a complementary approach to misuse
>   detection because of the inherent limits of the latter

Okay, that makes sense and I think most would agree with it.

> - and that anomaly detection (in particular techniques which are not
>   rate-based) is a relative "newcomer" in the COMMERCIAL field of
>   intrusion detection, where most of the products are built on a misuse
>   detection approach.

Really? What would you call CMDS? Which was a commercial system that used anomaly detection by building user profiles and was available from ODS in the mid-90s? Here's the announcement of the 4.0 release from 1999:
http://www.intrusion.com/about/news/releases/1999/011999.pdf
As I recall, it was originally developed by SAIC in the early 90s. I'd say it's been around for quite a while.

> > Really? What about apps that all tunnel over a single port?
>
> That would be a problem even if you work at application layer ;)

Why?

> Please note that Ofer was not advocating HOST-based intrusion detection
> but NETWORK-based approaches working at layer 7

Right, I got that. But so long as you aren't encrypting the traffic, I can dissect it. I won't always get the fragmentation right but I can probably figure out the application if I look.

> > Are you getting the application that IANA says runs on that port or
> > are you getting SAP using telnet on some random port or Cisco using
> > HTTP on yet another random port?
>
> That's something that the algorithm we have developed can recognize ;)

Yes, but not by looking at IP/port pairs. You'll need more detail than that.

> > No, but it does give you a much better chance of finding "actionable"
> > (or ignorable)
>
> Yes, but since we are discussing whether or not ANOMALY detection is
> "actionable" (I'm not a native speaker but this word sounds horrible to
> me :) this objection is not relevant. Or better, it says exactly what Tom
> and I were saying: anomaly detection is not, and this is a disadvantage
> wrt misuse detection.

(you're right that word is horrible, but I've seen native speakers do worse. I have to work with some of them... :) )

Actually, I'd say that anomaly detection is completely actionable in limited situations where the existence of an anomaly is enough of an issue that it raises a concern. Don't throw the baby out with the bathwater. Anomaly detection has real issues but it is just as useful for taking action as misuse detection when you use it wisely.

t

> Best,
> Stefano
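The exchange above turns on whether a layer-7 sensor can name the application without trusting the IANA port assignment. The following is an added illustration, not code from the thread or from either participant's work: a minimal classifier that identifies HTTP and telnet from the first bytes of an unencrypted TCP payload and reports when that disagrees with the port-based guess. The port table and payload samples are constructed for the demo.

```python
"""Port-independent application identification (added illustration)."""
import re

# Constructed subset of IANA port assignments (assumption for the demo).
IANA_PORTS = {23: "telnet", 80: "http", 443: "https", 3200: "sap"}

# Payload signatures: HTTP request line, and telnet IAC option negotiation.
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
TELNET_IAC = 0xFF
TELNET_NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT


def identify_by_port(dst_port: int) -> str:
    """Naive approach: trust the registry for the destination port."""
    return IANA_PORTS.get(dst_port, "unknown")


def identify_by_payload(payload: bytes) -> str:
    """Content-based approach: look at the bytes, not the port."""
    if HTTP_RE.match(payload):
        return "http"
    if len(payload) >= 3 and payload[0] == TELNET_IAC and payload[1] in TELNET_NEGOTIATE:
        return "telnet"
    return "unknown"


def classify(dst_port: int, payload: bytes) -> dict:
    """Return both answers so an analyst can see where they disagree."""
    by_port = identify_by_port(dst_port)
    by_payload = identify_by_payload(payload)
    return {"port": by_port, "payload": by_payload, "mismatch": by_port != by_payload}


# Constructed sample flows: HTTP on its usual port, HTTP on a non-standard
# port (a management UI, as in the thread), and telnet on a random port.
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    (8443, b"GET /login HTTP/1.0\r\n\r\n"),
    (31337, b"\xff\xfd\x18\xff\xfd\x20"),  # IAC DO TERMINAL-TYPE, IAC DO TSPEED
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify(port, data))
```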