IDS mailing list archives
RE: Current state of Anomaly-based Intrusion Detection
From: "Orit Vidas" <orit () securimine com>
Date: Tue, 8 Mar 2005 11:15:09 -0800
Goran, I would like to refer you to an interesting white paper about 'Baseline Analysis of Security Data'. You can fine it in security docs. In a nutshell, the approach is that anomalies should not be identified at the raw data level, but should be searched for in the security alerts themselves. The reason is two folded: a) the raw data is simply too much to perform non-local analysis, and b) working with the raw data loses all the security context of the incident (signature description, how to and what to do advises, relevant patches, etc.). Orit Vidas orit () securimine com -----Original Message----- From: Göran Sandahl [mailto:goran () gsandahl net] Sent: Friday, February 25, 2005 4:05 PM To: focus-ids () lists securityfocus com Subject: Current state of Anomaly-based Intrusion Detection Hi all. I'm trying to get a picture of the current state of Anomaly-based network-monitoring-systems. In other words, Anomaly-based IDSs (are they really called ADSs?). After following the thread "Specification-based Anomaly Detection", I've realised that this question probably has allot of answers. However, I'd be very glad if you would take the time and write a couple of lines on what you think of the techniques that are used today, and whats needed for the future. I'm interested in "both sides of the story", so please tense your muscles and raise your voice ;) As i figured, there are two different techniques that these systems work upon. Either, they are based on specifications (for example, hardcoded 200kb/s SMTP-traffic is normal) , or on statistic (Based on an "average". For example, 20 current TCP-sessions is normal). How does these techniques really work? How are they implemented today? How is this statistical information usually gathered? Also, signature-based IDSs are vulnerable to false alerts of different kinds (postitive, negative etc). I can imagine that anomaly-based techniques might suffer even worse to this. True? And finally, while "reading through the lines" on some of the posts to the thread mentioned above, I got a feeling that this technique isn't yet ready for prime-time yet. Why is this? As I figure, the whole idea with network intrusion detection is pretty new, and none of the techniques seems to be without flaws. Thanks in advance Cheers Göran -- Göran Sandahl mail: goran () gsandahl net web: http://gsandahl.net ------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Current state of Anomaly-based Intrusion Detection Göran Sandahl (Feb 28)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Chris Keladis (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection security.feeds (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Orit Vidas (Mar 09)
- <Possible follow-ups>
- RE: Current state of Anomaly-based Intrusion Detection Andrew Plato (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection SecurIT Informatique Inc. (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 02)
- Re: Current state of Anomaly-based Intrusion Detection Thomas Ptacek (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 06)