IDS mailing list archives
Re: Current state of Anomaly-based Intrusion Detection
From: Jose Nazario <jose () monkey org>
Date: Mon, 28 Feb 2005 11:35:24 -0500 (EST)
there are several methods that can all be called anomaly detection techniques, you named only a statistical method. statistical based methods: you mentioned hardcoded threshold values (ie 200 MBps) and also learned average values for traffic. its a bit more complicated than that, and more fine grained with respect to services and endpoints, but you get the general idea. basically what you're doing is monitoring traffic rates, either in bulk or per service and/or endpoint, and alerting when some value is overshot, either once or for a sustained period of time. statistical methods rely on a strong baseline of traffic to accurately alert. characterization, such as "it's all TCP SYNs that are responsible for this upsurge in bandwidth usage", can also be performed. the second kind that i'll list here is specification based, and again you mentioned it briefly. this can include protocol specifications (ie "a valid SMTP greeting is no longer than NN bytes long"), such as what is done with some products. traffic is monitored, examined by the application or protocol that is in use, and the data is compared against a specification. if, in this example, an SMTP greeting longer than NN bytes is passed and alert is thrown. this requires detailed understanding of the network protocols and application protocols in use, their standards, and their implementations. not a trivial thing to do. the third kind would be relational, which is what a few companies are doing. in this scenario what you do is you examine inter-host relationships (ie "host A is an SMTP server to hosts B, C and D") and when that relationship is violated (ie "host A is suddenly a web server for host E") an alert is thrown. the fourth kind would be behavioral, where some metric of host or network behaviors is modeled and constantly examined. these behaviors can include an application's file usage, a hosts network usage, or the like. the examine i gave above for a specification based anomaly detection system can be hardcoded, as i discussed, or even learned, using a tool like PI to group the observations. this learning can be unsupervised (ie wholly trusted from the training period's observations) or supervised (where some editing of the observed data is done to ensure trustworthiness). and finally, this learning period can be a one time deal or continuous, allowing for dynamic network behaviors and the normal change over time. in this case, alerting can be done because the model was violated or some statistical confidence measure can come into play, as well (ie 3 observations, std deviation of 10%, but you overshot traffic rates by 12%, would you alert?). is this ready for prime time? sure, it's been in real-world use for years now. arbor networks' peakflow DoS and SP systems have been doing this for several years, using traffic rates over time to detect and characterize attacks. this system is a mix of learned or profiled traffic rates per service and network block endpoint as well as some informed decisions (ie SYN packet rates). and peakflow X is a relational based anomaly detection system that's been seeing real world deployments (see some recent news reports for example customers). i'd say it's been seeing real world deployments and success. arbor networks is one of several companies finding success in this field. AD systems are a significantly more complex and widely available system than you seem to have acknowledged. go digging around and you'll see there are some real systems out there seeing real use, protecting real networks. notes and links: PI: http://www.baselineresearch.net/PI/ ________ jose nazario, ph.d. jose () monkey org http://monkey.org/~jose/ http://infosecdaily.net/ -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Current state of Anomaly-based Intrusion Detection Göran Sandahl (Feb 28)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Chris Keladis (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection security.feeds (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Orit Vidas (Mar 09)
- <Possible follow-ups>
- RE: Current state of Anomaly-based Intrusion Detection Andrew Plato (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection SecurIT Informatique Inc. (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 02)
- Re: Current state of Anomaly-based Intrusion Detection Thomas Ptacek (Mar 06)