IDS mailing list archives

Re: normal behaviour definition

From: Sanjay Rawat <sanjayr () intoto com>
Date: Fri, 07 Oct 2005 11:30:24 +0530

There are two ways to get normal behavior:

1. you make sure that while capturing the data, no attack is beinglaunched. this is rather a costly assumption, as you need to ensure aclosed environment (like DARPA or some other data sets, available on NET).2. It is assumed that normal to abnormal ratio is 100:5 (+-2) ( see thework of Eskin, university of Columbia). therefore, if we see this data fromstatistical point of view, abnormal data should be seen as outlier. inother words, if you apply some statistical (or other DM/ML) techniques, youshould be able to filter outliers, thus abnormal traffic.


I hope it will give some insight.
Sanjay

At 11:41 AM 10/6/2005, Nakul Aggarwal wrote:

Hi everyone,
I am working on a project of behavioral anomaly detection. In some of
the papers I read, authors talk about the difficulty of accurate
definition of "normal" behavior but after that they either use
standard data sets(MIT ones or KDD) or just say "first normal behavior
was learnt and and then evaluations are performed."

But how normal behavior was defined/learnt, that no-one tells. Can
someone throw some light on this?

Thanking You
regards
Nakul Aggarwal

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

------------------------------------------------------------------------

Current thread:

normal behaviour definition Nakul Aggarwal (Oct 06)
- Message not available
  - Re: normal behaviour definition Sanjay Rawat (Oct 07)
    - Re: normal behaviour definition Nakul Aggarwal (Oct 07)