Re: IPS comparison

[Frank Knobbe <frank () knobbe us>]

On Thu, 2005-09-08 at 11:06 +0530, Sanjay Rawat wrote:
> the points which you raised are correct, but this is the underline 
> assumption that you have CLEAN attack-free data to train your anomaly IDS. 
> in the example, which you put, you need to ensure that your new host
is not 
> compromised. 

Well of course. I would hope that you can control your environment
enough so that you have an attack-free "window" where you can define, or
let it learn, the profile of "known good" traffic.

> Also, from time to time, you need to update the learning by 
> putting your  IDS in learning/training mode. In fact, such things are main 
> barriers in deploying anomaly based IDS.

I disagree with that. If you retrain your anomaly based IDS on a
periodic bases, you will pollute your "known good" profile. Instead, I'd
suggest you retrain it whenever you made infrastructure changes and have
expected traffic present that deviate from the "normal" profile. Then
the IDS will adjust to the "new normal" traffic flow. 

If you don't make any changes to the environment, I would not retrain
the IDS. So your "from time to time" action should be trigger by known
events (known host/traffic changes) and not blindly on a periodic
basis. 

Cheers,
Frank




-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.

Attachment: signature.asc
Description: This is a digitally signed message part