IDS mailing list archives

anomaly IDS ideas ?

From: the_aok () yahoo com
Date: 1 Feb 2006 19:41:16 -0000

hello,
im a computer science student and i have to do my graduation project 
next 
semester, i want to do it on anomaly IDS's. i have searched the 
internet and 
found little on that subject,here are my ideas on how to implement a 
network 
anomaly IDS,please correct me where im wrong or if u have any other 
references or ideas i would be happy to hear from you:
the IDS will have 2 stages;first it will study the network traffic and 
build 
some kind of a database that keeps what should be marked as 'safe' and 
after 
collecting enough information it should start running and issue alerts 
when 
anomalies happen(network data will be compared to the database built in 
the 
first stage),this is the data im going to collect:
1-information about each hostname,IP address,and MAC address.(i think 
this 
should stop ARP Poisoning attacks by comparing later traffic to the 
database 
of MAC addresses associated with IP addresses)
2-ports open on each host and ports that each host connects to.the IDS 
should issue an alert if the host opens a port which wasnt open before 
or 
tries to connect to a new port; with this i think that exploits that 
use 
bind or connectback shellcode should be stopped.
3-times each host uses the network and which usernames it uses to 
connect to 
network resources; this should enable the IDS to detect if someone else 
is 
using the computer or using a different username.

this is it :) i know that this is not near enough and that is why im 
sending 
this email, for example if someone uses an upload/exec shellcode in an 
exploit i dont think that the IDS will detect it, or if a trojan 
connects to 
a common port(for example port 80) the IDS won't notice it.
another thing i want is to minimize false positives,which is an 
important 
thing.the main aim of the IDS will be to stop 0day attacks from 
happening, 
so if anyone has any ideas or any references i would really appreciate 
it.
thank you,


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

anomaly IDS ideas ? the_aok (Feb 02)
- Re: anomaly IDS ideas ? Simon Biles (Feb 06)
- Re: anomaly IDS ideas ? Christian G. Charette (Feb 07)
- Re: anomaly IDS ideas ? Stefano Zanero (Feb 07)