IDS mailing list archives
Re: anomaly IDS ideas ?
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 03 Feb 2006 21:39:38 +0100
the_aok () yahoo com wrote:
found little on that subject
There are hundreds of paper on that topic, I kindly advise that you search the usual engines a bit better :) What you are describing is a general and vague concept of a learning algorithm which tries to find outliers on network traffic. A nice concept, but you really should work out the details a bit more :)
anomalies happen(network data will be compared to the database built in the first stage),
How ? this is one of the deepest questions in unsupervised learning :)
1-information about each hostname,IP address,and MAC address.
This is something any tool for arpspoofing detection already does...
2-ports open on each host and ports that each host connects to.the IDS should issue an alert if the host opens a port which wasnt open before or tries to connect to a new port;
You should check Marcus Ranum ideas on this subject, and also the Arbor Networks products follow similar patterns. But this is really "old news" in research terms.
3-times each host uses the network and which usernames it uses to connect to network resources; this should enable the IDS to detect if someone else is using the computer or using a different username.
This is not an indication of an attack, actually. Best regards and good luck, Stefano Zanero ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- anomaly IDS ideas ? the_aok (Feb 02)
- Re: anomaly IDS ideas ? Simon Biles (Feb 06)
- Re: anomaly IDS ideas ? Christian G. Charette (Feb 07)
- Re: anomaly IDS ideas ? Stefano Zanero (Feb 07)