Re: anomaly IDS ideas ?

[Simon Biles <simon.biles () gmail com>]

Have a look at the SPADE ( Statistical Packet Anomaly Detection Engine
) project for Snort.

http://www.computersecurityonline.com/spade/

:-)

Si

On 1 Feb 2006 19:41:16 -0000, the_aok () yahoo com <the_aok () yahoo com> wrote:
> hello,
> im a computer science student and i have to do my graduation project
> next
> semester, i want to do it on anomaly IDS's. i have searched the
> internet and
> found little on that subject,here are my ideas on how to implement a
> network
> anomaly IDS,please correct me where im wrong or if u have any other
> references or ideas i would be happy to hear from you:
> the IDS will have 2 stages;first it will study the network traffic and
> build
> some kind of a database that keeps what should be marked as 'safe' and
> after
> collecting enough information it should start running and issue alerts
> when
> anomalies happen(network data will be compared to the database built in
> the
> first stage),this is the data im going to collect:
> 1-information about each hostname,IP address,and MAC address.(i think
> this
> should stop ARP Poisoning attacks by comparing later traffic to the
> database
> of MAC addresses associated with IP addresses)
> 2-ports open on each host and ports that each host connects to.the IDS
> should issue an alert if the host opens a port which wasnt open before
> or
> tries to connect to a new port; with this i think that exploits that
> use
> bind or connectback shellcode should be stopped.
> 3-times each host uses the network and which usernames it uses to
> connect to
> network resources; this should enable the IDS to detect if someone else
> is
> using the computer or using a different username.
>
> this is it :) i know that this is not near enough and that is why im
> sending
> this email, for example if someone uses an upload/exec shellcode in an
> exploit i dont think that the IDS will detect it, or if a trojan
> connects to
> a common port(for example port 80) the IDS won't notice it.
> another thing i want is to minimize false positives,which is an
> important
> thing.the main aim of the IDS will be to stop 0day attacks from
> happening,
> so if anyone has any ideas or any references i would really appreciate
> it.
> thank you,
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------


--
Simon Biles
CISSP, OPSA, BS7799 Lead Auditor, MBCS

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------