IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Specification-based Anomaly Detection

From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 12 Jan 2006 21:23:12 +0100
Dragos Ruiu wrote:


With all deferences to Stefano and his recearch in the area, I haven't seen
any of the statistical anomaly methods produce any significant results yet.


And this is exactly why it's good to do research on this. Thanks for the
mention *bows* :)


Most sysadmins don't have much of an idea of what constitutes "normal"
traffic patterns on their nets and I have yet to see a formal mechanical
model that can do even less than that. 


Well, actually the whole idea of an anomaly detection system is to learn
what is normal so that you don't have to define that. I don't know if
you've attended CanSecWest 04 :) but in my speech I stressed this point
a lot. An anomaly detection system which asks as an input the
description of normality is bound to fail.


That said, imho, the best statistical 
anomaly detection on the market is still a human brain and a little
quality time with tcpdump :). The price is right too :-).


No discussions on this :) But a good anomaly detector would give you an
heads-up on what to monitor. That's the direction of my research, at least.

As for Adam. It's not really true that being a "for profit" company
makes it impossible for you to publish your research (ask IBM for
details). Sure, if your research is just little more than R&D then it's
obviously secret. But since "small scale R&D" is not enough to solve the
problem of anomaly detection, I have to suppose yours is some kind of
breakthrough.

Breakthroughs can be published, they've always been. As a rule, if
there's no research track behind the claims of a vendor, I tend to
highly doubt on any claim of "enormous innovation" in their marketing
brochures.

Regards,
Stefano Zanero

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: