IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 12 Jan 2006 21:23:12 +0100
Dragos Ruiu wrote:
With all deferences to Stefano and his recearch in the area, I haven't seen any of the statistical anomaly methods produce any significant results yet.
And this is exactly why it's good to do research on this. Thanks for the mention *bows* :)
Most sysadmins don't have much of an idea of what constitutes "normal" traffic patterns on their nets and I have yet to see a formal mechanical model that can do even less than that.
Well, actually the whole idea of an anomaly detection system is to learn what is normal so that you don't have to define that. I don't know if you've attended CanSecWest 04 :) but in my speech I stressed this point a lot. An anomaly detection system which asks as an input the description of normality is bound to fail.
That said, imho, the best statistical anomaly detection on the market is still a human brain and a little quality time with tcpdump :). The price is right too :-).
No discussions on this :) But a good anomaly detector would give you an heads-up on what to monitor. That's the direction of my research, at least. As for Adam. It's not really true that being a "for profit" company makes it impossible for you to publish your research (ask IBM for details). Sure, if your research is just little more than R&D then it's obviously secret. But since "small scale R&D" is not enough to solve the problem of anomaly detection, I have to suppose yours is some kind of breakthrough. Breakthroughs can be published, they've always been. As a rule, if there's no research track behind the claims of a vendor, I tend to highly doubt on any claim of "enormous innovation" in their marketing brochures. Regards, Stefano Zanero ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 16)