Re: Snort with an expert system

[Stefano Zanero <s.zanero () securenetwork it>]

Tomas Olsson wrote:
> Stefan,
> I appreciate your feedback. I am aware that the DARPA dataset is not
> looked upon with favor in the security community, so I can understand
> that that using it is not enough. But, how would I convince you? By
> applying the method on real data and letting a security professional
> tell me if it is performing OK?

Usually, extraordinary claims need extraordinary proof. If there was any
reason to believe that clustering data in the way you describe would
lead to spotting false positives (which, in the case of Snort, would
rather be noncontextual alerts which you do not care about), testing it
over IDEVAL may be sufficient.

Since there is no reason why this should work, you need much more
convincing experiments to show that it actually does. And it's not just
a matter of the dataset, it's also a matter of what you define as a
false positive: in fact, the term "false positive" has a different
meaning for misuse detectors and anomaly detectors.

Best,
Stefano

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194