Re: Snort with an expert system

[Tomas Olsson <tol () sics se>]

Stefano, 

According to this book about Snort 
(http://www.amazon.com/Snort-Toolkit-Beales-Source-Security/dp/1597490997):

"A false positive is an alert that triggers on normal traffic where no 
intrusion or attack is underway"

That is how we used the term in the paper. Is that not how it is used 
with an anomaly detector with respect to the use as an intrusion detector?

In addition, I don't understand why there would be no reason that this 
algorithm would work. Could you explain? The algorithm is developed by 
experts in Bayesian statistics and has been applied in other fields as well.

But I agree, we have to show that this algorithm works with more 
experiments.

If somebody would be willing to let us test the algorithm on real data, 
we would be very happy... :)

/Tomas

Stefano Zanero wrote:
> Usually, extraordinary claims need extraordinary proof. If there was any
> reason to believe that clustering data in the way you describe would
> lead to spotting false positives (which, in the case of Snort, would
> rather be noncontextual alerts which you do not care about), testing it
> over IDEVAL may be sufficient.
>
> Since there is no reason why this should work, you need much more
> convincing experiments to show that it actually does. And it's not just
> a matter of the dataset, it's also a matter of what you define as a
> false positive: in fact, the term "false positive" has a different
> meaning for misuse detectors and anomaly detectors.
>
> Best,
> Stefano
>   


-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate 
on your web server, you can securely collect sensitive information online, and increase business by giving your 
customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194