IDS mailing list archives
Re: Snort with an expert system
From: Tomas Olsson <tol () sics se>
Date: Thu, 25 Jun 2009 13:25:03 +0200
My comments are in the text below.

Stefano Zanero wrote:

>> "A false positive is an alert that triggers on normal traffic where no intrusion or attack is underway"
>
> That's a good definition, but not really complete. Under that definition, if you place a rule that flags IRC connections, and it fires, is that a false positive?

Well, then you do not use Snort as an automated intrusion detector but as a generic log monitor. No problem with that, but I would say it is a false positive if the IRC connection is not considered an intrusion.

> Is it a false positive in a case where there is no rule, or the traffic does not match the rule, and the engine still fires?

This does not fit with the above definition, since the alert must be triggered by the traffic.

> Is it a false positive in a case where a rule correctly matches, but the user didn't want to be alerted to that traffic?

Yes, if there was no attack or intrusion triggering the alert. But why would the user not want to be alerted if it is a real intrusion?

With respect to using the alerts as input to our algorithm, none of these objections are important. We just use the types of alerts as sensor data that we want to analyze, to see when the frequency of each type of alert diverges from what has previously been observed.

>> In addition, I don't understand why there would be no reason that this algorithm would work. Could you explain? The algorithm is developed by experts in Bayesian statistics and has been applied in other fields as well.
>
> The algorithm type has apparently no relevance to the problem. Why should a false positive be statistically different, in the sense you are considering, from a true positive?

Well, there is nothing that says that there must be any difference between a false and a true alert. However, assume that there is legitimate traffic that triggers false alerts on a regular basis. With our algorithm, we learn to recognize the frequency pattern of these alerts. Later, suddenly there appears malicious traffic triggering true alerts, maybe for a more limited time. Then would not the frequency pattern of the generated alerts change in some way? We can detect that change, and also the collective change of different alert types that is not shown by a single alert type.
Kind regards
Tomas
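As an added illustration of the frequency-pattern idea Tomas describes above (this is not code from the thread, and it uses a plain KL-divergence score with Laplace smoothing rather than the Bayesian method he refers to), the script below learns the per-signature alert mix from earlier hours of Snort alert_fast lines and flags a later hour whose overall mix diverges from it. The alert lines, signature ids, hosts and counts are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict
# Prefix of a Snort alert_fast line: timestamp, then [gid:sid:rev]; the hour is the window.
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]")

def _lines(hour, sig, n):
    """Constructed sample alert lines (not real traffic): n copies for one hour."""
    return [f"06/25-{hour:02d}:00:00.000000  [**] [1:{sig}:1] constructed [**] {{TCP}} 10.0.0.5:1234 -> 10.0.0.9:80" for _ in range(n)]

# Three hours of a stable mix of two noisy signatures, then an hour in which a
# previously unseen signature bursts while the old ones keep their usual rate.
SAMPLE_ALERTS = (
    _lines(10, 1000001, 40) + _lines(10, 1000002, 10)
    + _lines(11, 1000001, 42) + _lines(11, 1000002, 9)
    + _lines(12, 1000001, 38) + _lines(12, 1000002, 11)
    + _lines(13, 1000001, 40) + _lines(13, 1000002, 10) + _lines(13, 1000003, 30)
)

def hourly_counts(lines):
    """Count alerts per (hour, signature id) from alert_fast lines."""
    counts = defaultdict(Counter)
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            counts[m.group(1)][m.group(2)] += 1
    return counts

def divergence(baseline, window):
    """KL divergence of one window's alert-type mix from the baseline mix.
    Laplace (+1) smoothing keeps a signature unseen in the baseline from dividing by zero."""
    sigs = set(baseline) | set(window)
    b_total = sum(baseline.values()) + len(sigs)
    w_total = sum(window.values()) + len(sigs)
    score = 0.0
    for sig in sigs:
        p = (window[sig] + 1) / w_total
        q = (baseline[sig] + 1) / b_total
        score += p * math.log(p / q)
    return score

def flag_windows(lines, threshold):
    """Learn the mix from all earlier hours; flag an hour whose whole mix diverges by more than threshold."""
    counts = hourly_counts(lines)
    baseline, flagged = Counter(), []
    for hour in sorted(counts):
        if baseline and divergence(baseline, counts[hour]) > threshold:
            flagged.append(hour)
        baseline.update(counts[hour])
    return flagged
```

Because the score is computed over the whole mix, the flagged hour scores high even though the two established signatures fire at their normal rate, which is the collective change Tomas mentions.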