IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 19 Mar 2009 19:47:57 +0100

Stuart Staniford wrote:

> The original example was artificial, but the issue is very real.

Stuart, we are deviating from the original issue.

> A common obfuscation technique in JavaScript (more common a year or
> two ago) is to have something like:
> [...]
> A simple string matching signature mechanism is useless here (you can
> alert on things like "eval(unescape(" and some IDS's do, but you will false
> positive like crazy as legitimate pages also use the idiom).

Really, you're pushing on an open door here. My whole research life has
been dedicated to anomaly detection, and I completely agree on simple
pattern matching being useless against such attacks and being far from
complete.

I just didn't agree on the specific example raised by Damiano, as I
don't see it happening anywhere in a real attack. Your example is much
more compelling (and you'll find similar ones in all of my
presentations, as well as Damiano's, I'm sure ;-)

SZ
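
The false-positive problem with the "eval(unescape(" signature discussed in this message, as an added example that is not part of the original post. The sample pages, the `example.org`/`example.invalid` hosts and the zero-sized-iframe heuristic are all constructed assumptions for illustration.

```javascript
// Constructed samples, not real traffic. enc() percent-encodes every character
// so the script body is opaque to string matching, as in the obfuscation idiom.
const enc = (s) =>
  [...s].map((c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const wrap = (js) => `<script>eval(unescape("${enc(js)}"))</script>`;

const SAMPLES = [
  { name: "contact-page", malicious: false,  // legitimate use: hide an address from scrapers
    html: wrap(`document.write('<a href="mailto:info@example.org">mail us</a>')`) },
  { name: "injected-page", malicious: true,  // constructed: hidden frame to a placeholder host
    html: wrap(`document.write('<iframe src="http://example.invalid/" width="0" height="0"></iframe>')`) },
  { name: "plain-page", malicious: false,
    html: `<script>var greeting = "hello";</script>` },
];

// Detector 1: the plain string signature discussed in the thread.
function signatureHit(html) {
  return html.includes("eval(unescape(");
}

// Statically undo one eval(unescape("...")) layer without executing anything.
function decodeLayers(html) {
  const re = /eval\(unescape\((["'])([^"']*)\1\)\)/g;
  return [...html.matchAll(re)].map((m) => unescape(m[2]));
}

// Detector 2 (illustrative heuristic, an assumption of this example):
// flag only if a decoded layer writes a zero-sized iframe.
function decodedHit(html) {
  const hiddenFrame = /<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b/i;
  return decodeLayers(html).some((js) => hiddenFrame.test(js));
}

// Confusion counts for a detector over the labelled samples.
function evaluate(samples, detector) {
  const out = { tp: 0, fp: 0, fn: 0, tn: 0 };
  for (const s of samples) {
    const hit = detector(s.html);
    if (hit && s.malicious) out.tp++;
    else if (hit && !s.malicious) out.fp++;
    else if (!hit && s.malicious) out.fn++;
    else out.tn++;
  }
  return out;
}

console.log("signature:", evaluate(SAMPLES, signatureHit));
console.log("decoded:  ", evaluate(SAMPLES, decodedHit));
```

The string signature fires on the benign contact page as well as the injected one; only inspecting the decoded layer separates them in this constructed set.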


