
Re: anomaly vs signature

by Roland Dobbins



On Jul 31, 2006, at 8:58 PM, SanjayR wrote:

> Please read the first line as "Yes...it's true that there are more  
> misuse based ID systems than the anomaly based. "
> thanks
> At 11:02 AM 7/28/2006, SanjayR wrote:
>> Yes...it's true that there are more anomaly based ID systems than  
>> the misuse based. One possible reason may be the rate of FPs for  
>> anomaly based systems. If you look at the research perspective,  
>> there is a big gap between the research and commercial ID systems.  
>> Reason may be research is focusing on Machine learning, data mining

I can't agree with this statement - properly-implemented AD systems  
don't exhibit false positives at all, the key is whether or not one -
cares- about the anomalies one's seeing (and that's where tuning  
comes in).  My operational experience with commercial anomaly-
detection systems on production networks over the last 5 years is  
that they're extremely useful for SP and large enterprise opsec  
teams in terms of detecting/classifying/tracing back DoS attacks,  
worm outbreaks, and other forms of network behaviors which may not be  
deemed security risks in and of themselves, but which are interesting  
or of possible forensic value (i.e., user kicks off large ftp  
transfer to a server he's never accessed before, etc.), and I've  
never seen a false positive during that time.

There are several commercial AD systems (both statistical and  
behavioral) which are quite good; there's also an open-source project  
called Panoptis, but it's been inactive for a while.

----------------------------------------------------------------------
Roland Dobbins <rdobbins@...> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck
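Added illustration (not code from the thread or from any product mentioned in it): a minimal behavioral-baseline check over constructed flow records that flags the kind of event described above, a host sending a large transfer to a server it has never contacted, where the thresholds passed to `detect` are the tuning that decides which anomalies get reported. All addresses, ports and byte counts are made up.

```python
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, dst_port, bytes)

# Constructed "learning period" flows: normal, recurring src->dst pairs.
BASELINE_FLOWS: List[Flow] = [
    ("10.0.1.5", "10.0.9.10", 21, 2_000),
    ("10.0.1.5", "10.0.9.10", 21, 3_500),
    ("10.0.1.7", "10.0.9.11", 443, 90_000),
    ("10.0.1.7", "10.0.9.12", 21, 1_200),
]

# Constructed flows from a later interval, scored against the baseline.
NEW_FLOWS: List[Flow] = [
    ("10.0.1.5", "10.0.9.10", 21, 4_000),        # known pair, usual size
    ("10.0.1.5", "10.0.9.99", 21, 800_000_000),  # new server, large ftp push
    ("10.0.1.7", "10.0.9.50", 443, 1_500),       # new server, tiny HTTPS hit
]


def build_baseline(flows: List[Flow]) -> Set[Tuple[str, str]]:
    """Learn which (src, dst) pairs a host has talked to before."""
    return {(src, dst) for src, dst, _port, _nbytes in flows}


def detect(flows: List[Flow], baseline: Set[Tuple[str, str]],
           min_bytes: int = 0, ports: Optional[Set[int]] = None) -> List[Flow]:
    """Return flows whose (src, dst) pair is absent from the baseline.

    Every such flow is a genuine deviation from learned behavior; min_bytes
    and ports are the operator's tuning, deciding which deviations matter
    enough to surface rather than whether they are anomalies at all.
    """
    alerts = []
    for src, dst, port, nbytes in flows:
        if (src, dst) in baseline:
            continue                      # behavior seen before: not anomalous
        if nbytes < min_bytes:
            continue                      # anomalous but below volume of interest
        if ports is not None and port not in ports:
            continue                      # anomalous but not a service we watch
        alerts.append((src, dst, port, nbytes))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("untuned:", detect(NEW_FLOWS, base))
    print("tuned:  ", detect(NEW_FLOWS, base, min_bytes=100_000_000, ports={21}))
```

Untuned, both new-destination flows are reported; with a volume floor and a port filter only the large transfer to the never-seen FTP server remains.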




