
Re: anomaly vs signature

by mykii


Indeed, categorization can be done between anomaly-based vs. signature-based.
That's a traditional approach; a complementary one is white list (everything
not recognized is not allowed) or black list (I only stop what I know to be
suspicious: signature, protocol anomaly, ...; the rest is accepted). This
second approach is, from our point of view, less efficient and much more
resource-consuming. I would like to suggest you test (and give your
feedback!) our beta test product: http://www.binarysec.com which is a
web firewall to be installed on an Apache server (with Linux); it uses an
artificial intelligence engine. Everything is software (1 Apache module + 1
server).

Michael Vergoz

----- Original Message -----
From: "Roland Dobbins" <rdobbins@...>
To: <focus-ids@...>
Sent: Wednesday, August 02, 2006 5:53 PM
Subject: Re: anomaly vs signature


>
> On Jul 31, 2006, at 8:58 PM, SanjayR wrote:
>
>> Please read the first line as "Yes... it's true that there are more misuse
>> based ID systems than the anomaly based."
>> thanks
>> At 11:02 AM 7/28/2006, SanjayR wrote:
>>> Yes... it's true that there are more anomaly based ID systems than the
>>> misuse based. One possible reason may be the rate of FPs for anomaly
>>> based systems. If you look at the research perspective, there is a big
>>> gap between the research and commercial ID systems. Reason may be
>>> research is focusing on Machine learning, data mining
>
> I can't agree with this statement - properly-implemented AD systems don't
> exhibit false positives at all; the key is whether or not one -cares-
> about the anomalies one's seeing (and that's where tuning comes in). My
> operational experience with commercial anomaly-detection systems on
> production networks over the last 5 years is that they're extremely
> useful for SP and large enterprise opsec teams in terms of
> detecting/classifying/tracing back DoS attacks, worm outbreaks, and other
> forms of network behaviors which may not be deemed security risks in and
> of themselves, but which are interesting or of possible forensic value
> (i.e., user kicks off large ftp transfer to a server he's never accessed
> before, etc.), and I've never seen a false positive during that time.
>
> There are several commercial AD systems (both statistical and behavioral)
> which are quite good; there's also an open-source project called
> Panoptis, but it's been inactive for a while.
>
> ----------------------------------------------------------------------
> Roland Dobbins <rdobbins@...> // 408.527.6376 voice
>
>      Everything has been said.  But nobody listens.
>
>                    -- Roger Shattuck
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ------------------------------------------------------------------------
>
>

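The three approaches the thread contrasts (a white list that refuses anything unrecognized, a black list of known-bad signatures that passes everything else, and a baseline-driven anomaly detector that merely reports deviations, such as the "large transfer to a server never accessed before" case above) side by side on constructed web-server traffic. This is an added illustration, not code from any poster, the focus-ids list, or the BinarySec product; the client address, paths, sizes, signatures and the `size_factor` threshold are all invented for the example.

```python
"""Allowlist, denylist (signature) and baseline-anomaly checks, side by side.

Added illustration; the traffic below is constructed, not real logs, and the
rules are deliberately minimal so the trade-offs are visible.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client: str   # source address
    method: str
    path: str
    size: int     # bytes transferred for this request


# 1. Allowlist: everything not explicitly recognized is refused.
ALLOWLIST = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/products/\d+$")),
    ("POST", re.compile(r"^/cart$")),
]


def allowlist_verdict(req):
    for method, pattern in ALLOWLIST:
        if req.method == method and pattern.match(req.path):
            return "allow"
    return "block"


# 2. Denylist / signatures: only what matches a known-bad pattern is refused.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.I),
    "xss-tag": re.compile(r"<script", re.I),
}


def denylist_verdict(req):
    for name, pattern in SIGNATURES.items():
        if pattern.search(req.path):
            return "block:" + name
    return "allow"


# 3. Anomaly: learn a per-client baseline, then report deviations from it.
class Baseline:
    def __init__(self):
        self.paths = defaultdict(set)     # client -> paths it has requested
        self.max_size = defaultdict(int)  # client -> largest transfer seen

    def learn(self, requests):
        for r in requests:
            self.paths[r.client].add(r.path)
            self.max_size[r.client] = max(self.max_size[r.client], r.size)

    def anomalies(self, req, size_factor=3):
        """Return the labels of every baseline deviation in this request."""
        found = []
        if req.path not in self.paths[req.client]:
            found.append("new-path")   # a resource this client never touched before
        known_max = self.max_size[req.client]
        if known_max and req.size > size_factor * known_max:
            found.append("volume")     # far larger than anything seen from it
        return found


# Constructed traffic: a learning window of ordinary use, then four probes.
TRAINING = [
    Request("10.0.0.5", "GET", "/", 2000),
    Request("10.0.0.5", "GET", "/products/1", 5000),
    Request("10.0.0.5", "GET", "/products/2", 5100),
    Request("10.0.0.5", "POST", "/cart", 800),
]
PROBES = [
    Request("10.0.0.5", "GET", "/products/3", 5000),                # benign, unseen id
    Request("10.0.0.5", "GET", "/help", 1500),                      # benign page, not allowlisted
    Request("10.0.0.5", "GET", "/products/../../etc/passwd", 300),  # classic traversal
    Request("10.0.0.5", "GET", "/.git/config", 40000),              # no signature covers it
]


def evaluate(training=TRAINING, probes=PROBES):
    """Map each probe path to (allowlist verdict, denylist verdict, anomalies)."""
    baseline = Baseline()
    baseline.learn(training)
    return {
        r.path: (allowlist_verdict(r), denylist_verdict(r), baseline.anomalies(r))
        for r in probes
    }


if __name__ == "__main__":
    for path, (allow, deny, anom) in evaluate().items():
        print(f"{path:32} allowlist={allow:6} denylist={deny:22} anomaly={anom}")
```

Running it shows each approach's characteristic cost: the allowlist refuses the benign `/help` page simply because nobody listed it yet, the denylist passes `/.git/config` because no signature describes it, and the baseline reports every previously unseen path plus the outsized transfer. Whether the `/products/3` report is worth acting on is exactly the tuning question raised in the quoted reply; a production baseline would typically generalize `/products/<id>` to one template rather than treating each id as new.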

