
Re: IDS thoughts

From: Thomas H. Ptacek <tqbf(at)pobox.com>
Date: Tue May 20 2003 - 14:46:56 EDT


> space. Sit down and stare at several captures of HTTP transactions.

You're making the assumption that "anomaly detection" means "protocol anomaly detection" (looking for protocol-specific weirdness). The impression I get is that most "protocol anomaly detection" is in fact largely rule-based.

"Anomaly detection", in the IDS context, means "detecting threats by observing things that deviate from a norm". Many types of anomaly detection systems do not use RFC-style rules as a "norm" to validate against.

---
Thomas H. Ptacek // Product Manager @ Arbor Networks
(734) 821-1432
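The distinction drawn above, as an added illustration that is not part of the original post and not Ptacek's or Arbor's code: a fixed, RFC-style rule list is compared with a detector that learns a statistical baseline from observed traffic and flags deviation from it. The HTTP request records, the feature set, the z-score threshold and all function names are constructed for this example.

```python
"""Two readings of "anomaly detection" over HTTP request metadata.

rule_based_protocol_check(): protocol anomaly detection done as a rule
list. A request is anomalous only if it breaks a rule someone wrote down.

StatisticalBaseline: anomaly detection in the "deviation from a norm"
sense. The norm is learned from traffic that was observed, and no
protocol rule is consulted at all.

All sample traffic below is constructed for this example.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body_len: int


# Methods an RFC-style rule set would recognise (constructed rule list).
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def rule_based_protocol_check(req: HttpRequest) -> list:
    """Rule-based 'protocol anomaly' check: returns the rules the request breaks."""
    findings = []
    if req.method not in RFC_METHODS:
        findings.append(f"unknown method {req.method!r}")
    if not req.uri.startswith("/"):
        findings.append("request-target is not an absolute path")
    if req.method in {"GET", "HEAD"} and req.body_len > 0:
        findings.append(f"{req.method} carries a body")
    if "host" not in {k.lower() for k in req.headers}:
        findings.append("missing Host header")
    return findings


def features(req: HttpRequest) -> dict:
    """Numeric view of a request; the baseline is learned over these values."""
    return {
        "uri_len": float(len(req.uri)),
        "header_count": float(len(req.headers)),
        "body_len": float(req.body_len),
        # Characters outside the alphanumeric / path-punctuation set.
        "uri_nonalnum": float(sum(1 for c in req.uri if not c.isalnum() and c not in "/._-")),
    }


class StatisticalBaseline:
    """Per-feature mean and standard deviation learned from observed traffic."""

    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold  # z-score above which a feature is 'deviant'
        self.mean = {}
        self.std = {}

    def fit(self, requests):
        rows = [features(r) for r in requests]
        for name in rows[0]:
            vals = [row[name] for row in rows]
            m = sum(vals) / len(vals)
            self.mean[name] = m
            self.std[name] = math.sqrt(sum((v - m) ** 2 for v in vals) / len(vals))

    def score(self, req: HttpRequest) -> dict:
        """z-score per feature. A feature that never varied in training is
        treated as strictly fixed: any change is infinitely anomalous."""
        out = {}
        for name, value in features(req).items():
            if self.std[name] == 0:
                out[name] = 0.0 if value == self.mean[name] else float("inf")
            else:
                out[name] = abs(value - self.mean[name]) / self.std[name]
        return out

    def deviations(self, req: HttpRequest) -> dict:
        return {n: z for n, z in self.score(req).items() if z > self.threshold}


# Constructed 'normal' traffic used to learn the baseline.
_HEADERS = {"Host": "www.example.test", "User-Agent": "Mozilla/5.0", "Accept": "*/*"}
_NORMAL_URIS = ["/", "/index.html", "/about.html", "/images/logo.png",
                "/css/site.css", "/js/app.js", "/contact.html", "/products/list.html"]
TRAINING = [HttpRequest("GET", u, _HEADERS, 0) for u in _NORMAL_URIS * 3]

# Protocol-clean request that is nothing like the observed traffic.
LONG_QUERY = HttpRequest("GET", "/index.html?id=" + "A" * 400, _HEADERS, 0)
# Statistically ordinary request that breaks a written rule.
ODD_METHOD = HttpRequest("TRACK", "/index.html", _HEADERS, 0)


def compare(req: HttpRequest, baseline: StatisticalBaseline) -> dict:
    return {"rules": rule_based_protocol_check(req), "baseline": baseline.deviations(req)}


if __name__ == "__main__":
    b = StatisticalBaseline()
    b.fit(TRAINING)
    for name, req in (("LONG_QUERY", LONG_QUERY), ("ODD_METHOD", ODD_METHOD)):
        print(name, compare(req, b))
```

The two test requests pull in opposite directions: `LONG_QUERY` satisfies every rule yet is flagged by the learned baseline on URI length and character mix, while `ODD_METHOD` is indistinguishable from training traffic in every measured feature and is caught only by the rule list, since the baseline never learned anything about method names. Each detector sees what the other is blind to, which is the reason the two terms are worth keeping apart.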


Received on Tue May 20 14:58:02 2003


