
Re: IDS thoughts

From: Lance Spitzner <lance(at)honeynet.org>
Date: Tue May 20 2003 - 21:48:39 EDT


On Tue, 20 May 2003, Ramani Yellapragada wrote:

> > "Anomaly detection" isn't an architecture or implementation. It's no
> > more "rate over time, cross host cross protocol" than it is "validate
> > against RFCs". Anomaly detection is the philosophy of design that says
> > that we can find interesting events by looking for deviations from the
> > norm.

>
> But what are the common approaches to build upon this design idea? Say if we

Keep in mind, there are many different approaches to anomaly detection. For example, honeypots are in many ways nothing more than an anomaly detection device. Theoretically, a honeypot should never see any traffic. Any traffic it does see is a deviation, by definition an anomaly. This is a very simple, yet very effective approach to detecting and capturing activity never seen before.

lance
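The detection logic Lance describes, as an added example that is not part of the original post or of any Honeynet Project code: a honeypot has no production role, so the detector consults no signature and no learned baseline; any flow whose destination is a honeypot address is an alert. The honeypot addresses, the allowlisted management host and the flow records are all constructed for the example. The one refinement a practitioner would want is also included: a flow that originates *from* the honeypot is the stronger anomaly, since it normally means the honeypot has been compromised and is being used as a pivot.

```python
from collections import defaultdict

# Hypothetical honeypot addresses (assumption for this example; not from the post).
HONEYPOTS = {"10.0.5.200", "10.0.5.201"}
# Sources allowed to touch the honeypots, e.g. the analyst's own
# management host. Also an assumption; tune to your own environment.
ALLOWLIST = {"10.0.0.10"}

# Constructed flow records, one per line:
#   <timestamp> <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_FLOWS = """\
2003-05-20T21:00:01 192.0.2.17 10.0.5.10 tcp 80
2003-05-20T21:00:02 192.0.2.17 10.0.5.200 tcp 445
2003-05-20T21:00:02 192.0.2.17 10.0.5.201 tcp 445
2003-05-20T21:00:09 198.51.100.4 10.0.5.200 udp 1434
2003-05-20T21:01:00 10.0.0.10 10.0.5.200 tcp 22
2003-05-20T21:02:13 203.0.113.9 10.0.5.12 tcp 25
2003-05-20T21:05:00 10.0.5.200 203.0.113.50 tcp 6667
"""


def parse_flow(line):
    """Split one constructed flow line into a dict."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def honeypot_alerts(flow_text, honeypots=HONEYPOTS, allowlist=ALLOWLIST):
    """Flag every flow that touches a honeypot.

    No signature or baseline is consulted: a honeypot has no production
    role, so the address alone makes the flow an anomaly. Two kinds:
      inbound  - someone contacted the honeypot (probe, scan, exploit attempt)
      outbound - the honeypot itself initiated traffic, which should never
                 happen and usually means it has been compromised
    """
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] in honeypots:
            alerts.append(dict(f, kind="outbound"))
        elif f["dst"] in honeypots and f["src"] not in allowlist:
            alerts.append(dict(f, kind="inbound"))
    return alerts


def sources_by_kind(alerts):
    """Group inbound alerts by source so a single scanner sweeping several
    honeypots is reported once, and list outbound alerts separately."""
    inbound = defaultdict(list)
    outbound = []
    for a in alerts:
        if a["kind"] == "inbound":
            inbound[a["src"]].append((a["dst"], a["proto"], a["dport"]))
        else:
            outbound.append((a["dst"], a["proto"], a["dport"]))
    return dict(inbound), outbound


if __name__ == "__main__":
    inbound, outbound = sources_by_kind(honeypot_alerts(SAMPLE_FLOWS))
    for src, hits in inbound.items():
        print(f"inbound  {src} -> {hits}")
    for hit in outbound:
        print(f"OUTBOUND from honeypot -> {hit}  (possible compromise)")
```

On the constructed input, the two flows to the production hosts 10.0.5.10 and 10.0.5.12 produce nothing, the sweep of both honeypots on 445 and the UDP 1434 probe are reported as inbound, the allowlisted management login is suppressed, and the honeypot's own connection out to port 6667 is reported separately as a possible compromise. The allowlist is the one place where the "any traffic is an anomaly" rule has to bend in practice: whatever you use to maintain or inspect the honeypot will otherwise alert on itself.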





Received on Wed May 21 15:32:25 2003


