Re: IDS thoughts
From: Stefano Zanero <stefano.zanero(at)ieee.org>
Date: Mon May 26 2003 - 15:03:27 EDT
> But what if the anomaly is happening on another never used
If it's been never used on that network, it IS an anomaly by itself. What you are probably missing is that "anomaly" is not defined "a priori". You define it on the network segment you are monitoring or to the system you are monitoring. It MUST adapt.
> Are there ways by
Yes there are - google is your friend ;)

> I feel this is the real problem that needs to be solved. Is there a way
It is what we are trying to build here (here = my university lab). It's not an easy task, and you will probably never get an automatic know-it-all oracle... but it can be studied and must be studied, because the misuse detection approach alone will not work. You may begin by looking at protocols you know and ensuring they actually ARE the protocols you know.

Stefano Zanero

Received on Tue May 27 19:08:15 2003
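The two ideas in the reply, that "anomaly" is defined relative to the segment you monitor and that traffic on a known port should be checked to really be that protocol, as an added illustration that is not part of the original post or of the author's lab work. The segment name, the flow dictionary layout and the sample flows are constructed for the example.

```python
# Added example (not from the original post): a per-segment baseline that
# learns what "normal" services look like, plus a protocol-conformance check.
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class SegmentBaseline:
    """Learns which (protocol, dst_port) services one monitored segment uses."""
    name: str
    min_support: int = 2            # flows needed before a service counts as normal
    seen: Counter = field(default_factory=Counter)

    def learn(self, flow):
        # The baseline adapts to whatever this segment actually carries.
        self.seen[(flow["proto"], flow["dport"])] += 1

    def is_anomalous(self, flow):
        return self.seen[(flow["proto"], flow["dport"])] < self.min_support

# Protocol conformance: something on TCP/80 should actually look like HTTP.
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")

def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_STARTS)

def protocol_mismatch(flow) -> bool:
    """True when a TCP/80 flow does not carry HTTP (port says one thing, bytes another)."""
    if flow["proto"] == "tcp" and flow["dport"] == 80:
        return not looks_like_http(flow["payload"])
    return False

def classify(baseline, flow) -> str:
    """Label one flow against a segment's baseline: unseen-service, protocol-mismatch or normal."""
    if baseline.is_anomalous(flow):
        return "unseen-service"
    if protocol_mismatch(flow):
        return "protocol-mismatch"
    return "normal"

# Constructed training flows for a hypothetical "dmz" segment (not real captures).
TRAINING_DMZ = [
    {"proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /index HTTP/1.1\r\n"},
    {"proto": "udp", "dport": 53, "payload": b"\x00\x01\x01\x00"},
    {"proto": "udp", "dport": 53, "payload": b"\x00\x02\x01\x00"},
]

def build_baseline(name="dmz", flows=TRAINING_DMZ) -> SegmentBaseline:
    baseline = SegmentBaseline(name)
    for flow in flows:
        baseline.learn(flow)
    return baseline
```

The same flow that is an anomaly on one segment can be normal on another whose baseline learned it, which is the point about "anomaly" not being defined a priori.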