IDS mailing list archives

Re: A Network IPS Proposal (was Definition of Zero Day Protection)


From: Stefano Zanero <zanero () elet polimi it>
Date: Tue, 17 Aug 2004 11:38:13 +0200

Johnny Calhoun wrote:

> How do you define "similar pattern"?

In how many books do you want the answer? :)

> how do you know if something is "similar" before it even happens?

This is actually the whole point in using anomaly detection systems, isn't it?

> Anomaly based Intrusion Detection/Prevention is very complex, much more complex than just trapping traffic and predicting similar patterns.

I think that the whole problem - as far as NIPS is concerned - is _exactly_ trapping traffic and understanding similarity in patterns. The problem is to do it, to do it right and to do it with as few false positives as possible. THAT is nontrivial.

Check my BH presentation:
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-zanero.pdf

--
Regards,
Stefano Zanero
