IDS mailing list archives

RE: How do behavioral/anomaly detection systems learn?


From: "Mariusz Burdach" <M_Burdach () compfort pl>
Date: Thu, 5 Feb 2004 10:00:41 +0100

Hi,

Anomaly detection can be performed by security tools on the following
layers of the TCP/IP model: internet, transport and application.
I suggest looking closer at Spade - this is the Snort plugin now added
to every version of Snort. Spade is developed by Silicon Defense (so
some information can be found at www.silicondefense.com - also
look at the references in the Spade documentation). Spade is a Statistical
Packet Anomaly Detection Engine with Bayesian probabilities applied.
Bayesian networks are used to learn a long-term profile of normal
activities in a network system and to detect deviations of the observed
activities from the norm profile.
Another kind of anomaly detection is applied in Symantec ManHunt:
- anomalies on the network/transport layers (detection of packet fragmentation
(IP and TCP packets), detection of DoS attacks by counting SYN packets
and SYN/ACK packets, etc.)
- anomalies on the application layer (detection of incorrect use of a particular
protocol - let's say that an intruder connects to a web server and
generates the following request:
$ telnet web_server 80
GET /  <-----this request is incomplete.
So the system will detect it as an anomaly - because this request is not
correct against the HTTP specification described in the RFC).
Of course someone can say that this is not an anomaly because the IDS has
RFC rules implemented.

Another example of anomaly detection on the application layer is the behavior
of users. We know that users usually log in to the server from
workstations in a certain domain during known hours (8 a.m. - 4 p.m.). If a
user logs in to the server from another domain or at night - this is an
anomaly - and we should look closer at this kind of event.

I also suggest looking at the Reading Room on the SANS portal and articles
published by SecurityFocus.

Regards,

Mariusz Burdach
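The two stateless checks described in the reply above (counting SYN against SYN/ACK per server, and rejecting a request line that does not follow the HTTP/1.x grammar) as an added example in Python. This is illustrative code written for this archive page; it is not code from the post, from Snort/Spade or from ManHunt, and the class and function names, thresholds and the constructed packet stream are assumptions. One caveat a practitioner would want: a bare `GET /` is also the HTTP/0.9 Simple-Request form, so treating it as an anomaly is a policy choice for HTTP/1.x services rather than a universal protocol violation, and the threshold for unanswered SYNs must be tuned per server (a host that is simply down also leaves SYNs unanswered).

```python
import re
from collections import deque

# Strict HTTP/1.x request line per RFC 2616 section 5.1:
#   Request-Line = Method SP Request-URI SP HTTP-Version CRLF
KNOWN_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n$")


def check_request_line(raw):
    """Return the list of reasons one request line (bytes) is anomalous; empty means conformant."""
    reasons = []
    # Anything below SP except CR/LF, or above '~', has no place in a request line.
    if any((b < 0x20 and b not in (0x0D, 0x0A)) or b > 0x7E for b in raw):
        reasons.append("control or non-ASCII byte in request line")
    line = raw.decode("ascii", errors="replace")
    if not line.endswith("\r\n"):
        reasons.append("request line not terminated by CRLF")
    m = REQUEST_LINE.match(line)
    if not m:
        # The post's hand-typed "GET /" lands here: no HTTP-Version token.
        reasons.append("request line does not match 'Method SP Request-URI SP HTTP-Version CRLF'")
        return reasons
    if m.group(1) not in KNOWN_METHODS:
        reasons.append("unknown method %s" % m.group(1))
    return reasons


class SynBacklogMonitor:
    """Count SYN vs SYN/ACK per server inside a sliding time window.

    A completed handshake contributes one SYN and one SYN/ACK for the same server.
    A flood, or a server that has stopped answering, leaves SYNs unanswered.
    """

    def __init__(self, window_seconds=10, max_unanswered=100):
        self.window = window_seconds
        self.max_unanswered = max_unanswered  # assumed threshold, tune per server
        self.events = deque()                 # (timestamp, server, "SYN" | "SYNACK")

    def observe(self, ts, src, dst, flags):
        """Feed one packet; flags is a set such as {"SYN"} or {"SYN", "ACK"}."""
        if "SYN" not in flags:
            return None
        if "ACK" in flags:
            server = src                      # SYN/ACK travels server -> client
            self.events.append((ts, server, "SYNACK"))
        else:
            server = dst
            self.events.append((ts, server, "SYN"))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()             # drop events outside the window
        return self.unanswered(server)

    def unanswered(self, server):
        syn = sum(1 for _, s, k in self.events if s == server and k == "SYN")
        synack = sum(1 for _, s, k in self.events if s == server and k == "SYNACK")
        return syn - synack

    def is_flooded(self, server):
        return self.unanswered(server) > self.max_unanswered


def demo_syn_flood():
    """Constructed traffic: 20 clean handshakes, then 150 unanswered SYNs in one second."""
    mon = SynBacklogMonitor(window_seconds=10, max_unanswered=100)
    server = "10.0.0.5"                       # assumed address for the demo
    t = 0.0
    for i in range(20):
        client = "192.0.2.%d" % (i + 1)
        mon.observe(t, client, server, {"SYN"})
        mon.observe(t + 0.01, server, client, {"SYN", "ACK"})
        t += 0.1
    before = mon.unanswered(server)           # every SYN was answered
    for i in range(150):
        mon.observe(t, "198.51.100.%d" % (i % 250 + 1), server, {"SYN"})
        t += 1.0 / 150
    return before, mon.unanswered(server), mon.is_flooded(server)


if __name__ == "__main__":
    print(check_request_line(b"GET /\r\n"))
    print(check_request_line(b"GET / HTTP/1.1\r\n"))
    print(demo_syn_flood())
```

Both detectors are stateless with respect to the environment: nothing is learned, the "normal" is fixed in advance by the RFC grammar and by the threshold. That is the sense in which the original question's "more intelligent signatures" description fits this layer of ManHunt-style detection.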
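The user-behavior example from the reply above (who logs in, from which domain, at which hours), carried through as an added learning detector in Python. This is illustrative code written for this page, not code from the post or from any product it names; the log format, user names, hosts and the `LoginProfile` class are constructed assumptions. It answers the thread's question directly: the profile is built from observed logins, and a later login is judged against what was seen. The practitioner's caveat is the training window: whatever the attacker does while the baseline is being learned becomes "normal", and a user with too few samples cannot be judged at all, which is why `min_samples` exists.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a syslog-like shape; not captured from any real system.
TRAINING_LOG = """\
2004-01-12T08:03:11 sshd[411]: Accepted password for alice from ws01.corp.example
2004-01-12T08:15:42 sshd[412]: Accepted password for bob from ws07.corp.example
2004-01-12T13:40:09 sshd[430]: Accepted publickey for alice from ws01.corp.example
2004-01-13T09:02:55 sshd[502]: Accepted password for alice from ws03.corp.example
2004-01-13T10:11:20 sshd[510]: Accepted password for bob from ws07.corp.example
2004-01-13T16:22:01 sshd[533]: Accepted password for alice from ws01.corp.example
2004-01-14T08:45:37 sshd[601]: Accepted password for bob from ws09.corp.example
2004-01-14T11:20:14 sshd[612]: Accepted publickey for alice from ws02.corp.example
2004-01-14T14:05:48 sshd[620]: Accepted password for bob from ws07.corp.example
2004-01-15T08:59:03 sshd[701]: Accepted password for alice from ws01.corp.example
2004-01-15T16:10:26 sshd[722]: Accepted password for bob from ws07.corp.example
"""

TEST_LOG = """\
2004-02-05T09:14:33 sshd[900]: Accepted password for bob from ws07.corp.example
2004-02-05T02:17:49 sshd[903]: Accepted password for alice from ppp-17.dialup.example.net
2004-02-05T15:30:00 sshd[910]: Accepted password for alice from ws05.corp.example
2004-02-05T10:00:00 sshd[915]: Accepted password for carol from ws12.corp.example
"""

LINE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \w+ for (\w+) from (\S+)$")


def parse(line):
    """Extract (user, hour, source domain) from one line, or None if it is not a login."""
    m = LINE.match(line)
    if not m:
        return None
    hour = datetime.fromisoformat(m.group(1)).hour
    host = m.group(3)
    domain = host.split(".", 1)[1] if "." in host else host   # drop the host label
    return m.group(2), hour, domain


class LoginProfile:
    """Per-user baseline learned from observed logins: source domains and hour-of-day window."""

    def __init__(self, min_samples=5):
        self.min_samples = min_samples      # do not judge a user with too little history
        self.domains = defaultdict(set)
        self.hours = defaultdict(set)
        self.samples = defaultdict(int)

    def learn(self, user, hour, domain):
        self.domains[user].add(domain)
        self.hours[user].add(hour)
        self.samples[user] += 1

    def score(self, user, hour, domain):
        """Return the ways this login deviates from the learned profile (empty list = normal)."""
        if self.samples[user] < self.min_samples:
            return ["no baseline: only %d prior logins" % self.samples[user]]
        reasons = []
        if domain not in self.domains[user]:
            reasons.append("source domain %s never seen for %s" % (domain, user))
        lo, hi = min(self.hours[user]), max(self.hours[user])
        if not lo <= hour <= hi:
            reasons.append("hour %02d outside learned window %02d-%02d" % (hour, lo, hi))
        return reasons


def train(log_text, min_samples=5):
    """Learning phase: every login in the training window is taken as normal."""
    profile = LoginProfile(min_samples)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            profile.learn(*rec)
    return profile


def detect(profile, log_text):
    """Detection phase: return [(user, hour, domain, reasons)] for logins that deviate."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = profile.score(*rec)
        if reasons:
            alerts.append((rec[0], rec[1], rec[2], reasons))
    return alerts


if __name__ == "__main__":
    for user, hour, domain, reasons in detect(train(TRAINING_LOG), TEST_LOG):
        print(user, "%02d:00" % hour, domain, "->", "; ".join(reasons))
```

Running it flags alice's 02:17 login from the dial-up domain on both counts and refuses to judge carol, who has no history, while bob's and alice's office-hours logins from the learned domain pass silently. In a real deployment the learned window would be widened by a tolerance and the profile refreshed continuously, which is exactly where the risk of baselining an intruder's activity comes from.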

-----Original Message-----
From: Sasha Romanosky [mailto:sasha_romanosky () yahoo com]
Sent: Thursday, February 05, 2004 7:18 AM
To: focus-ids () securityfocus com
Subject: How do behavioral/anomaly detection systems learn?



Greetings, 

With regard to "behavioral" or "anomaly" detection systems vs. pure
signature-based detection systems, I'm trying to understand how these
behavioral technologies differentiate "good" traffic from "bad" traffic.
I don't want to get into which is better, because they both have their
place, of course. What I'm trying to understand is how these behavioral
systems work, or "learn".

I have seen that this technique is not unique to intrusion detection
systems, but also appears in application firewalls (e.g. Teros) and
email virus scanners (e.g. using bayesian filtering). 

With some products, I see that you configure them with specific rules,
tailored to your particular environment, and with other products, you
just point it to the network and it creates a profile all by itself. 

Does this simply amount to another form of signature system, just with
more intelligent signatures? Or is it more complex than this?

Any references (whitepapers, archives, sites, etc) explaining this
learning would be most appreciated.


Cheers,
Sasha Romanosky

