IDS mailing list archives

RE: Network Behaviour Anomaly Detection


From: Michael Cunningham <crayola () optonline net>
Date: Wed, 23 Jun 2004 23:31:26 -0400


SPADE would be one example...

Ntop could be used for this...

Spade + Snort is good for looking for anomalous port scans that have been
randomized, etc.

Unfortunately it's not what I am looking for. ntop can help track
connections/ports but not provide the AI necessary to spot anomalies in
network behaviour over time.

I am really looking for something like Arbor Networks Peakflow X or
Q1 Labs Qradar products. Both of which are pretty pricey in these tight
budget times. 

They are designed to look at network connections between systems,
what ports are used, how much traffic moves between systems, when all this
occurs, etc. Essentially they build up a profile of normal activity on your
network over time, and then if something weird starts happening, like a
database starts talking to a system it never spoke to before, or a desktop
starts making connections to hundreds of production systems, it alerts you
that something might be wrong. It's sorta like Sourcefire's RNA product but
much more focused on the anomaly AI part of looking at the information and
much less focused on using network intelligence to correlate with IDS
events.

Anyone interested in starting up an open-source project to build something
like this?
I think it is the perfect complement to a signature-based IDS system. It can
detect traffic that looks normal to an IDS system but may actually be
malicious.
Example: a developer runs SQL queries against your main production database
at 3am to steal all the credit cards from it and resell them on the Internet.
An IDS system wouldn't normally say anything about this since it isn't a
defined signature event. But a Network Behaviour Anomaly detection system
would alert, indicating that it is not normal for that developer workstation
to be making a connection to a production Oracle server from their desktop
at 3am and retrieving such a large amount of data.

Thanks,
Mike
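A small illustration of the baselining idea described in the post above, added here as an example and not code from the post or from any of the products it names: it learns which hosts talk to which, on what port, during which hours and with how much data, then flags a new peer, an off-hours connection, an unusually large transfer, or a workstation fanning out to many hosts it has never contacted. All hosts, ports, timestamps and byte counts are constructed.

```python
"""Toy network-behaviour baseline: learn who talks to whom, on what port,
at what hours and with how much data, then flag flows that deviate."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes_returned).
# 10.1.1.20 is a developer workstation that normally queries the Oracle
# listener on 10.2.0.5 during business hours with modest result sizes.
BASELINE_FLOWS = [
    ("2004-06-21 09:15", "10.1.1.20", "10.2.0.5", 1521, 40_000),
    ("2004-06-21 14:05", "10.1.1.20", "10.2.0.5", 1521, 55_000),
    ("2004-06-22 10:30", "10.1.1.20", "10.2.0.5", 1521, 48_000),
    ("2004-06-22 16:45", "10.1.1.20", "10.2.0.5", 1521, 52_000),
    ("2004-06-21 11:00", "10.1.1.21", "10.2.0.9", 445, 12_000),
]

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour

class Baseline:
    def __init__(self, flows):
        self.sizes = defaultdict(list)  # (src, dst, port) -> observed byte counts
        self.hours = defaultdict(set)   # src -> hours of day it is normally active
        self.peers = defaultdict(set)   # src -> hosts it normally talks to
        for ts, src, dst, port, nbytes in flows:
            self.sizes[(src, dst, port)].append(nbytes)
            self.hours[src].add(_hour(ts))
            self.peers[src].add(dst)

    def check(self, flows, fanout_limit=10):
        """Return [(flow, reasons)] for every flow that deviates from the baseline."""
        results, new_peers = [], defaultdict(set)
        for flow in flows:
            ts, src, dst, port, nbytes = flow
            reasons, seen = [], self.sizes.get((src, dst, port))
            if seen is None:                     # pair/port never observed before
                reasons.append("new-peer")
            if src in self.hours and _hour(ts) not in self.hours[src]:
                reasons.append("off-hours")      # known host, unusual time of day
            if seen and len(seen) >= 2 and nbytes > mean(seen) + 3 * pstdev(seen):
                reasons.append("volume")         # far above this pair's usual size
            if dst not in self.peers[src]:
                new_peers[src].add(dst)          # track fan-out across this batch
            results.append((flow, reasons))
        for flow, reasons in results:            # one host contacting many new hosts
            if len(new_peers[flow[1]]) >= fanout_limit:
                reasons.append("fan-out")
        return [(f, r) for f, r in results if r]
```

The baseline here is a plain per-pair mean and standard deviation; a real deployment would age out old observations and learn hours per weekday rather than per day.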