IDS mailing list archives
RE: Network Behaviour Anomaly Detection
From: Michael Cunningham <crayola () optonline net>
Date: Wed, 23 Jun 2004 23:31:26 -0400
SPADE would be one example...
Ntop could be used for this...
Spade + Snort is good for looking for anomalous port scans that have been randomized, etc. Unfortunately it's not what I am looking for. ntop can help track connections/ports but not provide the AI necessary to spot anomalies in network behaviour over time.

I am really looking for something like Arbor Networks' Peakflow X or Q1 Labs' QRadar products, both of which are pretty pricey in these tight budget times. They are designed to look at network connections between systems, what ports are used, how much traffic moves between systems, when all this occurs, etc. Essentially they build up a profile of normal activity on your network over time, and then if something weird starts happening, like a database starting to talk to a system it never spoke to before, or a desktop starting to make connections to hundreds of production systems, it alerts you that something might be wrong. It's sort of like Sourcefire's RNA product but much more focused on the anomaly AI part of looking at the information and much less focused on using network intelligence to correlate with IDS events.

Anyone interested in starting up an open-source project to build something like this? I think it is the perfect complement to a signature-based IDS system. It can detect traffic that looks normal to an IDS system but may actually be malicious. Example: a developer runs SQL queries against your main production database at 3am to steal all the credit cards from it and resell them on the Internet. An IDS system wouldn't normally say anything about this since it isn't a defined signature event. But a Network Behaviour Anomaly Detection system would alert, indicating that it is not normal for that developer workstation to be making a connection to a production Oracle server from their desktop at 3am and retrieving such a large amount of data.

Thanks,
Mike
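The baseline-then-alert idea Mike describes, as an added example that is not part of the original post or of any product named in it: a toy detector over constructed flow records that learns which (source, destination, port) pairs are normal, at what hours and volumes, and then flags a never-seen peer, an off-hours or oversized transfer, and a host fanning out to many destinations. All hosts, ports, timestamps and thresholds are constructed assumptions.

```python
"""Toy network behaviour anomaly detector (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline flows: (timestamp, src, dst, dst_port, bytes).
BASELINE_FLOWS = [
    ("2004-06-01T10:00:00", "10.1.1.20", "10.2.2.5", 1521, 40_000),  # app server -> Oracle
    ("2004-06-02T11:30:00", "10.1.1.20", "10.2.2.5", 1521, 52_000),
    ("2004-06-03T09:15:00", "10.1.1.20", "10.2.2.5", 1521, 38_000),
    ("2004-06-01T14:00:00", "10.3.3.77", "10.1.1.20", 443, 12_000),  # desktop -> app server
    ("2004-06-02T15:20:00", "10.3.3.77", "10.1.1.20", 443, 9_000),
]


def build_profile(flows):
    """Learn, per (src, dst, port), the hours of day seen and the largest transfer."""
    pairs = {}
    for ts, src, dst, port, nbytes in flows:
        p = pairs.setdefault((src, dst, port), {"hours": set(), "max_bytes": 0})
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return pairs


def check_flows(profile, flows, fanout_limit=50, byte_factor=5):
    """Score a batch of new flows against the profile; returns a list of alert strings."""
    alerts, peers, reported_new = [], defaultdict(set), set()
    for ts, src, dst, port, nbytes in flows:
        hour = datetime.fromisoformat(ts).hour
        key = (src, dst, port)
        p = profile.get(key)
        if p is None:
            if key not in reported_new:  # one alert per never-seen pair, not per packet
                reported_new.add(key)
                alerts.append(f"NEW_PEER {src} -> {dst}:{port}")
        else:
            if hour not in p["hours"]:
                alerts.append(f"UNUSUAL_HOUR {src} -> {dst}:{port} at {hour:02d}:00")
            if nbytes > byte_factor * p["max_bytes"]:
                alerts.append(f"VOLUME {src} -> {dst}:{port} {nbytes}B (baseline max {p['max_bytes']}B)")
        # Fan-out: fire once when a source crosses the distinct-destination limit in this batch.
        peers[src].add(dst)
        if len(peers[src]) == fanout_limit + 1:
            alerts.append(f"FANOUT {src} contacted more than {fanout_limit} distinct hosts")
    return alerts


if __name__ == "__main__":
    prof = build_profile(BASELINE_FLOWS)
    # The 3am developer-workstation-to-Oracle case from the post, as a constructed flow.
    for line in check_flows(prof, [("2004-06-10T03:00:00", "10.3.3.77", "10.2.2.5", 1521, 500_000)]):
        print(line)
```

A real deployment would learn from NetFlow/sFlow or span-port captures over weeks and tune the thresholds per host role; the structure (learn pairs, hours, volumes, fan-out; alert on deviation) is the same.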
Current thread:
- RE: Network Behaviour Anomaly Detection Michael Cunningham (Jun 24)
- Re: [Snort-users] RE: Network Behaviour Anomaly Detection Martin Roesch (Jun 25)
- Re: [Snort-users] RE: Network Behaviour Anomaly Detection pieter claassen (Jun 29)
- Re: [Snort-users] RE: Network Behaviour Anomaly Detection Martin Roesch (Jun 25)