IDS mailing list archives

Re: question about anomalies detection


From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 02 Sep 2004 15:22:17 -0500

Hi Nafis,

Hi everyone,
sorry if my question seems to be a dumb question,
but I need to know several things about anomaly detection for my college
assignment. Below are some things to answer (if you don't mind):

1. To train the anomaly detection system, we must train the application
with the normal profile. My question is how we get the normal profile: do
we build it ourselves, do we try to get it from our network dump data to be
set as the normal profile, or do we use prebuilt data on the net (like the
Lincoln Lab data)?

Usually, you set up the tool to gather a sample of the traffic to create tables of
normal traffic and adjust its thresholds. Of course, you should choose the best
time to do this carefully: profiling the traffic during the night, with no server
activity, would result in a bunch of false positives when your servers start
receiving traffic. This is how it works (in general terms); each product has particular capabilities and there are
specifics for the fine-tuning of each product.

2. Is there any paper about SPADE (Snort plugin)? I've been googling for
some time but never found one.

http://www.silicondefense.com/, the website of the plugin, is unreachable (at least for me). You can still find a copy 
of the plugin in the latest snort distribution, inside the contrib directory. The README file in there has a very good 
description of the algorithms involved in SPADE. In essence, SPADE works only at the network level, meaning that it can 
only identify traffic to/from certain IP and ports but it cannot tell you if it is invalid from an application point of 
view (for example, it cannot analyze if the payload of an http packet violates some http protocol specification).

It seems SPADE is no longer maintained (last update I know of is from 2000), but you might still find it useful.

I don’t think anomaly detection systems are well suited for the perimeter with the Internet. Some will differ with this
opinion based on the capabilities of certain products and the environment, but generally speaking, if your traffic is
diverse at the perimeter (almost any IP and port from and to your network), you will either find that it spits out a lot
of false positives or that the profile is so relaxed that it doesn’t alert on anything and thus is of no use.

In an internal network they might be more useful. For example, you could easily spot a worm trying to propagate through 
your network.

Hope this helps,

Omar Herrera
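The two points made in the reply above (a baseline profiled during a quiet window produces false positives once the servers get busy, and a network-level (IP, port) profile still spots a worm spraying one port across many hosts) can be reproduced with a small toy detector. The following is an added example and is not code from the original post or from the SPADE plugin; it is only loosely in the spirit of SPADE's tables of (destination IP, destination port) pairs. The traffic records, the add-one smoothing, the 4-bit threshold and the "5 distinct targets" worm heuristic are all assumptions chosen for illustration.

```python
"""Toy SPADE-style anomaly scorer over constructed flow records.

Added example, not part of the original post or the SPADE plugin. It learns
a table of (dst_ip, dst_port) pairs from a training window and scores new
flows by how improbable the pair is, in bits (-log2 P). All addresses and
flows below are constructed for illustration, not captured traffic.
"""
from collections import Counter, defaultdict
from math import log2


def _clients(n, first=1):
    """Constructed internal client addresses 10.0.1.<first> upwards."""
    return ["10.0.1.%d" % (first + i % 200) for i in range(n)]


# Training windows: records are (src_ip, dst_ip, dst_port).
# Daytime: web (80), mail (25) and DNS (53) servers are all busy.
DAYTIME_BASELINE = (
    [(c, "10.0.0.5", 80) for c in _clients(40)]
    + [(c, "10.0.0.6", 25) for c in _clients(20)]
    + [(c, "10.0.0.2", 53) for c in _clients(60)]
)
# Night: only background DNS chatter; the web and mail servers are idle.
NIGHT_BASELINE = [(c, "10.0.0.2", 53) for c in _clients(40)]

# Next-morning traffic: ordinary use, one stray telnet attempt from an
# outside (documentation-range) address, and one internal host probing
# port 445 on eight neighbours, the pattern a propagating worm leaves.
MORNING_TRAFFIC = (
    [(c, "10.0.0.5", 80) for c in _clients(3)]
    + [(c, "10.0.0.6", 25) for c in _clients(2, first=4)]
    + [(c, "10.0.0.2", 53) for c in _clients(2, first=6)]
    + [("192.0.2.10", "10.0.0.5", 23)]
    + [("10.0.1.7", "10.0.0.%d" % h, 445) for h in range(10, 18)]
)


class PortIpAnomalyDetector:
    """Scores a flow by -log2 P(dst_ip, dst_port) estimated from training
    traffic. Add-one smoothing keeps the score finite for pairs never seen
    in training: they get roughly log2(training sample size) bits, so a
    small or unrepresentative baseline makes everything look surprising."""

    def __init__(self, threshold_bits=4.0):
        self.threshold_bits = threshold_bits  # assumed alert threshold
        self.counts = Counter()
        self.total = 0

    def train(self, flows):
        for _src, dst, port in flows:
            self.counts[(dst, port)] += 1
            self.total += 1

    def score(self, flow):
        _src, dst, port = flow
        p = (self.counts[(dst, port)] + 1) / (self.total + 1)
        return -log2(p)

    def alerts(self, flows):
        return [f for f in flows if self.score(f) >= self.threshold_bits]


def worm_like_sources(flows, min_targets=5):
    """Network-level propagation check that needs no payload inspection:
    one source opening the same port on many distinct destinations."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[(src, port)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items()
            if len(hosts) >= min_targets}


def compare_profiles(threshold_bits=4.0):
    """Train one detector per window and count alerts on the same morning
    traffic. The daytime profile alerts only on the telnet attempt and the
    eight 445 probes; the night profile also flags every web and mail hit."""
    result = {}
    for name, baseline in (("daytime", DAYTIME_BASELINE),
                           ("night", NIGHT_BASELINE)):
        det = PortIpAnomalyDetector(threshold_bits)
        det.train(baseline)
        result[name] = len(det.alerts(MORNING_TRAFFIC))
    return result


if __name__ == "__main__":
    print(compare_profiles())                 # {'daytime': 9, 'night': 14}
    print(worm_like_sources(MORNING_TRAFFIC))  # {('10.0.1.7', 445): 8}
```

With the daytime baseline, normal web, mail and DNS flows score between about 1 and 2.5 bits and stay below the threshold, while the unseen telnet and port 445 pairs score about 6.9 bits. With the night baseline, the web and mail servers were never seen, so every legitimate hit on them scores about 5.4 bits and fires, which is the false-positive burst the reply warns about. The worm check works under either profile because it looks at fan-out per (source, port) rather than at the learned table.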
