IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 14 Jan 2005 12:04:34 +0100
Ofer Shezaf wrote:

> Stefano writes that a host and a port define a listening application and

Well, it's not me, it's the RFC definition of what a socket is :) "A socket is defined to be the unique identification to or from which information is transmitted in the network. The socket is specified as a 32bit number... A socket is also identified by the host in which the sending or receiving processer is located."

1971 vintage ;)

> then you carry on about detecting an application automatically.

Something countless papers have been written on.

> In some ways this is more similar to HIDS than to NIDS

I would be tempted to define it as a host-based IDS, in fact.

> more commonly used in IDS that we learn the protocol. As the protocol is defined by the specific programmer at the organization building the web site, learning it and validating that users are in conformance provides a layer of security that I'm not sure should be called abnormal behavior detection in the common IDS terminology.

That's exactly what anomaly detection is :-) There's an interesting paper by Vigna and Kruegel on the specific theme of web application anomaly detection that you might find worth a read.
Stefano
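As an added example (not code from this thread, nor Kruegel and Vigna's own implementation), here is a small Python sketch of the idea discussed above: learning the site-specific "protocol" of a web application and validating that requests conform to it. It learns, per endpoint, which parameter sets occur, each parameter's value-length distribution (scored with a Chebyshev bound, as the cited paper does for attribute length) and the characters each parameter has used, then reports deviations. The endpoint, parameter names and training requests are constructed for illustration.

```python
import statistics
from urllib.parse import parse_qsl, urlsplit

# Constructed training requests for one endpoint (sample data, not real logs).
TRAINING = ["/search?q=firewall&page=1", "/search?q=anomaly+detection&page=2",
            "/search?q=ids&page=1", "/search?q=snort+rules&page=3",
            "/search?q=honeypot&page=1", "/search?q=kernel&page=2"]

def parse(request_line):
    parts = urlsplit(request_line)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def learn(requests):
    """Per path: parameter sets seen, value lengths and characters per parameter."""
    model = {}
    for r in requests:
        path, params = parse(r)
        prof = model.setdefault(path, {"names": set(), "len": {}, "chars": {}})
        prof["names"].add(frozenset(n for n, _ in params))
        for name, value in params:
            prof["len"].setdefault(name, []).append(len(value))
            prof["chars"].setdefault(name, set()).update(value)
    return model

def length_prob(values, observed):
    """Chebyshev bound on P(|X - mean| >= |observed - mean|); 1.0 = typical, 0.0 = never seen."""
    mean, var = statistics.mean(values), statistics.pvariance(values)
    diff = abs(observed - mean)
    return 1.0 if diff == 0 else (0.0 if var == 0 else min(1.0, var / diff ** 2))

def check(model, request_line, threshold=0.1):
    """Return findings for one request; an empty list means it conforms."""
    path, params = parse(request_line)
    if path not in model:
        return [f"unknown path {path}"]
    prof = model[path]
    findings = []
    if frozenset(n for n, _ in params) not in prof["names"]:
        findings.append("unexpected parameter set")
    for name, value in params:
        if name not in prof["len"]:
            continue  # already covered by the parameter-set finding
        p = length_prob(prof["len"][name], len(value))
        if p < threshold:
            findings.append(f"{name}: length {len(value)} unlikely (p={p:.3f})")
        unseen = set(value) - prof["chars"][name]
        if unseen:
            findings.append(f"{name}: unseen characters {sorted(unseen)}")
    return findings
```

In practice the profiles would be learned from a clean training period and the threshold tuned per parameter; a request matching the learned shape yields no findings, while a new parameter, an unusually long value or characters never seen for that field each produce one.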