IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Specification-based Anomaly Detection

From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Tue, 18 Jan 2005 15:21:11 -0800
I don't see it as being fussy, I see it as being a clear and
serious gap in the awareness of the history of intrusion detection.
Whenever I talk to vendors or researchers (on any topic) I expect
them to know at least as much about their product space as I do
(I'm a generalist, if I know it, a specialist damn well better).

I don't know about anyone else, but I'm sick of seeing ideas that
have been around for 20 years touted as "ground breaking!" or 
"revolutionary!".

t 


-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] 
Sent: Monday, January 17, 2005 7:47 AM
To: Stefano Zanero; Kohlenberg, Toby
Cc: Ofer Shezaf; focus-ids () lists securityfocus com
Subject: RE: Specification-based Anomaly Detection

Don't be so fussy! I agree with Stefano, the big IDS 
trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just 
started offering a little bit of real anomaly detection (using 
AI instead of signatures!), even if we know that network 
anomaly detection is almost 15 years old in the research 
comunity (I think the first was NADIR (Network Anomaly 
Detector and Intrusion Reporter, of Los Alamos National 
Laboratory in 1990).

__________________________________________________
MONDRAGON UNIBERTSITATEA
Urko Zurutuza
Dpto. Informática
Loramendi 4 - Aptdo.23
20500 Arrasate-Modragon
Tel. +34 943 739636 // +34 943 794700 Ext.297
www.eps.mondragon.edu
uzurutuza () eps mondragon edu




-----Mensaje original-----
De: Stefano Zanero [mailto:zanero () elet polimi it] 
Enviado el: jueves, 13 de enero de 2005 21:14
Para: Kohlenberg, Toby
CC: Ofer Shezaf; focus-ids () lists securityfocus com
Asunto: Re: Specification-based Anomaly Detection

Kohlenberg, Toby wrote:


- and that anomaly detection (in particular techniques 

which are not

rate-based) is a relative "newcomer" in the COMMERCIAL field of 
intrusion detection, where most of the products are built 

on a misuse 

detection approach.


Really? What would you call CMDS? Which was a commercial 

system that 

used anomaly detection by building user profiles and was available 
from ODS in the mid-90s?


My omission here: I meant NETWORK intrusion detection, as we 
were talking about NIDS in those posts. Commercial anomaly 
detection systems exist.

--
Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione Via 
Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-3660
Fax.    +39 02 2399-3411
E-mail: zanero () elet polimi it
Web:    www.elet.polimi.it/upload/zanero

--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------
------------




---------------------------------------------------------------
-----------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
---------------------------------------------------------------
-----------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: