IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 20 Jan 2005 22:05:42 +0100
Kohlenberg, Toby wrote:
Right, I got that. But so long as you aren't encrypting the traffic, I can dissect it. I won't always get the fragmentation right but I can probably figure out the application if I look.
You will. That's my point, actually, you can do anomaly detection without knowing in advance which traffic matches to which app ;)
That's something that the algorithm we have developed can recognize ;)Yes, but not by looking at IP/port pairs. You'll need more detail than that.
You don't need that (it would be too easy ;). You just need the packet payloads, most of times.
-- Cordiali saluti, Stefano Zanero Dottorando di Ricerca / Ph.D. Student Politecnico di Milano - Dip. Elettronica e Informazione Via Ponzio, 34/5 I-20133 Milano - ITALY Tel. +39 02 2399-3660 Fax. +39 02 2399-3411 E-mail: zanero () elet polimi it Web: www.elet.polimi.it/upload/zanero -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Re: Specification-based Anomaly Detection, (continued)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 08)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 10)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- Re: Specification-based Anomaly Detection Dragos Ruiu (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
- RE: Specification-based Anomaly Detection Drew Simonis (Jan 23)