IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Adam Powers <apowers () lancope com>
Date: Wed, 19 Jan 2005 23:43:11 -0500
I tend to agree that claming something as "ground breaking" or "revolutionary" is irritating beyond all belief. Reminds me of every press release from every technology vendor you'll ever read which almost always starts with "Company X, the *leader* in product sector Y, today announced..." even when they really aren't leading anything. Funny stuff. Anyway, where you and I perhaps diverge is on the topic of actual implementation. Sure, lots of people have "ideas". "Ideas" have been around since the damn of mankind... The real winners are oft those that not only have ideas, but also translate those ideas (or the ideas of others) into working solutions. As anomaly detection technologies go, few (if any) companies have actually delivered on any of these age old "ideas". Those that have (Lancope, Arbor, Q1Labs) perhaps shouldn't claim to be revolutionary but rather dramatically evolutionary. -Adam On 1/18/05 6:21 PM, "Kohlenberg, Toby" <toby.kohlenberg () intel com> wrote:
I don't see it as being fussy, I see it as being a clear and serious gap in the awareness of the history of intrusion detection. Whenever I talk to vendors or researchers (on any topic) I expect them to know at least as much about their product space as I do (I'm a generalist, if I know it, a specialist damn well better). I don't know about anyone else, but I'm sick of seeing ideas that have been around for 20 years touted as "ground breaking!" or "revolutionary!". t-----Original Message----- From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] Sent: Monday, January 17, 2005 7:47 AM To: Stefano Zanero; Kohlenberg, Toby Cc: Ofer Shezaf; focus-ids () lists securityfocus com Subject: RE: Specification-based Anomaly Detection Don't be so fussy! I agree with Stefano, the big IDS trademarks as Cisco, ISS, NFR, Intrusion or Dragon have just started offering a little bit of real anomaly detection (using AI instead of signatures!), even if we know that network anomaly detection is almost 15 years old in the research comunity (I think the first was NADIR (Network Anomaly Detector and Intrusion Reporter, of Los Alamos National Laboratory in 1990). __________________________________________________ MONDRAGON UNIBERTSITATEA Urko Zurutuza Dpto. Informática Loramendi 4 - Aptdo.23 20500 Arrasate-Modragon Tel. +34 943 739636 // +34 943 794700 Ext.297 www.eps.mondragon.edu uzurutuza () eps mondragon edu-----Mensaje original----- De: Stefano Zanero [mailto:zanero () elet polimi it] Enviado el: jueves, 13 de enero de 2005 21:14 Para: Kohlenberg, Toby CC: Ofer Shezaf; focus-ids () lists securityfocus com Asunto: Re: Specification-based Anomaly Detection Kohlenberg, Toby wrote:- and that anomaly detection (in particular techniqueswhich are notrate-based) is a relative "newcomer" in the COMMERCIAL field of intrusion detection, where most of the products are builton a misusedetection approach.Really? What would you call CMDS? Which was a commercialsystem thatused anomaly detection by building user profiles and was available from ODS in the mid-90s?My omission here: I meant NETWORK intrusion detection, as we were talking about NIDS in those posts. Commercial anomaly detection systems exist. -- Cordiali saluti, Stefano Zanero Dottorando di Ricerca / Ph.D. Student Politecnico di Milano - Dip. Elettronica e Informazione Via Ponzio, 34/5 I-20133 Milano - ITALY Tel. +39 02 2399-3660 Fax. +39 02 2399-3411 E-mail: zanero () elet polimi it Web: www.elet.polimi.it/upload/zanero -------------------------------------------------------------- ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------- --------------------------------------------------------------------------- ----------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------- ------------------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
-- Adam Powers Senior Security Engineer Advanced Technology Group c. 678.725.1028 o. 770.225.6521 f. 770.225.6501 e. apowers () lancope com AOL IM: adampowers22 StealthWatch by Lancope - Security through network intelligence -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Specification-based Anomaly Detection, (continued)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- RE: Specification-based Anomaly Detection (infor) urko zurutuza (Jan 19)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 20)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- Re: Specification-based Anomaly Detection Dragos Ruiu (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 24)
- Re: Specification-based Anomaly Detection Adam Powers (Jan 23)
- RE: Specification-based Anomaly Detection Drew Simonis (Jan 23)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 23)