IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Thomas Ptacek <tqbf () arbor net>
Date: Wed, 5 Jan 2005 09:58:59 -0500
A bunch of products do this. Their vendors listen on the list and they'll chime in shortly.
However, ask yourself whether this is really a good idea.What makes you think that information about supposed RFC violations on your network will be actionable? Most people don't find information about supposed malicious traffic to be genuinely actionable. I'm not aware of any evidence, not even anecdotal, of new vulnerabilities being discovered by anomaly detection systems of any stripe.
And I'm saying this while associated with the industry leader in anomaly detection.
There are things anomaly techniques are very well suited for. Worms, policy violations, DoS attacks, and in particular attack mitigation. Replacing signature IDS is not one of those things.
On Jan 3, 2005, at 12:59 PM, Roberto Perdisci wrote:
some techniques, e.g. Finite State Automaton, to find out anomalies during a client-server command/respose session (e.g. FTP, HTTP, SMTP, etc...). The FSA, or conceptually equivalent models, should be implemented following the protocol specifications (RFC) and it would
--- Thomas H. Ptacek // Product Manager, Arbor Networks (734) 327-0000 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Specification-based Anomaly Detection Roberto Perdisci (Jan 03)
- Re: Specification-based Anomaly Detection Ravi Kumar (Jan 04)
- Re: Specification-based Anomaly Detection Thomas Ptacek (Jan 06)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 08)
- <Possible follow-ups>
- RE: Specification-based Anomaly Detection Ofer Shezaf (Jan 10)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- Re: Specification-based Anomaly Detection David Barroso (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 10)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 12)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 12)
- RE: Specification-based Anomaly Detection Kohlenberg, Toby (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 17)
- Re: Specification-based Anomaly Detection Stefano Zanero (Jan 23)
(Thread continues...)