IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Specification-based Anomaly Detection

From: Thomas Ptacek <tqbf () arbor net>
Date: Wed, 5 Jan 2005 09:58:59 -0500
A bunch of products do this. Their vendors listen on the list and they'll chime in shortly. 

However, ask yourself whether this is really a good idea.
What makes you think that information about supposed RFC violations on your network will be actionable? Most people don't find information about supposed malicious traffic to be genuinely actionable. I'm not aware of any evidence, not even anecdotal, of new vulnerabilities being discovered by anomaly detection systems of any stripe.
And I'm saying this while associated with the industry leader in anomaly detection.
There are things anomaly techniques are very well suited for. Worms, policy violations, DoS attacks, and in particular attack mitigation. Replacing signature IDS is not one of those things. 

On Jan 3, 2005, at 12:59 PM, Roberto Perdisci wrote:


some techniques, e.g. Finite State Automaton, to find out anomalies
during a client-server command/respose session (e.g. FTP, HTTP, SMTP,
etc...). The FSA, or conceptually equivalent models, should be
implemented following the protocol specifications (RFC) and it would


---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: