IDS mailing list archives

Re: Kernel Service Profile IDS (request for comments)


From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 16 May 2008 17:40:51 +0200

Steffen Wendzel wrote:
> Hi,
>
> I just want to announce a small paper I wrote about fuzzy user profile IDS
> and kernel side IDS. You can find it here:

So, if this were a real paper submitted to a real conference, my review would schematically go as follows:

1) measuring user interaction on the execution of binaries made sense in 1980. Nowadays with single-user, multipurpose machines it makes less and less sense every day

2) sequences of executed programs are an insufficient data source, as demonstrated in various mimicry attack works in the past. Google is your friend

3) sequences of executed programs have been beaten to death by a huge number of papers, so nothing really new to be done in the area

4) using a feed-forward network for recognizing outliers in that stuff is arguably the wrong way to do it

5) you should not reference your own unrefereed work

6) you should not, in particular, reference work as in 5) written in German

7) you don't perform any sort of evaluation of this stuff, at least in any language I can understand.

8) what is fuzzy about this thing, except the way it's described?

You really may wish to reconsider this publication. No, really.

Sorry if this comes as harsh but... yeah, it's harsh.

--
Cordiali saluti,
Stefano Zanero

Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel.    +39 02 2399-4017
Fax.    +39 02 2399-3411
E-mail: zanero () elet polimi it
Web:    http://home.dei.polimi.it/zanero/
