IDS mailing list archives

Re: Snort with an expert system


From: Tomas Olsson <tol () sics se>
Date: Tue, 30 Jun 2009 15:23:08 +0200

So, after the previous discussion, I have the following questions:

* Would the following setup be useful (interesting enough to be used)?
(a) a set of sensors reporting "interesting" events from traffic and from hosts (e.g. from NIDS, HIDS, etc.), and then
(b) we use an anomaly detector to detect unusual patterns in these events;
(c) to make it completely useful, we must contextualize the alerts, but that is kind of a next step.

* Would a third step be interesting?
(d) assess the probability that the unusual pattern is an attack, based on previous classifications

* Richard suggests that an IDS should have been called an "Attack Indication System" instead. However, to test such a system, wouldn't we still need to be able to see how many real attacks it can detect, so it would still be tested as an IDS?


/Tomas



