IDS: Re: anomaly IDS ideas ?

Re: anomaly IDS ideas ?

From: Stefano Zanero <zanero_at_elet.polimi.it>
Date: Fri, 03 Feb 2006 21:39:38 +0100

the_aok_at_yahoo.com wrote:

> found little on that subject

There are hundreds of papers on that topic; I kindly advise that you
search the usual engines a bit better :)

What you are describing is a general and vague concept of a learning
algorithm which tries to find outliers on network traffic. A nice
concept, but you really should work out the details a bit more :)

> anomalies happen(network data will be compared to the database built in
> the first stage),

How? This is one of the deepest questions in unsupervised learning :)

> 1-information about each hostname,IP address,and MAC address.

This is something any tool for arpspoofing detection already does...

> 2-ports open on each host and ports that each host connects to. The IDS
> should issue an alert if the host opens a port which wasn't open before
> or tries to connect to a new port;

You should check Marcus Ranum's ideas on this subject, and also the Arbor
Networks products follow similar patterns.

But this is really "old news" in research terms.

> 3-times each host uses the network and which usernames it uses to
> connect to network resources; this should enable the IDS to detect if
> someone else is using the computer or using a different username.

This is not an indication of an attack, actually.

Best regards and good luck,
Stefano Zanero
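The second point in the quoted proposal (learn which ports each host serves and which ports it connects out to, then alert on anything new) is concrete enough to sketch. The following is an added illustration written for this archive page; it is not code from the original poster, from Stefano Zanero, or from any product named in the thread. It assumes flow records already oriented client-to-server (dst_ip:dst_port is the side that accepted the connection), a known set of internal hosts, and a clean learning phase; the flow records themselves are constructed sample data. It also shows the practical wrinkle Zanero's "How?" points at: one new connection produces an alert on both ends, and an unknown port is only an anomaly, not evidence of an attack.

```python
"""Per-host port baseline: learn from traffic, then alert on ports never seen before.

Added example, not part of the original mailing-list post. Flow records and the
learn/detect split are constructed for illustration.
"""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    # Assumption: records are oriented so dst_ip:dst_port is the listening side.
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


Alert = Tuple[str, str, int, str]  # (kind, host, port, proto)


class PortBaseline:
    def __init__(self, internal: Set[str]) -> None:
        self.internal = internal
        self.listening = defaultdict(set)  # host -> {(port, proto)} it has served
        self.outbound = defaultdict(set)   # host -> {(port, proto)} it has connected to

    def observe(self, f: Flow) -> None:
        """Record one flow into the baseline (only for internal hosts)."""
        key = (f.dst_port, f.proto)
        if f.dst_ip in self.internal:
            self.listening[f.dst_ip].add(key)
        if f.src_ip in self.internal:
            self.outbound[f.src_ip].add(key)

    def learn(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.observe(f)

    def detect(self, flows: Iterable[Flow]) -> List[Alert]:
        """Return alerts for ports outside the baseline; the baseline is not updated,
        so an operator decides whether a new port is legitimate before accepting it."""
        alerts: List[Alert] = []
        reported: Set[Alert] = set()  # suppress repeats of the same (host, port) within a batch
        for f in flows:
            key = (f.dst_port, f.proto)
            candidates: List[Alert] = []
            if f.dst_ip in self.internal and key not in self.listening[f.dst_ip]:
                candidates.append(("new-listening-port", f.dst_ip, f.dst_port, f.proto))
            if f.src_ip in self.internal and key not in self.outbound[f.src_ip]:
                candidates.append(("new-outbound-port", f.src_ip, f.dst_port, f.proto))
            for a in candidates:
                if a not in reported:
                    reported.add(a)
                    alerts.append(a)
        return alerts


# Constructed sample data: a small internal network during the learning phase.
INTERNAL = {"10.0.0.5", "10.0.0.6", "10.0.0.10", "10.0.0.20"}
LEARN_FLOWS = [
    Flow("10.0.0.5", 51000, "10.0.0.10", 22, "tcp"),        # admin box -> ssh server
    Flow("10.0.0.5", 51001, "93.184.216.34", 443, "tcp"),    # admin box -> external https
    Flow("10.0.0.10", 43000, "10.0.0.20", 53, "udp"),        # server -> internal dns
    Flow("10.0.0.6", 52000, "10.0.0.10", 80, "tcp"),         # workstation -> web server
]
# Constructed detection-phase traffic.
TEST_FLOWS = [
    Flow("10.0.0.5", 51002, "10.0.0.10", 22, "tcp"),        # known: no alert
    Flow("10.0.0.6", 52001, "10.0.0.10", 4444, "tcp"),      # server now accepting 4444: alerts on both ends
    Flow("10.0.0.5", 51003, "203.0.113.9", 6667, "tcp"),    # new outbound port from admin box
    Flow("10.0.0.5", 51004, "203.0.113.9", 6667, "tcp"),    # same again: suppressed
]


def run_example() -> List[Alert]:
    baseline = PortBaseline(INTERNAL)
    baseline.learn(LEARN_FLOWS)
    return baseline.detect(TEST_FLOWS)


if __name__ == "__main__":
    for kind, host, port, proto in run_example():
        print(f"{kind}: {host} port {port}/{proto}")
```

Two design choices worth noting. The external host 203.0.113.9 never gets a "new-listening-port" alert because only internal hosts are baselined; without that filter every new external destination would double the alert volume. And `detect` deliberately does not fold new observations into the baseline, because a self-updating baseline learns whatever the host does next, legitimate or not.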

Received on Feb 07 2006
