IDS
mailing list archives
Re: anomaly IDS ideas ?
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 03 Feb 2006 21:39:38 +0100
the_aok () yahoo com wrote:
> found little on that subject
There are hundreds of papers on that topic; I kindly advise that you
search the usual engines a bit better :)
What you are describing is a general and vague concept of a learning
algorithm which tries to find outliers on network traffic. A nice
concept, but you really should work out the details a bit more :)
> anomalies happen (network data will be compared to the database built in
> the first stage),
How? This is one of the deepest questions in unsupervised learning :)
> 1- information about each hostname, IP address, and MAC address.
This is something any tool for arpspoofing detection already does...
> 2- ports open on each host and ports that each host connects to. The IDS
> should issue an alert if the host opens a port which wasn't open before
> or tries to connect to a new port;
You should check Marcus Ranum's ideas on this subject, and also the Arbor
Networks products follow similar patterns.
But this is really "old news" in research terms.
> 3- times each host uses the network and which usernames it uses to
> connect to network resources; this should enable the IDS to detect if
> someone else is using the computer or using a different username.
This is not an indication of an attack, actually.
Best regards and good luck,
Stefano Zanero
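Items 1 and 2 of the quoted proposal describe a two-phase profiler: learn a baseline of IP-to-MAC bindings and per-host port usage, then alert on anything outside it. The block below is an added example of that approach (it is not code from this thread, from Stefano Zanero, or from any product mentioned above). All hosts, addresses, MACs and the traffic records are constructed for illustration; the `HostProfiler` class and helper names are the example's own.

```python
"""Baseline-then-compare host profiler (added example, not from the thread).

Learning phase: per host, record the MAC it answers from, the ports it accepts
connections on, and the remote ports it initiates connections to.
Detection phase: flag a changed MAC, an unknown host, a host accepting on a port
not in its baseline, or a host connecting to a port it never used before.
"""
from collections import defaultdict


class HostProfiler:
    def __init__(self):
        self.mac_of = {}                     # ip -> MAC seen during learning
        self.listens = defaultdict(set)      # ip -> ports it accepted connections on
        self.connects_to = defaultdict(set)  # ip -> remote ports it initiated to
        self.learning = True

    def _check_mac(self, ip, mac, alerts):
        known = self.mac_of.get(ip)
        if known is None:
            if self.learning:
                self.mac_of[ip] = mac
            else:
                alerts.append(f"new host {ip} ({mac}) not seen during learning")
        elif known != mac:
            # Same IP, different hardware address: the classic arp-spoof indicator
            alerts.append(f"{ip} now answers from {mac}, baseline was {known}")

    def observe(self, src_ip, src_mac, dst_ip, dst_mac, dst_port):
        """One connection src -> dst:dst_port. Returns the list of alerts it raised."""
        alerts = []
        self._check_mac(src_ip, src_mac, alerts)
        self._check_mac(dst_ip, dst_mac, alerts)
        if self.learning:
            self.listens[dst_ip].add(dst_port)
            self.connects_to[src_ip].add(dst_port)
        else:
            # .get() so detection never grows the baseline as a side effect
            if dst_port not in self.listens.get(dst_ip, set()):
                alerts.append(f"{dst_ip} accepting on port {dst_port}, not in baseline")
            if dst_port not in self.connects_to.get(src_ip, set()):
                alerts.append(f"{src_ip} connecting to port {dst_port}, never seen in baseline")
        return alerts

    def finish_learning(self):
        self.learning = False


# Constructed sample traffic: (src_ip, src_mac, dst_ip, dst_mac, dst_port)
LEARNING_TRAFFIC = [
    ("10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.10", "aa:aa:aa:aa:aa:10", 80),
    ("10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.10", "aa:aa:aa:aa:aa:10", 443),
    ("10.0.0.6", "aa:aa:aa:aa:aa:06", "10.0.0.10", "aa:aa:aa:aa:aa:10", 80),
    ("10.0.0.6", "aa:aa:aa:aa:aa:06", "10.0.0.11", "aa:aa:aa:aa:aa:11", 22),
]
DETECTION_TRAFFIC = [
    # matches baseline: no alert expected
    ("10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.10", "aa:aa:aa:aa:aa:10", 80),
    # .11 never accepted on 3389 and .5 never connected to 3389: two alerts
    ("10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.11", "aa:aa:aa:aa:aa:11", 3389),
    # .10 answering from a different MAC than the baseline: one alert
    ("10.0.0.6", "aa:aa:aa:aa:aa:06", "10.0.0.10", "bb:bb:bb:bb:bb:99", 80),
]


def build_baseline(traffic):
    profiler = HostProfiler()
    for obs in traffic:
        profiler.observe(*obs)
    profiler.finish_learning()
    return profiler


def run_detection(profiler, traffic):
    """Returns (observation index, alert text) pairs for every alert raised."""
    findings = []
    for i, obs in enumerate(traffic):
        for alert in profiler.observe(*obs):
            findings.append((i, alert))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_TRAFFIC)
    for idx, text in run_detection(baseline, DETECTION_TRAFFIC):
        print(f"observation {idx}: {text}")
```

The design choice worth noticing is the one Stefano points at: whatever happens during the learning window becomes "normal", and anything else becomes an alert. A legitimate service change on one host produces the same two alerts as the 3389 record above, so in practice the baseline needs either a review step before `finish_learning()` or a way to accept a new port into the profile rather than alerting on it forever.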