RE: Current state of Anomaly-based Intrusion Detection

[<security.feeds () deepzone org>]

Hi Göran,

I would suggest considering the use of honeypots/honeynets/honeytokens as a
practical approach to anomaly detection. It would also be useful as a
complementary system to check against to and an interesting way of managing
the strengths and weaknesses of each other.

Carlos Veira Lorenzo
----------------------------------------------------------
cveira [at] deepzone.org
----------------------------------------------------------
dotpi.com Information Technologies S.L. - www.dotpi.com
DeepZone Digital Security               - www.deepzone.org
----------------------------------------------------------

-----Original Message-----
From: Göran Sandahl [mailto:goran () gsandahl net] 
Sent: sábado, 26 de febrero de 2005 1:05
To: focus-ids () lists securityfocus com
Subject: Current state of Anomaly-based Intrusion Detection

Hi all.

I'm trying to get a picture of the current state of Anomaly-based
network-monitoring-systems. In other words, Anomaly-based IDSs (are they
really called ADSs?). 
After following the thread "Specification-based Anomaly Detection", I've
realised that this question probably has allot of answers. However, I'd be
very glad if you would take the time and write a couple of lines on what you
think of the techniques that are used today, and whats needed for the
future. 
I'm interested in "both sides of the story", so please tense your muscles
and raise your voice ;)

As i figured, there are two different techniques that these systems work
upon. 
Either, they are based on specifications (for example, hardcoded 200kb/s
SMTP-traffic is normal) , or on statistic (Based on an "average". For
example, 20 current TCP-sessions is normal). How does these techniques
really work? How are they implemented today? How is this statistical
information usually gathered? 

Also, signature-based IDSs are vulnerable to false alerts of different kinds
(postitive, negative etc). I can imagine that anomaly-based techniques might
suffer even worse to this. True?

And finally, while "reading through the lines" on some of the posts to the
thread mentioned above, I got a feeling that this technique isn't yet ready
for prime-time yet. Why is this? As I figure, the whole idea with network
intrusion detection is pretty new, and none of the techniques seems to be
without flaws.

Thanks in advance
Cheers
Göran

--
Göran Sandahl
mail:        goran () gsandahl net
web:         http://gsandahl.net

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------