Intrusion Detection Systems mailing list archives

Re: Anomaly detection [was Re: Assessment tools/Scanners]


From: dugsong () monkey org (Dug Song)
Date: Tue, 12 Oct 1999 13:52:39 -0400 (EDT)



On Tue, 12 Oct 1999, Stuart Staniford-Chen wrote:

> One comment that caught my eye: you misclassify IDIOT as a system
> based on machine learning.  If I recall correctly, IDIOT is basically
> a rule based system... the petri-net patterns are all written by a
> human, and not inferred from data by the machine...

ach, you're right. it's been a long time since i looked at IDIOT, and i
misremembered it as actually having implemented predictive pattern
generation - but it's much simpler than that.

> We only disagree terminologically... It seems useful to distinguish
> the "machine learning" type of anomaly detection from the "human
> specification" type of anomaly detection.

sure. but they're still both anomaly detection, no? :-)

the terminology in this area can be confusing. i've also seen "equality
matching" used as a synonym for "specification-based" ID, etc.

> http://seclab.cs.ucdavis.edu/papers/pdfs/ck-mr-kl-97.pdf

thanks for the reference!

-d.

http://www.monkey.org/~dugsong/
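The distinction the two posters are circling (a "human specification" detector whose patterns are written by a person, versus a "machine learning" detector whose model of normal is inferred from data) is easiest to see side by side. The following is an added illustration, not code from the thread, from IDIOT, or from the paper linked above. It runs both flavours over constructed syscall-name traces: a hand-written sequential pattern ("setuid followed by execve") stands in for a petri-net style specification, and a bag of n-grams collected from normal traces stands in for a learned profile. The traces, the pattern and the n=2 window are all assumptions chosen for the example.

```python
"""Specification-based vs. learned-profile detection over syscall traces.

Added example (not from the mailing-list thread or any cited system).
All traces below are constructed for illustration.
"""

from typing import Iterable, List, Sequence, Set, Tuple

# Constructed "normal" traces: per-process sequences of syscall names.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "close", "open", "read", "close"],
    ["open", "read", "write", "close"],
    ["stat", "open", "read", "close"],
]

# Constructed trace containing the privilege-change-then-exec sequence.
SUSPECT_TRACE: List[str] = ["open", "read", "setuid", "execve"]

# Constructed trace that is benign but was never seen during training.
NOVEL_BENIGN_TRACE: List[str] = ["open", "write", "close"]


# --- 1. Human-specified pattern -------------------------------------------
# A human wrote this pattern; nothing is inferred from data.  A tiny
# sequential matcher stands in for a petri-net style transition pattern:
# "setuid" must occur, and "execve" must occur at some later point.
SPEC_PATTERN: Tuple[str, ...] = ("setuid", "execve")


def spec_detect(trace: Sequence[str],
                pattern: Tuple[str, ...] = SPEC_PATTERN) -> int:
    """Return the index of the event that completes `pattern`, or -1.

    Only the declared pattern fires; anything else is silently accepted,
    however unusual it is.
    """
    state = 0
    for i, ev in enumerate(trace):
        if ev == pattern[state]:
            state += 1
            if state == len(pattern):
                return i
    return -1


# --- 2. Profile inferred from data ----------------------------------------
class NGramProfile:
    """Model of 'normal' = the set of length-n windows seen in training.

    No human writes a pattern; the profile is whatever the training data
    contained, so previously unseen benign behaviour is flagged too.
    """

    def __init__(self, n: int = 2) -> None:
        self.n = n
        self.seen: Set[Tuple[str, ...]] = set()

    def _ngrams(self, trace: Sequence[str]) -> Iterable[Tuple[str, ...]]:
        for i in range(len(trace) - self.n + 1):
            yield tuple(trace[i:i + self.n])

    def train(self, traces: Iterable[Sequence[str]]) -> None:
        for t in traces:
            self.seen.update(self._ngrams(t))

    def anomalies(self, trace: Sequence[str]) -> List[Tuple[str, ...]]:
        """Windows of `trace` absent from the training profile."""
        return [g for g in self._ngrams(trace) if g not in self.seen]

    def score(self, trace: Sequence[str]) -> float:
        """Fraction of windows that are unseen; 0.0 means fully 'normal'."""
        grams = list(self._ngrams(trace))
        if not grams:
            return 0.0
        return sum(1 for g in grams if g not in self.seen) / len(grams)


def build_profile(n: int = 2) -> NGramProfile:
    """Train a profile on the constructed normal traces."""
    profile = NGramProfile(n)
    profile.train(NORMAL_TRACES)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for name, trace in (("suspect", SUSPECT_TRACE),
                        ("novel-benign", NOVEL_BENIGN_TRACE)):
        print(name, "spec hit at:", spec_detect(trace),
              "| learned anomalies:", profile.anomalies(trace),
              "| score:", round(profile.score(trace), 3))
```

The two detectors agree on the suspect trace but disagree on the novel benign one: the specification fires only on the sequence a human declared bad, while the learned profile flags every window it did not see in training, which is exactly the trade-off (no false positives on unforeseen-but-benign behaviour versus no coverage of attacks nobody wrote a pattern for) that makes the terminology worth keeping separate.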


