Intrusion Detection Systems mailing list archives
Re: Anomaly detection [was Re: Assessment tools/Scanners]
From: stuart () SiliconDefense com (Stuart Staniford-Chen)
Date: Tue, 12 Oct 1999 10:19:32 -0700
Dug Song wrote:
> On Mon, 11 Oct 1999, Stuart Staniford-Chen wrote:
> > I'm not sure that anomaly detection is all that great an idea to install on an end-system for practical real-world intrusion detection. A statistical anomaly detection system (which I assume is what you're talking about)
>
> shouldn't assume. :-)

Well, at least I made my assumption explicit :-)

> i was referring to anomaly detection as 'grep -v', as opposed to grep.
>
> re: the rest of what you said, see the previously posted-here:
>
> http://www.monkey.org/~dugsong/talks/ids/

I looked. One comment that caught my eye: you misclassify IDIOT as a system based on machine learning. If I recall correctly, IDIOT is basically a rule based system. It uses colored Petri nets as the basis for implementing the rules. Mostly, they are misuse type rules but there are some normal-specification type rules. But anyway, the Petri-net patterns are all written by a human, and not inferred from data by the machine (as in a machine learning approach).

> i don't consider 'specification-based ID' to be anything more than anomaly detection at its very simplest, and i'd appreciate any references you might have indicating otherwise (i've never seen the work you mention by Calvin Ko @ UC Davis, for instance)?

We only disagree terminologically. I was using "specification-based detection" for situations where a human specified what was normal and what wasn't, and "anomaly detection" for situations where the computer figured it out for itself by looking at examples of normal traffic. I agree with you that "grep -v" might sometimes be sensible to deploy :-). It seems useful to distinguish the "machine learning" type of anomaly detection from the "human specification" type of anomaly detection.

Ko's work can be found in, for example, C. Ko, M. Ruschitzka, and K. Levitt, "Execution Monitoring of Security-critical Programs in Distributed Systems: A Specification-based Approach," Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 134-144, found more easily at:

http://seclab.cs.ucdavis.edu/papers/pdfs/ck-mr-kl-97.pdf

Stuart.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
stuart () silicondefense com
(707) 822-4588
(707) 826-7571 (FAX)
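The distinction drawn in the message above (a human-written specification of "normal", versus a baseline the machine infers from examples) is easy to see side by side in code. The following is an added example, not code from the original thread or from any of the systems it mentions: a specification-based detector that flags everything outside a hand-written policy (the "grep -v" case), and a learned-baseline detector that flags anything rarer than what it saw during training. The process-execution log format, the hostnames-free records, the accounts, programs and the policy are all constructed for illustration.

```python
"""Specification-based vs. learned-baseline anomaly detection over constructed
process-execution records. Added example; the record format, accounts, programs
and policy below are invented for illustration."""

from collections import Counter
import re

# One record per process execution, in a constructed syslog-like format.
EXEC_RE = re.compile(r"^exec user=(?P<user>\S+) prog=(?P<prog>\S+) args=(?P<args>.*)$")


def parse_exec_line(line):
    """Split a constructed 'exec' record into its fields; reject anything else."""
    m = EXEC_RE.match(line)
    if not m:
        raise ValueError("unparseable record: %r" % line)
    return m.groupdict()


class SpecificationDetector:
    """'Normal' is written down by a human: which programs each account may run.
    Anything outside the spec is an anomaly, i.e. 'grep -v' against the policy."""

    def __init__(self, policy):
        self.policy = {user: frozenset(progs) for user, progs in policy.items()}

    def is_anomalous(self, rec):
        return rec["prog"] not in self.policy.get(rec["user"], frozenset())


class LearnedBaselineDetector:
    """'Normal' is inferred from data: count (user, program) pairs in a training
    window and flag pairs seen fewer than min_count times. Whatever the training
    window contained, including an attacker already present, becomes 'normal'."""

    def __init__(self, min_count=2):
        self.min_count = min_count
        self.counts = Counter()

    def fit(self, lines):
        for line in lines:
            rec = parse_exec_line(line)
            self.counts[(rec["user"], rec["prog"])] += 1
        return self

    def is_anomalous(self, rec):
        return self.counts[(rec["user"], rec["prog"])] < self.min_count


def flag(detector, lines):
    """Return the records a detector considers anomalous, in input order."""
    return [line for line in lines if detector.is_anomalous(parse_exec_line(line))]


# Constructed training window. The two '/bin/sh' records for www-data stand for
# an intrusion that was already under way when the baseline was collected.
TRAINING_LOG = (
    ["exec user=www-data prog=/usr/sbin/httpd args=-DFOREGROUND"] * 4
    + ["exec user=postfix prog=/usr/lib/postfix/smtpd args="] * 3
    + ["exec user=root prog=/usr/sbin/cron args="] * 3
    + ["exec user=root prog=/usr/sbin/logrotate args=/etc/logrotate.conf"] * 2
    + ["exec user=www-data prog=/bin/sh args=-c id"] * 2
)

# Constructed human-written specification of permitted behaviour.
POLICY = {
    "www-data": {"/usr/sbin/httpd"},
    "postfix": {"/usr/lib/postfix/smtpd"},
    "root": {"/usr/sbin/cron", "/usr/sbin/logrotate", "/sbin/fsck"},
}

# Constructed records to evaluate: one benign web hit, one web-server account
# spawning a shell, one rare but legitimate root maintenance action, one mail hit.
TEST_LOG = [
    "exec user=www-data prog=/usr/sbin/httpd args=-DFOREGROUND",
    "exec user=www-data prog=/bin/sh args=-c id",
    "exec user=root prog=/sbin/fsck args=-n /dev/sda1",
    "exec user=postfix prog=/usr/lib/postfix/smtpd args=",
]


def spec_alerts():
    return flag(SpecificationDetector(POLICY), TEST_LOG)


def learned_alerts(min_count=2):
    return flag(LearnedBaselineDetector(min_count).fit(TRAINING_LOG), TEST_LOG)


if __name__ == "__main__":
    print("specification-based:", spec_alerts())
    print("learned baseline:   ", learned_alerts())
```

Run as written, the specification-based detector flags only the web-server account spawning a shell, because the policy never allowed it; the learned detector stays quiet on that record, because the shell appeared often enough in its training window to count as normal, and instead flags the rare but permitted fsck run. That is the practical trade-off behind the terminology: a human specification costs effort to write and maintain but encodes intent, while a learned baseline costs nothing to write but inherits whatever was happening, legitimate or not, while it was being learned.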