Why Anomaly Based Intrusion Detection Systems are a Hax0rs Best Friend
Results 1 to 3 of 3

Thread: Why Anomaly Based Intrusion Detection Systems are a Hax0rs Best Friend

  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    32

    Why Anomaly Based Intrusion Detection Systems are a Hax0rs Best Friend

    Why Anomaly Based Intrusion Detection Systems are a Hax0rs Best Friend

    This presentation was given at Summer DefCon 2003 in Las Vegas. The author has run one of the leading stand-alone anomaly IDS products within a large University environment to form an opinion on how well it protects and what value it provides.

    This presentation gives an overview and background on anomaly based IDS and how it compares to signature based IDS. Diving into what are the strengths and weaknesses. Organizations trying to replace their signature based IDS with an anomaly based IDS will be setting themselves up for failure. After listening and understanding this presentation, it becomes easier to see why the anomaly IDS works best if integrated together with standard IDS, but can not live on its own.

    http://www.issadvisor.com/viewtopic.php?t=390
    ISS you are the besthttp://www.issadvisor.com/images/personal/pisson.gifbecause you piss on the rest

    [gloworange]www.issadvisor.com [/gloworange]

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Haven't had time to study it in detail yet, but it sems to follow through from the more conventional AV concepts? A pattern based system will detect patterns that we know, a behavioural based system will detect SOME patterns that we have not seen yet?. "Heuristics" seem to live somwhere inbetween?

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    The paper has many good points. My solution is based on two signature based IDS units (one inside and one outside) and two hueristic (anomoly) based units configured the same way. I have a management console where I gather info from these appliances and from other devices such as firewalls, routers and a few other open source utilities where I can paint an exact picture of events both real time and historical. No, I won't give out the names of the products .
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides