It's an interesting idea to do anomaly detection for a small network.
Arguably it's an easier problem to solve. For example, if there's a
dramatic increase in traffic to a certain port within a small network or
coming from a small network onto the public network, there's a chance
that something might be amiss (e.g. one of my machines is compromised).
I have never looked at software which would monitor a network and, for
example, keep statistical track of traffic by port numbers. I'm assuming
it exists, and that it might be neat to build something onto that, so
that a finished product might be useful to non-experts on small networks.
It's a really intriguing idea ...
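The per-port statistical tracking suggested here, together with the clean-baseline and false-alarm points Michael raises below, as an added example that is not code from any poster: a Python sketch that learns per-port byte volumes from a constructed "clean" window of flow summaries, z-scores a later interval, and reports a never-seen port separately as a change rather than an attack. The record format and all traffic numbers are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (interval, dst_port, bytes). Intervals 0-5 are
# the "clean" training window; interval 6 is the one being scored.
TRAINING = (
    [(i, 80, b) for i, b in enumerate([52000, 48000, 55000, 50000, 47000, 53000])]
    + [(i, 443, b) for i, b in enumerate([120000, 118000, 125000, 122000, 119000, 121000])]
    + [(i, 53, b) for i, b in enumerate([3000, 3200, 2900, 3100, 3000, 3050])]
)
# Port 53 volume jumps tenfold and port 445 appears for the first time.
CURRENT = [(6, 80, 51000), (6, 443, 123000), (6, 53, 30000), (6, 445, 800000)]

def per_port_totals(records):
    """Sum bytes per (port, interval); return {port: [bytes per interval]}."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, port, nbytes in records:
        totals[port][interval] += nbytes
    return {port: list(by_int.values()) for port, by_int in totals.items()}

def learn_baseline(records, min_stdev_ratio=0.05):
    """Per-port mean and stdev of bytes per interval from a clean window.
    A stdev floor keeps a perfectly steady port from alerting on tiny noise."""
    baseline = {}
    for port, series in per_port_totals(records).items():
        mu = mean(series)
        baseline[port] = (mu, max(pstdev(series), mu * min_stdev_ratio))
    return baseline

def score_interval(baseline, records, threshold=3.0):
    """Return {port: z} for ports deviating beyond threshold in one interval.
    A port absent from the baseline is reported as None: new behaviour, which
    is a change worth graphing, not necessarily an attack."""
    findings = {}
    for port, series in per_port_totals(records).items():
        if port not in baseline:
            findings[port] = None
            continue
        mu, sigma = baseline[port]
        z = (sum(series) - mu) / sigma
        if abs(z) >= threshold:
            findings[port] = round(z, 2)
    return findings

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for port, z in sorted(score_interval(base, CURRENT).items()):
        print(f"port {port}: {'new port' if z is None else f'z={z}'}")
```

The threshold and the stdev floor are the knobs that trade missed changes for false alarms; on a real network the training window must be long enough to cover normal daily and weekly cycles.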
Michael Gale wrote:
Hello,
No .. you understood me correctly. I am researching it at the
moment as only an enthusiast but am thinking about trying to create a
small little app that could do network anomaly detection on a small
network.
From what I have gathered (which is not much at the moment) network
anomaly detection has only really been tested and used in large scale
academic networks.
Some papers describe that it has been tested / used on Internet
backbones and other large networks and involve monitoring internet
traffic.
Most of them tend to agree though that Network Anomaly Detection cannot
work for a few reasons.
1. By statistically studying the network traffic of any given network
it can be noted that there is too much variation to statistically
monitor the network.
2. In order to provide a basis for the analysis you would need to
train the anomaly detector on a clean network. This could be a problem.
The last point: it seems so far that most of the documentation I have
found is based on using anomaly detection as part of an IDS, which
generates false alarms because not every anomaly is an attack.
This is why I think it would be possible to create an anomaly detector
which does only that: graph and find anomalies (changes) in the network.
So I was curious if anyone has had any experience with this before.
Insight or documentation would be a great help.
Michael.
Niels Voll wrote:
isn't network anomaly detection typically something which can only
be done on rather large networks? In addition, wouldn't one need
management access (at least monitoring) to not only servers but
especially to large numbers of routing devices (or have NIDS devices
listening on a ton of network segments?).
Or did I misunderstand what you meant by anomaly detection? In what
context are you researching (e.g. academic, enthusiast, small
business, enterprise, ISP, govt)?
...Niels
Michael Gale wrote:
I'll take the lack of responses as a no.
Thanks anyways.
Michael.
Michael Gale wrote:
Hello,
I am fairly new to the list :)
Does anyone here have experience with a NIDS (Network Intrusion
Detection System) that uses a form of network anomaly detection?
Or has anyone here used any commercial software that does or
claims to do network anomaly detection?
The reason I am asking is I am trying to research the current topic
and have found a lot of views pro and against the method.
I am looking at network anomaly detection for the purpose of only
alerting as to what has changed on the network and not as a
security measure.
Thanks.
Michael.
_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying