Hi, I see what you are talking about now ... Bar Snort, where you may build a special filter to detect some of what you say, it would be an intriguing task to be able to trigger an anomaly alert when traffic on a certain port increases or changes significantly. I doubt it would have any usefulness in anything but the most stable production-style networks, and in that situation a trained eye and a good MRTG report would likely result in anomaly detection. I can't see it being useful in a small home-like network; any one of your family or s.b. members can fire up Skype on an odd port and create an instant peak on some graphs, triggering an anomaly. Needless to say, monitoring a server farm like that would likely detect an intrusion, but then so will Snort and any other IDS ... just my 0.02 CAD.

Cheers
Szemir
On February 7, 2005 22:59, Niels Voll wrote:
> It's an interesting idea to do anomaly detection for a small network.
> Arguably it's an easier problem to solve. For example, if there's a
> dramatic increase in traffic to a certain port within a small network or
> coming from a small network onto the public network, there's a chance
> that something might be amiss (e.g. one of my machines is compromised).
> I have never looked at software which would monitor a network and, for
> example, keep statistical track of traffic by port numbers. I'm assuming
> it exists, and that it might be neat to build something onto that, so
> that a finished product might be useful to non-experts on small networks.
>
> It's a really intriguing idea ...
>
> Michael Gale wrote:
> > Hello,
> >
> > No .. you understood me correctly. I am researching it at the
> > moment as only an enthusiast but am thinking about trying to create a
> > small little app that could do network anomaly detection on a small
> > network.
> >
> > From what I have gathered (which is not much at the moment) network
> > anomaly detection has only really been tested and used in large scale
> > academic networks.
> >
> > Some papers describe that it has been tested / used on Internet
> > backbones and other large networks and involve monitoring internet
> > traffic.
> >
> > Most of them tend to agree though that Network Anomaly Detection can not
> > work for a few reasons.
> >
> > 1. By statistically studying the network traffic of any given network
> > it can be noted that there is too much variation to statistically
> > monitor the network.
> >
> > 2. In order to provide a basis for the analysis you would need to
> > train the anomaly detector on a clean network. This could be a problem.
> >
> > The last point, it seems so far that most of the documentation I have
> > found is based on using anomaly detection as part of an IDS, which
> > generates false alarms because not every anomaly is an attack.
> >
> > This is why I think it would be possible to create an anomaly detector
> > which does only that: graph and find anomalies (changes) in the network.
> >
> > So I was curious if anyone has had any experience with this before.
> > Insight or documentation would be a great help.
> >
> > Michael.
> >
> > Niels Voll wrote:
> >> Isn't network anomaly detection typically something which can only
> >> be done on rather large networks? In addition, wouldn't one need
> >> management access (at least monitoring) to not only servers but
> >> especially to large numbers of routing devices (or have NIDS devices
> >> listening on a ton of network segments)?
> >>
> >> Or did I misunderstand what you meant by anomaly detection? In what
> >> context are you researching (e.g. academic, enthusiast, small
> >> business, enterprise, ISP, govt)?
> >>
> >>
> >> ...Niels
> >>
> >> Michael Gale wrote:
> >>> I'll take the lack of responses as a no.
> >>>
> >>> Thanks anyways.
> >>>
> >>> Michael.
> >>>
> >>> Michael Gale wrote:
> >>>> Hello,
> >>>>
> >>>> I am fairly new to the list :)
> >>>>
> >>>> Does anyone here have experience with a NIDS (Network Intrusion
> >>>> Detection System) that uses a form of network anomaly detection?
> >>>> Or has anyone here used any commercial software that does or
> >>>> claims to do network anomaly detection?
> >>>>
> >>>> The reason I am asking is I am trying to research the current topic
> >>>> and have found a lot of views pro and against the method.
> >>>>
> >>>> I am looking at network anomaly detection for the purpose of only
> >>>> alerting as to what has changed on the network and not as a
> >>>> security measure.
> >>>>
> >>>> Thanks.
> >>>>
> >>>> Michael.
_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
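A small worked version of the per-port statistical tracking Niels describes, with the caveat Szemir raises (a new application appearing on an odd port) reported separately from a volume change on a known port. This is an added example written for this page, not code from anyone in the thread; the flow records, ports, byte counts, bin size and thresholds are all constructed.

```python
from collections import defaultdict
from math import sqrt

def bin_flows(flows, interval=60):
    """Aggregate (timestamp, dst_port, bytes) records into {bin_start: {port: bytes}}."""
    bins = defaultdict(lambda: defaultdict(int))
    for ts, port, nbytes in flows:
        bins[(ts // interval) * interval][port] += nbytes
    return bins

def train_baseline(bins, train_bins):
    """Mean/std of bytes per interval per port seen in training (absent port = 0 bytes)."""
    ports = {p for b in train_bins for p in bins.get(b, {})}
    baseline = {}
    for p in ports:
        xs = [bins.get(b, {}).get(p, 0) for b in train_bins]
        mean = sum(xs) / len(xs)
        std = sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        baseline[p] = (mean, std)
    return baseline

def detect(bins, baseline, eval_bins, k=3.0, min_scale=1000):
    """(bin, port, reason) for ports moving > k std devs either way, or never seen in training."""
    alerts = []
    for b in eval_bins:
        seen = bins.get(b, {})
        for p in set(seen) | set(baseline):  # includes baseline ports that went silent
            nbytes = seen.get(p, 0)
            if p not in baseline:
                alerts.append((b, p, "new port"))
                continue
            mean, std = baseline[p]
            z = (nbytes - mean) / max(std, min_scale)  # min_scale keeps a tiny std from alerting on noise
            if abs(z) > k:
                alerts.append((b, p, f"z={z:+.1f}"))
    return alerts

def constructed_flows():
    """Constructed sample: five quiet minutes, then a minute with a port-80 surge and an unseen port."""
    web, tls = [50000, 52000, 48000, 51000, 49000], [20000, 21000, 19000, 20000, 20000]
    flows = [(m * 60 + 5, 80, web[m]) for m in range(5)]
    flows += [(m * 60 + 30, 443, tls[m]) for m in range(5)]
    return flows + [(305, 80, 400000), (310, 443, 20500), (320, 40001, 3000)]

def run_demo():
    """Train on minutes 0-4, score minute 5; returns the alert list."""
    bins = bin_flows(constructed_flows())
    baseline = train_baseline(bins, [m * 60 for m in range(5)])
    return detect(bins, baseline, [300])
```

The "new port" line is exactly the Skype-on-an-odd-port case: it is a change, not necessarily a problem, so it is reported for a person to judge rather than scored against a baseline it does not have.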

