Sanjay Rawat wrote:
> Hi Stefano:
> I got confused over one comment made by you: "First hint of the day: if there is a regexp there, it's NOT anomaly detection." Why is it so? I can use association or frequent episode rules to capture normal behavior (you know this), and I can use regexp to represent such rules.
Let me rephrase my comment then: "If there is a GIVEN SET of regexp there, it's not anomaly detection."

If you create an induction algorithm for GENERATING a set of rules describing normal behavior, you are creating an anomaly detection system; if you instead give your customer a predefined set of rules to match his traffic against, you cannot be far away from simple "protocol anomaly detection" systems.

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
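The distinction Stefano draws, as an added illustration that is not part of the original thread: a minimal induction routine that GENERATES per-parameter regexps from a constructed set of benign query strings, then flags values that fall outside what was learned. The parameter names (`id`, `user`, `debug`) and sample values are constructed for the example; nothing here is a predefined signature.

```python
import re
from collections import defaultdict

# Constructed training set: query strings observed during a learning phase
# on traffic assumed to be normal.
NORMAL_TRAFFIC = [
    "id=1042&user=alice",
    "id=7&user=bob_smith",
    "id=88213&user=carol99",
]

def generalize(value):
    """Collapse a concrete value into a character-class template, e.g.
    '1042' -> '\\d+', 'carol99' -> '\\w+\\d+'. Adjacent runs of the same
    class are merged; other characters are kept as escaped literals."""
    template = []
    for ch in value:
        if ch.isdigit():
            cls = r"\d+"
        elif ch.isalnum() or ch == "_":
            cls = r"\w+"
        else:
            cls = re.escape(ch)
        if not template or template[-1] != cls:
            template.append(cls)
    return "".join(template)

def induce_rules(samples):
    """Learn one anchored regexp per parameter name from normal samples.
    The rule set is an output of the data, not an input from a vendor."""
    templates = defaultdict(set)
    for query in samples:
        for param in query.split("&"):
            name, _, value = param.partition("=")
            templates[name].add(generalize(value))
    return {name: re.compile("^(?:" + "|".join(sorted(t)) + ")$")
            for name, t in templates.items()}

def is_anomalous(query, rules):
    """Return the list of parameters that deviate from the learned model:
    a name never seen in training, or a value no learned template accepts."""
    deviations = []
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name not in rules:
            deviations.append(f"unknown parameter {name!r}")
        elif not rules[name].match(value):
            deviations.append(f"{name}={value!r} does not fit learned pattern")
    return deviations
```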
