Joseph Hamm wrote:

>> IMHO comparing pure play behavior detection to IPS is like comparing
>> apples and oranges.
>
> I couldn't agree more. I spoke up because Stefano brought up the topic
> of anomaly detection.

I didn't, actually - it was brought up by others; I only felt it right to chime in on my specific area of research :)

> One thing that does bother me is how IPS has been
> painted as a "magic bullet" by vendors (and even the press).

It's a painful scene we have seen for most other technologies... you remember the PKI-fits-all dance, until 3-4 years ago, don't you? :)

> (purchase and maintain) a box everywhere you want coverage. Many folks
> don't even know what NetFlow or sFlow is or how it can be used to
> provide them much needed security information (and save them money).

This for sure. I wouldn't, however, limit research on anomaly detection to statistical flow analysis. There is a lot more to it (automatic correlation of events, unsupervised learning on protocol behavior, etc.).

> This allows the NADS to find the piece of network infrastructure closest
> to the threat (router, switch, firewall, etc.) and take blocking action
> there in order to quarantine the attack.

Brrrr. I'm not sure I would like that without a human filter.

Best,

Stefano

Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
