On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
> This is why most of today's *successful* anomaly detection technologies
> incorporate a learning or "behavioral" component that overcomes this kind of
> problem. Take StealthWatch for instance. When a new DNS server comes online,
> StealthWatch looks at the flows being generated by the server, figures out
> what the server is and how it's behaving, then applies the appropriate
> algorithms given the contextual awareness of the server's learned behaviors.
>
> In a nutshell:
>
> 1. New host detected.
> 2. Let's watch it for a bit and figure out what it's up to.
> 3. Now that we know what the machine is and does, apply the proper anomaly
> detection techniques to the traffic generated by the host.
uhm... then I would rather not use StealthWatch. If a new host comes online, I'd like to receive an alert on that. Also, letting the IDS guess what is normal may be suboptimal. For instance, if a host is hacked and starts an FTP server on a new IP address the hacker assigns (new host), the IDS will watch the FTP traffic of the pubstro and then consider it normal. Except that it isn't :)

So having an IDS accept a new host and consider its traffic normal without any sort of alerts or user intervention can hardly be considered a "successful" IDS.

Regards,
Frank

--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
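The two baselining policies argued about in this thread, as an added example that is not part of the original messages and not code from StealthWatch or any product: a minimal flow baseline that either auto-learns whatever a new host does first, or alerts on the new host and holds its services pending analyst approval. All hosts, addresses and flows are constructed.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed sample flows: 10.0.0.5 is an approved web server; 10.0.0.99 is a
# previously unseen host that immediately starts serving FTP (the "pubstro").
FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", 80),
    Flow("192.0.2.11", "10.0.0.5", 80),
    Flow("192.0.2.12", "10.0.0.99", 21),
    Flow("192.0.2.13", "10.0.0.99", 21),
    Flow("192.0.2.10", "10.0.0.5", 22),   # new service on an approved host
]


class FlowBaseline:
    """Per-host set of served ports; hypothetical toy, not a real IDS engine."""

    def __init__(self, gate_new_hosts):
        self.gate_new_hosts = gate_new_hosts
        self.known = {"10.0.0.5": {80}}   # analyst-approved baseline
        self.pending = defaultdict(set)   # new hosts awaiting approval

    def observe(self, flow):
        """Return the alerts raised by one flow (empty list if none)."""
        alerts = []
        if flow.dst not in self.known:
            if not self.gate_new_hosts:
                # Auto-learn: the first traffic seen defines "normal", so the
                # pubstro's FTP service is silently baselined and never alerted.
                self.known[flow.dst] = {flow.dport}
                return alerts
            if flow.dst not in self.pending:
                alerts.append(f"NEW_HOST {flow.dst}")
            if flow.dport not in self.pending[flow.dst]:
                self.pending[flow.dst].add(flow.dport)
                alerts.append(f"UNAPPROVED_SERVICE {flow.dst}:{flow.dport}")
            return alerts
        if flow.dport not in self.known[flow.dst]:
            alerts.append(f"NEW_SERVICE {flow.dst}:{flow.dport}")
        return alerts

    def approve(self, host):
        """Analyst accepts the observed services as that host's baseline."""
        self.known[host] = self.pending.pop(host, set())


def run(gate_new_hosts):
    baseline = FlowBaseline(gate_new_hosts)
    alerts = []
    for flow in FLOWS:
        alerts.extend(baseline.observe(flow))
    return alerts
```

Running `run(False)` yields only the SSH alert on the approved host, while `run(True)` additionally reports the new host and its unapproved FTP service.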