At 11:18 PM 9/9/2005, Frank Knobbe wrote:
On Thu, 2005-09-08 at 11:06 +0530, Sanjay Rawat wrote:
> the points which you raised are correct, but this is the underline
> assumption that you have CLEAN attack-free data to train your anomaly IDS.
> in the example, which you put, you need to ensure that your new host
is not
> compromised.
Well of course. I would hope that you can control your environment
enough so that you have an attack-free "window" where you can define, or
let it learn, the profile of "known good" traffic.
> Also, from time to time, you need to update the learning by
> putting your IDS in learning/training mode. In fact, such things are main
> barriers in deploying anomaly based IDS.
I disagree with that. If you retrain your anomaly based IDS on a
periodic bases, you will pollute your "known good" profile. Instead, I'd
suggest you retrain it whenever you made infrastructure changes and have
expected traffic present that deviate from the "normal" profile. Then
the IDS will adjust to the "new normal" traffic flow.
If you don't make any changes to the environment, I would not retrain
the IDS. So your "from time to time" action should be trigger by known
events (known host/traffic changes) and not blindly on a periodic
basis.
I agreed on this. Actually, may be I could not put it properly, but I meant
the same. Whenever one observes the changes or many false alarms (false
positive), one should think of retraining the IDS. also, if you are using
some "incremental learning algorithm", you need not to worry about loosing
(polluting) known learning. you need not to train you IDS on old+new data.
only new data is sufficient. however, this is valid only when there is no
change in the old behavior and some new behavior has been introduced.
regards
Sanjay
Cheers,
Frank
--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
