Have a look at the SPADE (Statistical Packet Anomaly Detection Engine) project for Snort.
http://www.computersecurityonline.com/spade/ :-)

Si

On 1 Feb 2006 19:41:16 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> hello,
> I'm a computer science student and I have to do my graduation project next
> semester. I want to do it on anomaly IDSs. I have searched the internet and
> found little on that subject. Here are my ideas on how to implement a network
> anomaly IDS; please correct me where I'm wrong, or if you have any other
> references or ideas I would be happy to hear from you:
>
> The IDS will have 2 stages. First it will study the network traffic and build
> some kind of a database that keeps what should be marked as 'safe', and after
> collecting enough information it should start running and issue alerts when
> anomalies happen (network data will be compared to the database built in the
> first stage). This is the data I'm going to collect:
>
> 1- Information about each hostname, IP address, and MAC address. (I think
> this should stop ARP poisoning attacks by comparing later traffic to the
> database of MAC addresses associated with IP addresses.)
> 2- Ports open on each host and ports that each host connects to. The IDS
> should issue an alert if the host opens a port which wasn't open before or
> tries to connect to a new port; with this I think that exploits that use
> bind or connect-back shellcode should be stopped.
> 3- Times each host uses the network and which usernames it uses to connect
> to network resources; this should enable the IDS to detect if someone else
> is using the computer or using a different username.
>
> This is it :) I know that this is not nearly enough and that is why I'm
> sending this email. For example, if someone uses an upload/exec shellcode in
> an exploit I don't think that the IDS will detect it, or if a trojan connects
> to a common port (for example port 80) the IDS won't notice it.
> Another thing I want is to minimize false positives, which is an important
> thing. The main aim of the IDS will be to stop 0day attacks from happening,
> so if anyone has any ideas or any references I would really appreciate it.
> Thank you.
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

--
Simon Biles
CISSP, OPSA, BS7799 Lead Auditor, MBCS
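The two-stage design in the quoted mail (learn a "safe" database, then alert on deviations from it) is concrete enough to run. The following is an added example written for this page; it is not code from the thread, from SPADE or from Snort. It assumes a sniffer has already reduced traffic to plain dict records of three kinds (`arp`, `flow`, `login`), implements the three checks the student lists (IP-to-MAC binding, ports served and ports connected to, active hours and usernames), and goes one step beyond the mail with a simplified `rarity()` score, the kind of statistical ranking a packet-anomaly engine such as SPADE provides instead of yes/no checks (this is not SPADE's actual algorithm or tables). All sample traffic is constructed for the demonstration.

```python
"""Two-phase network anomaly detector following the sketch in the mail above.

Added example, not code from the thread, from SPADE or from Snort. Records
are plain dicts standing in for what a sniffer would hand us; the sample
traffic below is constructed for the demonstration.
"""
from collections import defaultdict
from math import log2


class Baseline:
    """Phase 1 output: the 'safe' database learned from clean traffic."""

    def __init__(self):
        self.ip_to_mac = {}                   # ARP binding per IP (item 1)
        self.listening = defaultdict(set)     # host -> ports it is seen serving (item 2)
        self.dst_ports = defaultdict(set)     # host -> ports it connects out to (item 2)
        self.hours = defaultdict(set)         # host -> hours of day it is active (item 3)
        self.users = defaultdict(set)         # host -> usernames seen logging in (item 3)
        self.port_counts = defaultdict(int)   # (dst, dport) -> flow count, for rarity()
        self.total_flows = 0


def learn(records):
    """Phase 1: assume every record is benign and add it to the baseline."""
    b = Baseline()
    for r in records:
        if r["type"] == "arp":
            b.ip_to_mac.setdefault(r["ip"], r["mac"])   # first binding wins
        elif r["type"] == "flow":
            # Assumption: a completed flow to dst:dport means dport is open on dst.
            b.listening[r["dst"]].add(r["dport"])
            b.dst_ports[r["src"]].add(r["dport"])
            b.hours[r["src"]].add(r["hour"])
            b.port_counts[(r["dst"], r["dport"])] += 1
            b.total_flows += 1
        elif r["type"] == "login":
            b.users[r["host"]].add(r["user"])
            b.hours[r["host"]].add(r["hour"])
    return b


def detect(b, records):
    """Phase 2: compare live records with the baseline; return a list of alerts."""
    alerts = []
    for r in records:
        if r["type"] == "arp":
            known = b.ip_to_mac.get(r["ip"])
            if known is not None and known != r["mac"]:
                alerts.append(("arp-mac-change", r["ip"], known, r["mac"]))
        elif r["type"] == "flow":
            # Only hosts inventoried in phase 1 have a known set of open ports.
            if r["dst"] in b.listening and r["dport"] not in b.listening[r["dst"]]:
                alerts.append(("new-listening-port", r["dst"], r["dport"]))
            if r["dport"] not in b.dst_ports.get(r["src"], set()):
                alerts.append(("new-outbound-port", r["src"], r["dport"]))
            if r["hour"] not in b.hours.get(r["src"], set()):
                alerts.append(("unusual-hour", r["src"], r["hour"]))
        elif r["type"] == "login":
            if r["user"] not in b.users.get(r["host"], set()):
                alerts.append(("new-user", r["host"], r["user"]))
            if r["hour"] not in b.hours.get(r["host"], set()):
                alerts.append(("unusual-hour", r["host"], r["hour"]))
    return alerts


def rarity(b, dst, dport):
    """Simplified statistical score: -log2 of how often dst:dport was seen in
    training. 0 = every flow went there, larger = rarer, inf = never seen.
    A score like this (not SPADE's real tables) lets an engine rank events
    instead of giving the yes/no answers of detect()."""
    n = b.port_counts.get((dst, dport), 0)
    return float("inf") if n == 0 else -log2(n / b.total_flows)


# Constructed training traffic: two ARP bindings, four flows, one login.
TRAINING = [
    {"type": "arp", "ip": "10.0.0.1", "mac": "aa:bb:cc:00:00:01"},
    {"type": "arp", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:05"},
    {"type": "flow", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "hour": 9},
    {"type": "flow", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "hour": 10},
    {"type": "flow", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "hour": 14},
    {"type": "flow", "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 22, "hour": 11},
    {"type": "login", "host": "10.0.0.5", "user": "alice", "hour": 9},
]

# Constructed live traffic covering the cases discussed in the mail.
LIVE = [
    {"type": "arp", "ip": "10.0.0.1", "mac": "de:ad:be:ef:00:01"},                     # gateway MAC changed
    {"type": "flow", "src": "10.0.0.7", "dst": "10.0.0.5", "dport": 4444, "hour": 11},   # bind shell
    {"type": "flow", "src": "10.0.0.5", "dst": "203.0.113.8", "dport": 31337, "hour": 3},  # connect-back at 3am
    {"type": "flow", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "hour": 10},     # trojan over port 80
    {"type": "login", "host": "10.0.0.5", "user": "mallory", "hour": 10},               # different username
]


def run_demo():
    """Learn from TRAINING, detect over LIVE, return the alerts."""
    return detect(learn(TRAINING), LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Running it yields six alerts: the changed gateway MAC, the bind-shell port appearing on 10.0.0.5, the connect-back to a never-seen port at an hour 10.0.0.5 was never active, and the unfamiliar username. The fourth live flow, the trojan talking to 10.0.0.9:80, produces nothing, which is exactly the blind spot the mail anticipates; `rarity()` does not help there either, since that pair is the most common in training. The hour check is also where the false positives the mail worries about will come from: a whole-hour set learned from a short training window flags the first late-evening session as an anomaly, so in practice the window has to be long and the threshold statistical rather than binary.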
