Re: When to do something about detected attacks (was Re: how to do...)
Aleph One (aleph1@dfw.net)
Wed, 15 Apr 1998 22:37:21 -0500 (CDT)
- Next message: emaiwald@bigdog.fred.net: "Re: Intrusion Detection"
- Previous message: d: "Re: When to do something about detected attacks (was Re: how to do...)"
- Maybe in reply to: Jeff Sedayao: "When to do something about detected attacks (was Re: how to do...)"
- Next in thread: tqbf@secnet.com: "Re: When to do something about detected attacks (was Re: how to do...)"
On Wed, 15 Apr 1998, Sheila Or Bob (depends on who is writing) wrote:
> Can we apply "data mining" techniques with some sort of
> security policy filter to the data we capture for an IDS? I think so.
> I think some products can do this.
There is actually a nice paper in the proceedings of the last USENIX
Security Symposium on this topic: "Data Mining Approaches for Intrusion
Detection", Wenke Lee & Salvatore J. Stolfo. They provide two examples of
ways to use data mining techniques for intrusion detection. The first
uses system call traces as the data set. The second uses tcpdump output.
They had some good results but, just like AD systems, the algorithms must be
trained to know what is "normal" or what is an attack signature.
> thanks!
> bob
>
> --
> real address is shsrms at erols dot com
> The Herbal Gypsy and the Tinker.
>
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
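The first of the two approaches mentioned above, learning from system call traces, can be illustrated with a small "train on normal, then score" detector. The following is an added example written for this archive page; it is not code from the post, from the Lee & Stolfo paper, or from any IDS product, and it uses the classic fixed-length sequence (n-gram) method rather than the rule-learning the paper applied. The window length, threshold, and every trace are constructed assumptions chosen for the demonstration, not real sendmail data.

```python
"""Anomaly detection over system-call traces using sliding-window n-grams.

Added example (not from the original mailing-list post or from Lee & Stolfo).
Every length-N window of syscalls seen during training is recorded as "normal";
windows in a new trace that never appeared in training count as anomalies.
All traces below are constructed sample data.
"""

WINDOW = 3  # n-gram length; an assumption for this example (the literature often used 6)

# Constructed "normal" traces: a program that opens a file, reads it, writes, closes.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
]

# Constructed "suspicious" trace: the same program suddenly forks and execs something.
SUSPICIOUS_TRACE = ["open", "read", "fork", "execve", "dup2", "write"]


def ngrams(trace, n=WINDOW):
    """Yield every contiguous length-n window of a trace as a tuple."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def train(traces, n=WINDOW):
    """Build the profile of normal behaviour: the set of every n-gram seen in training."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def score(trace, profile, n=WINDOW):
    """Return (unseen_windows, total_windows, anomaly_ratio) for one trace."""
    windows = list(ngrams(trace, n))
    if not windows:
        return 0, 0, 0.0
    unseen = [w for w in windows if w not in profile]
    return len(unseen), len(windows), len(unseen) / len(windows)


def classify(trace, profile, threshold=0.2, n=WINDOW):
    """Flag a trace when more than `threshold` of its windows were never seen in training.

    The threshold is a tuning knob: too low and benign-but-unseen behaviour
    (incomplete training data) is reported; too high and short attack
    sequences hide inside an otherwise normal trace.
    """
    _, _, ratio = score(trace, profile, n)
    return "anomalous" if ratio > threshold else "normal"


if __name__ == "__main__":
    profile = train(NORMAL_TRACES)
    print("profile size:", len(profile))
    for trace in (NORMAL_TRACES[0], SUSPICIOUS_TRACE,
                  ["open", "fstat", "read", "read", "write", "close"]):
        print(trace, "->", score(trace, profile), classify(trace, profile))
```

The last trace in the usage block is benign but combines two patterns the training set only showed separately, so one of its four windows is unseen and it is flagged at the 0.2 threshold: the false positive that results when "normal" was not observed thoroughly enough, which is exactly the training cost the post refers to.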
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT