From: seclistssyk0.com
Date: Fri Mar 15 2002 - 12:42:51 CST

    > Over time I think the current crop of IDS are going to incorporate some form(s)
    > of statistical anomaly detection. But let me make a guess: they will do the
    > anomaly detection against the alert outputs of the IDS sensors. So instead of
    > the individual IDS sensor doing anomaly detection, there will be anomaly detection
    > capabilities in the post-processor that manages alerts. This is/will be critical
    > since at that point the data has already been turned into diagnosed information
    > that is accessible to the end user. Of course, the really weird stuff will be below
    > the radar screens of such systems and will be missed... There are already a
    > number of researchers using IDS sensors outputs as inputs into statistical
    > anomaly detection systems. In other words, they'll tell you:
    > "the number of CODE RED alerts is 2x the standard deviation of alerts.
    > you've got an abnormally high number of CODE RED alerts!!!"

    Could a statistical sensor be useful doing the reverse of this as well?

    Suppose there is a signature rule that you'd like to apply, but it just generates too many false
    positives. If you, however, know statistically what your normal traffic
    flow is, you could use a statistical sensor to trigger these additional
    signature rules when certain traffic levels are exceeded.

    For example: if you have a fair amount of steady legitimate traffic to
    port x that looks similar to vulnerability Y, the signature you have for
    vulnerability Y earmarks uncommon but legit traffic as well, so you don't
    normally want to check this signature. However, if your
    traffic to port x doubles one day, your statistical sensor could turn on
    the signature checking for vulnerability Y. When you get the alerts,
    you'll already have some correlation done for you -- double traffic to
    port x that also matches the signature for vulnerability Y. This would
    tend to be, I think, less likely to be a false positive...and a good way
    to augment signature detection.

    -Jack Whitsitt
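The gating idea in the post above, as an added example that is not part of the original message or of any IDS product: a running baseline of request counts to port x decides whether the noisy signature for vulnerability Y is evaluated at all, and the ungated run is kept for comparison. The signature pattern, the request strings and the per-interval counts are constructed sample data.

```python
"""Statistically gated signature checking: the noisy signature for
vulnerability Y runs only in intervals whose request count to port x is
anomalous against the running baseline. All traffic is constructed data."""
import re
from statistics import mean, pstdev

# Hypothetical noisy signature for "vulnerability Y": it also matches some
# legitimate requests, so running it all the time floods the analyst.
SIGNATURE_Y = re.compile(rb"/cgi-bin/.*\.\./")

# Constructed sample requests to port x.
BENIGN = b"GET /index.html HTTP/1.0"
LEGIT = b"GET /cgi-bin/app?page=../docs/readme HTTP/1.0"   # matches, but legit
SUSPECT = b"GET /cgi-bin/app?page=../../../../etc/passwd HTTP/1.0"

# Ten quiet intervals (10 requests, one legit signature hit each), then one
# interval where traffic to port x doubles and most hits are suspect.
QUIET = [[BENIGN] * 9 + [LEGIT] for _ in range(10)]
SPIKE = [[BENIGN] * 12 + [LEGIT] + [SUSPECT] * 7]
SAMPLE = QUIET + SPIKE

def volume_is_anomalous(history, current, factor=2.0, sigmas=2.0):
    """True when `current` clearly exceeds the baseline counts in `history`."""
    if len(history) < 2:
        return False  # no usable baseline yet
    mu, sd = mean(history), pstdev(history)
    return current >= factor * mu and current > mu + sigmas * sd

def ungated_alerts(intervals):
    """Signature run on every interval: (interval_index, request) per hit."""
    return [(i, r) for i, reqs in enumerate(intervals)
            for r in reqs if SIGNATURE_Y.search(r)]

def gated_alerts(intervals):
    """Signature run only when the statistical gate opens for that interval.
    Each alert therefore already carries the volume correlation."""
    history, alerts = [], []
    for i, reqs in enumerate(intervals):
        if volume_is_anomalous(history, len(reqs)):
            alerts.extend((i, r) for r in reqs if SIGNATURE_Y.search(r))
        history.append(len(reqs))
    return alerts

if __name__ == "__main__":
    print("ungated hits:", len(ungated_alerts(SAMPLE)))   # 18, ten of them noise
    print("gated hits:  ", len(gated_alerts(SAMPLE)))     # 8, all in the spike
```

The ten quiet-interval hits are exactly the legitimate traffic the post says the signature earmarks; the gate suppresses them and surfaces only the hits that coincide with the doubled volume.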