From: Stefano Zanero (zaneroelet.polimi.it)
Date: Fri Feb 03 2006 - 14:39:38 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

the_aokyahoo.com wrote:

> found little on that subject

There are hundreds of paper on that topic, I kindly advise that you
search the usual engines a bit better :)

What you are describing is a general and vague concept of a learning
algorithm which tries to find outliers on network traffic. A nice
concept, but you really should work out the details a bit more :)

> anomalies happen(network data will be compared to the database built in
> the first stage),

How ? this is one of the deepest questions in unsupervised learning :)

> 1-information about each hostname,IP address,and MAC address.

This is something any tool for arpspoofing detection already does...

> 2-ports open on each host and ports that each host connects to.the IDS
> should issue an alert if the host opens a port which wasnt open before
> or tries to connect to a new port;

You should check Marcus Ranum ideas on this subject, and also the Arbor
Networks products follow similar patterns.

But this is really "old news" in research terms.

> 3-times each host uses the network and which usernames it uses to
> connect to
> network resources; this should enable the IDS to detect if someone else
> is
> using the computer or using a different username.

This is not an indication of an attack, actually.

Best regards and good luck,
Stefano Zanero

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]