Need help on Bro

> already be necessary to define what normality is from a network
> point of view, i.e. what is normal, and then give alarms on what
> leaves that framework.

Yes, this is a powerful approach, and one for which Bro is well suited.
In the research world it's termed specification-based intrusion detection,
but this hasn't yet caught on as a term in the commercial world.

Let me be a bit more precise. You don't define what is *normal*, but
rather what is *allowed* (including rare-but-okay forms of activity).
So you form a specification of allowed behavior and flag any activity
that doesn't comply with it.

The main drawback of this approach is that it takes considerable manual
effort to form the specifications and keep them up to date. (If instead
you automatically learn the specifications, then you're back to doing
anomaly detection.)

    Vern
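The allowed-behaviour specification Vern describes, as an added example that is not part of the original thread and is not Bro policy code: a small standalone Python checker. The specification is an explicit list of what the operator permits, including a rare-but-okay clause; anything no clause covers is flagged, whether or not it matches a known attack. The addresses, ports, rule names and the sample connection records are all constructed for the example; the record format (`ts orig_h resp_h resp_p proto`) is likewise an assumption, not a Bro log format.

```python
# Added example (not from the Bro project): specification-based detection.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed record format, not a Bro log)."""
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """One clause of the specification: which clients may reach which servers."""
    orig_net: ipaddress.IPv4Network
    resp_net: ipaddress.IPv4Network
    resp_p: int
    proto: str
    why: str  # the operator's reason, so the spec stays reviewable

    def matches(self, c: Conn) -> bool:
        return (c.proto == self.proto and c.resp_p == self.resp_p
                and ipaddress.ip_address(c.orig_h) in self.orig_net
                and ipaddress.ip_address(c.resp_h) in self.resp_net)


def rule(orig: str, resp: str, port: int, proto: str, why: str) -> Rule:
    return Rule(ipaddress.ip_network(orig), ipaddress.ip_network(resp), port, proto, why)


# The specification: everything the operator has decided is *allowed*, written
# down by hand. Networks and services are assumptions made up for the example.
SPEC = [
    rule("10.0.0.0/8", "10.0.1.25/32", 25, "tcp", "internal hosts may submit mail to the relay"),
    rule("10.0.0.0/8", "10.0.1.53/32", 53, "udp", "internal resolver"),
    rule("10.0.0.0/8", "0.0.0.0/0", 443, "tcp", "outbound HTTPS to anywhere"),
    rule("10.0.9.0/24", "10.0.1.0/24", 22, "tcp", "rare but okay: admin subnet ssh to the server segment"),
]


def parse_conn(line: str) -> Conn:
    """Parse one whitespace-separated record: ts orig_h resp_h resp_p proto."""
    ts, orig_h, resp_h, resp_p, proto = line.split()
    return Conn(float(ts), orig_h, resp_h, int(resp_p), proto)


def violations(conns, spec):
    """Return every connection that no clause of the specification allows."""
    return [c for c in conns if not any(r.matches(c) for r in spec)]


def run(log_text: str, spec):
    conns = [parse_conn(l) for l in log_text.splitlines() if l.strip()]
    return violations(conns, spec)


# Constructed sample records, not a real capture. Records 5 and 6 fall
# outside the specification: ssh from a non-admin host, and a service
# (4444/tcp) nobody ever declared, i.e. an "unknown" type of activity.
SAMPLE_LOG = """\
1700000000.1 10.0.4.17 10.0.1.25 25 tcp
1700000000.2 10.0.4.17 10.0.1.53 53 udp
1700000000.3 10.0.4.17 93.184.216.34 443 tcp
1700000000.4 10.0.9.8 10.0.1.25 22 tcp
1700000000.5 10.0.4.17 10.0.1.25 22 tcp
1700000000.6 10.0.4.17 10.0.1.70 4444 tcp
1700000000.7 10.0.5.3 10.0.1.53 53 udp
"""

if __name__ == "__main__":
    for c in run(SAMPLE_LOG, SPEC):
        print(f"{c.ts}: {c.orig_h} -> {c.resp_h}:{c.resp_p}/{c.proto} not in specification")
    # Manual correction: after review the operator decides 10.0.4.17 is a new
    # jump host and extends the specification deliberately, rather than having
    # the checker learn it from traffic (which would make this anomaly detection).
    revised = SPEC + [rule("10.0.4.17/32", "10.0.1.25/32", 22, "tcp", "jump host, added after review")]
    print("after revision:", len(run(SAMPLE_LOG, revised)), "violation(s) remain")
```

The `why` field is there on purpose: the cost of this approach is the upkeep Vern mentions, and a clause with no recorded reason is the first one nobody dares to delete six months later.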

Hello Everybody,

> > already be necessary to define what normality is from a network
> > point of view, i.e. what is normal, and then give alarms on what
> > leaves that framework.
>
> Yes, this is a powerful approach, and one for which Bro is well
> suited. In the research world it's termed specification-based
> intrusion detection, but this hasn't yet caught on as a term in the
> commercial world.

> Let me be a bit more precise. You don't define what is *normal*, but
> rather what is *allowed* (including rare-but-okay forms of activity).
> So you form a specification of allowed behavior and flag any activity
> that doesn't comply with it.

Ok, I understand the difference and this makes sense.

> The main drawback of this approach is that it takes considerable
> manual effort to form the specifications and keep them up to date.

Yes, it's the same drawback as with signature-based NIDS, I think
(considering the rules as specifications).
And that's why I have been using Bro for some time. :-)

> (If instead you automatically learn the specifications, then you're
> back to doing anomaly detection.)

Speaking of specifications here, do you mean all the traffic?

In all cases with approaches like this, we may have to make
corrections, as with neural networks for example (where we'll have to
specify for a given result whether it's correct or not).

Best regards,

Jean-philippe.

> Yes, it's the same drawback as with signature-based NIDS, I think
> (considering the rules as specifications).

Pretty much. Two differences are (1) signatures are easy to share, since
they describe attacks, while specifications aren't, since they describe
local environments, and (2) signatures are bad at detecting unknown types
of attack, while specifications can do this quite well.

> Speaking of specifications here, do you mean all the traffic?

Yes, ideally.

> In all cases with approaches like this, we may have to make
> corrections, as with neural networks for example (where we'll have to
> specify for a given result whether it's correct or not).

Well, then it starts drifting away from specification-based and towards
anomaly detection. In true specification-based intrusion detection,
corrections are done manually, to ensure they correspond with intended
specification updates.

    Vern

> Yes, it's the same drawback as with signature-based NIDS, I think
> (considering the rules as specifications).

> Pretty much. Two differences are (1) signatures are easy to share,
> since they describe attacks, while specifications aren't, since they
> describe local environments, and (2) signatures are bad at detecting
> unknown types of attack, while specifications can do this quite well.

Sure, that's why I really like the approach used by Bro and specifically
the use of policies. With them, I'm able to define my environment and
to tune the detection parameters relative to it.

> In all cases with approaches like this, we may have to make
> corrections, as with neural networks for example (where we'll have to
> specify for a given result whether it's correct or not).

> Well, then it starts drifting away from specification-based and
> towards anomaly detection. In true specification-based intrusion
> detection, corrections are done manually, to ensure they correspond
> with intended specification updates.

I agree with you; I was not very precise in my remarks and was
speaking of anomaly-based detection using something like an ANN
(artificial neural network). :-)

I guess you have quite some traffic at Berkeley, so how do you manage
defining "allowed" things?
Is a cartography of flows made first, and then you choose to
"allow" a few of them and build the specifications?

Best regards,

Jean-philippe.

Hi,

To be more specific about specification-based detection: suppose there
is a specification "a valid SMTP greeting is no longer than NN bytes
long". We need to know that NN. Similarly, I believe there are some
specifications built into Bro. Is there any way to know more about those
specifications, e.g. how the threshold is set? Can anyone suggest a
reference that will help me learn more about this?

Thanks & Regards,
Kanthi.