Re: When to do something about detected attacks (was Re: how to do...)

From: Aleph One (aleph1at_private)
Date: Wed Apr 15 1998 - 20:37:21 PDT

    On Wed, 15 Apr 1998, Sheila Or Bob (depends on who is writing) wrote:
    
    > Can we apply "data mining" techniques with some sort of
    > security policy filter to the data we capture for an IDS?  I think so. 
    > I think some products can do this.
    
    There is actually a nice paper in the proceedings of the last USENIX
    Security Symposium on this topic: "Data Mining Approaches for Intrusion
    Detection", Wenke Lee & Salvatore J. Stolfo. They provide two examples of
    ways to use data mining techniques for intrusion detection. The first
    uses system call traces as the data set. The second uses tcpdump output.
    They had some good results, but just like AD systems the algorithms must be
    trained to know what is "normal" or what is an attack signature.
    
    > thanks!
    > bob
    > 
    > -- 
    > real address is shsrms at erols dot com
    > The Herbal Gypsy and the Tinker.
    > 
    
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5 
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
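As an added illustration of the point above about training a detector on "normal" system call traces (example code written for this archive page, not from the thread or from the Lee & Stolfo paper): a simplified sliding-window n-gram profile rather than the paper's rule-mining method, with all trace data constructed inline.

```python
"""Sequence-based anomaly detection over system-call traces.

A profile of short system-call subsequences (n-grams) is learned from
traces labelled "normal"; a test trace is then scored by the fraction of
its windows never seen during training. All traces here are constructed
for illustration and are not real program behaviour.
"""


def ngrams(trace, n):
    """Return every length-n sliding window of a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_normal_profile(traces, n=3):
    """Collect the set of all n-grams observed in the normal traces."""
    profile = set()
    for t in traces:
        profile.update(ngrams(t, n))
    return profile


def score_trace(trace, profile, n=3):
    """Fraction of windows in `trace` absent from the profile (0.0 = all seen).

    Traces shorter than n produce no windows and score 0.0, so very short
    traces cannot be judged by this method at all.
    """
    windows = ngrams(trace, n)
    if not windows:
        return 0.0
    unseen = sum(1 for w in windows if w not in profile)
    return unseen / len(windows)


# Constructed training data: typical file and socket handling of a small daemon.
NORMAL_TRACES = [
    ["open", "read", "close", "open", "read", "close"],
    ["open", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
]

# Constructed test traces: one ordinary, one containing an unseen sequence.
BENIGN = ["open", "read", "close"]
SUSPICIOUS = ["open", "read", "close", "fork", "execve"]

if __name__ == "__main__":
    profile = train_normal_profile(NORMAL_TRACES)
    for name, t in [("benign", BENIGN), ("suspicious", SUSPICIOUS)]:
        print(f"{name}: anomaly score {score_trace(t, profile):.2f}")
```

The score is only as good as the training set: any behaviour the normal traces never exercised will be flagged, which is the training problem the message describes.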
    