On Wednesday, October 13, 1999 1:46 PM, Rick Smith <rick_smithat_private> wrote:

> At 12:19 PM 10/13/99 -0500, Don Helms wrote:
>
> >However, you can track the activity on a given account and see if the patterns
> >change. For example, the guy that logs in to one app every morning, does his
> >work and goes home. If suddenly that user is running this app, that app and
> >poking round at random, his password might have been compromised. Also keep
> >an eye on time of day for new and unusual activity.
>
> Does anyone have experience with such a thing in an operational
> environment? My impression was that these systems had very limited
> benefits.

The NIDES project concluded that detecting these events was sporadic at best, and was subject to fairly high levels of both false positive and false negative. Then again, this was 1993, so there has been a while for technology to move ahead (SAFEGUARD final report, 12/93, SRI International).

What seems much easier is not to look for access with a compromised password, but rather access with a known user account and an unknown password (brute force attacks). These leave logs basically everywhere.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems           | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA                         | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
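
Added example (not part of the original message, and not code from ISS or SRI): the log check described in the reply above, counting failed password attempts against existing accounts inside a sliding window and noting when a success follows. The sshd-style sample lines, the threshold of 5 and the 5-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd syslog style; hosts, users and addresses are made up.
FAIL = "Oct 13 {t} host sshd[102]: Failed password for {u} from {ip} port 4100 ssh2"
SAMPLE_LOG = "\n".join(
    ["Oct 13 09:00:01 host sshd[101]: Accepted password for alice from 192.0.2.10 port 4001 ssh2"]
    + [FAIL.format(t=f"13:40:{s:02d}", u="bob", ip="198.51.100.7") for s in (2, 5, 9, 12, 20, 31)]
    + ["Oct 13 13:41:00 host sshd[103]: Accepted password for bob from 198.51.100.7 port 4101 ssh2"]
    + [FAIL.format(t=t, u="carol", ip="203.0.113.5") for t in ("08:00:00", "14:00:00")]
    + [FAIL.format(t=f"15:00:{s:02d}", u="invalid user admin", ip="203.0.113.9") for s in range(6)]
)

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"(Failed|Accepted) password for (invalid user )?(\S+) from (\S+)")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), year=1999):
    """Flag existing accounts with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)          # account -> (timestamp, source) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, result, invalid, user, src = m.groups()
        if invalid:                      # nonexistent account, not the known-user case
            continue
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if result == "Accepted":
            if user in alerts:           # guessing run followed by a working password
                alerts[user]["success_after"] = True
            continue
        q = recent[user]
        q.append((ts, src))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"failures": 0, "sources": set(), "success_after": False})
            a["failures"] = max(a["failures"], len(q))
            a["sources"].update(s for _, s in q)
    return alerts

if __name__ == "__main__":
    for user, info in find_bruteforce(SAMPLE_LOG).items():
        print(user, info)
```

Syslog timestamps carry no year, so the `year` parameter is supplied by the caller; the two widely spaced failures for `carol` stay below the threshold and are not reported.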
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:43:55 PDT