An important thing that we should notice is that trying to identify what is wrong without a specific definition of what is wrong is as easy as defining what is right. So working with systems that, visually or not, try to show things that deviate from what is considered right will not work in situations where your variables can be in a wide range. Looking at IP addresses and port numbers is easy, but the problem will increase when we talk about variables from higher layers. Exactly because of that I think that anomaly-based systems will work better on internal networks. The simple fact of restricting the number of sources or destinations of the communication will help.

(back to the graphical discussion) As a suggestion, we may try to show visually the processes that users use in the network. Your sysadmin accesses the Internet, e-mail, and a bunch of servers through SSH, from his workstation and from VPN at night. I can clearly see a plot out of the graphic when he starts to use telnet from the servers to other places at weekends. The problem here is how to put all these variables in only 3 dimensions. Can that thing called "phase space analysis" help with this?

Regards,
Augusto.

On Thu, 19 Aug 2004 11:56:16 -0700, Tina Bird <tbird@precision-guesswork.com> wrote:
>
> > This is because telling what is "odd" is a very difficult thing to do on
> > a computer. And I mean difficult in the scientific meaning of the word:
> > we often lack the conceptual tools to do so.
> >
> > But really, it's nice to see that my research isn't a total waste of
> > time :P
>
> Oh, I know -- in an earlier life I worked on statistics -- multivariate
> hypothesis tests, and that in a situation where I had continuous variables
> and relatively well tested theories that gave me a reasonable model for
> things I "ought" to see. But then I decided to move into a field that paid
> a living wage ;-)
>
> Of course, I didn't have the sense to find >easy< problems to work on.
>
> This is why whenever I'm looking at logs or doing any other repetitive task,
> I consciously try to observe what my brain is doing for pattern detection --
> and then fire messages off to Marcus and this list, if I notice anything
> that might be helpful. Like the "sources of remote connections" request
> yesterday, which came straight out of looking at data from machines
> compromised in what's now being called the "Teragrid compromises."

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
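The baseline-and-deviation idea in Augusto's message (a per-user profile of what is considered right on an internal network, with telnet from a server at the weekend falling outside it), as an added example that is not part of the original thread; the log records, the user name and the source/service/destination categories are constructed for illustration:

```python
"""Profile per-user network activity, then report how a new event deviates."""
from collections import defaultdict
from datetime import datetime

# Constructed training records (not from the post):
# (user, ISO timestamp, source kind, service, destination kind)
BASELINE = [
    ("admin", "2004-08-16T09:12:00", "workstation", "http", "internet"),
    ("admin", "2004-08-16T09:30:00", "workstation", "imap", "mailserver"),
    ("admin", "2004-08-16T10:05:00", "workstation", "ssh", "server"),
    ("admin", "2004-08-16T23:40:00", "vpn", "ssh", "server"),
    ("admin", "2004-08-17T22:15:00", "vpn", "ssh", "server"),
    ("admin", "2004-08-18T11:00:00", "workstation", "ssh", "server"),
]


def time_class(ts: str) -> str:
    """Collapse a timestamp into the coarse classes the post reasons about."""
    dt = datetime.fromisoformat(ts)
    day = "weekend" if dt.weekday() >= 5 else "weekday"
    hour = "night" if dt.hour >= 20 or dt.hour < 6 else "day"
    return f"{day}/{hour}"


def build_profile(records):
    """Define what is 'right': every (source, service, destination, time)
    combination a user has been seen to use during the training period."""
    profile = defaultdict(set)
    for user, ts, src, svc, dst in records:
        profile[user].add((src, svc, dst, time_class(ts)))
    return profile


def score(profile, record):
    """Return the dimensions in which `record` deviates from the user's baseline.
    An empty list means the event matches known-good behaviour; a user with no
    baseline at all is reported as ["user"]; a known user whose individual values
    are all familiar but never seen together is reported as ["combination"]."""
    user, ts, src, svc, dst = record
    observed = (src, svc, dst, time_class(ts))
    known = profile.get(user, set())
    if observed in known:
        return []
    if not known:
        return ["user"]
    # Name each dimension whose value this user has never exhibited at all.
    names = ("source", "service", "destination", "time")
    novel = [n for i, (n, v) in enumerate(zip(names, observed))
             if v not in {k[i] for k in known}]
    return novel or ["combination"]
```

Restricting the profile to a small, internal set of source and destination kinds is what keeps the "known" set small enough for this kind of set-membership check to be meaningful.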
This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 14:46:05 PDT