>Well, part of this is obviously the heavily-entrenched `signature'
>mentality which characterises the (vast) majority of system monitoring/log
>analysis/intrusion detection/antivirus/spam handling products today.
And, it seems there is a reason for that. The signature stuff actually
works (to some extent...)! IMHO, what is more important for its commercial
viability, it also seems easier to _demonstrate_ that it does work ("See
how many CodeRed attempts we got... horrible, isn't it ... yeah, I know
it's a 3-year-old worm..." :-)) On the other hand, it seems that
_sometimes_ 'anomaly detection' is just another way of saying 'it MIGHT
work, just not today' :-) Reading many of the anomaly detection papers
that were published over the last 20 years makes one wonder why all
_leading_ commercial NIDS are signature-based (or built upon the
signature-based cores with some anomaly pieces added). Note that I don't
discount statistical anomaly detection (I think it rocks!), I am just
somewhat skeptical about its current state as it applies to producing
_actionable_ alerts...
>My contention: if you can't enunciate such a thing, then the concept of
>`anomaly' is almost certainly poorly defined.
Even if you can, but choose a poor model, your anomaly detection will
likely boil down to an "improved random event generator" :-)
Best,
--
Anton A. Chuvakin, Ph.D., GCIA, GCIH
http://www.info-secure.org
http://www.securitywarrior.com
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Tue Aug 31 2004 - 11:57:06 PDT