IDS: academical questions
- To: ids@uow.edu.au
- Subject: IDS: academical questions
- From: Marc Plaggemeier <mp@ndh.net>
- Date: Wed, 7 Feb 2001 13:44:53 +0100
Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Hello,
I have some (possibly hard) "academic" questions about IDS.
I hope someone can help me.
First some notes. I have developed an IDS for my diploma thesis
(university in Bonn/Germany). It is an SSH proxy which detects all commands
given by the user. There are two parts. The anomaly detection, which compares
the commands (standard deviation, minimum, maximum) with the normal
behaviour of the user. And there is a misuse detection, which compares the
commands and the server output to known attacks (known hacker tools, source
codes, directory content or known exploits).
Now I have some questions:
1a. The mathematical background: I used the model developed by Dorothy
Denning. The model uses the mean and standard deviation to calculate the
probability that a command differs from the normal behaviour. The "Chebyshev
inequality" is used to realize this. But what assumptions must be given
to use this model? I did not find any deeper comments. Only "this model is
based on the assumption that all we know about ... are mean and standard
deviation". I know the mathematical background (variance, actuarial
expectation).
Which other approaches exist to calculate the normal behaviour?
1b. I tried to find a paper which describes the exact "algorithm" to
calculate the normal behaviour. My system splits an hour into six sections (10
minutes). The normal behaviour describes how many different commands
the user uses in one section. I found the different statistical models, but
my question is: how do other IDS calculate the profile? Do they calculate
the profile over a fixed period of time? How do they compare the user
behaviour? Only the last xx minutes or a longer period?
2. Which other systems are based on the idea that an intrusion can be
detected only by detecting the user commands and comparing them?
3. Are there any IDS which compare the server output to known attacks?
I hope you understand my questions ;-)) and someone can help me.
If anybody knows some papers please tell me.
Greetings
Marc
--
Marc Plaggemeier <mp@ndh.net>, Web developer      phone: 02203/93530-0
NDH IT Service AG                                 fax:   02203/93530-99
51149 Koeln, Theodor-Heuss-Str. 92-100, DE        http://www.ndh.net
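The model asked about in 1a and 1b, worked through as an added example (editor's illustration, not the poster's SSH proxy code and not Denning's own implementation): a per-user profile holding the mean and variance of the number of different commands per 10-minute section, and the Chebyshev bound P(|X - mu| >= k*sigma) <= 1/k^2 used to decide whether a new section is anomalous. The only assumption Chebyshev needs is a finite variance; it does not assume a normal distribution, which is why it is used when "all we know are mean and standard deviation", but the bound is loose and says nothing at all for deviations under one standard deviation. The training counts and the session log are constructed, and the `window` parameter (last N sections versus the whole history) is an added knob to show the trade-off raised in 1b, not something the post describes.

```python
"""Denning's mean / standard deviation model with the Chebyshev inequality,
applied to the measure in the post: distinct commands per 10-minute section.

Added example; not the original poster's code.  All data below is constructed.
"""
from collections import deque
from math import sqrt
from statistics import mean, pvariance

SECTION_SECONDS = 600  # one 10-minute section, six per hour as in the post


def distinct_commands_per_section(events, section_seconds=SECTION_SECONDS):
    """events: (seconds since session start, command name) pairs for one user.

    Returns the number of *different* command names seen in each section
    (empty sections count as 0).  This is the observed measure x_t."""
    if not events:
        return []
    last = max(t for t, _ in events)
    sections = [set() for _ in range(int(last // section_seconds) + 1)]
    for t, command in events:
        sections[int(t // section_seconds)].add(command)
    return [len(s) for s in sections]


class MeanStdProfile:
    """Per-user, per-measure profile: mean and variance of past x_t values.

    window=None keeps the whole history (a fixed training period);
    window=N keeps only the last N sections, so the profile follows the
    user's recent behaviour and forgets older sections.  (Assumed knob.)"""

    def __init__(self, training=(), window=None):
        self.obs = deque(maxlen=window)
        for x in training:
            self.update(x)

    def update(self, x):
        self.obs.append(x)

    @property
    def mean(self):
        return mean(list(self.obs))

    @property
    def variance(self):
        # population variance: the profile itself is the assumed distribution
        return pvariance(list(self.obs))

    @property
    def std(self):
        return sqrt(self.variance)

    def chebyshev_bound(self, x):
        """Distribution-free upper bound on P(|X - mu| >= |x - mu|).

        Chebyshev: P(|X - mu| >= k*sigma) <= 1/k**2 = sigma**2 / (x - mu)**2.
        Requires only a finite variance; no normality is assumed.  The bound
        is capped at 1.0, so deviations of one sigma or less are never
        informative under this model."""
        if len(self.obs) < 2:
            raise ValueError("profile needs at least two observations")
        dev2 = (x - self.mean) ** 2
        if dev2 == 0:
            return 1.0
        if self.variance == 0:
            return 0.0  # any deviation from a constant profile is "impossible"
        return min(1.0, self.variance / dev2)

    def is_anomalous(self, x, p=0.05):
        """Flag x when even the loose Chebyshev bound on its probability is
        below p; at p=0.05 that means more than sqrt(20) ~ 4.47 sigma away."""
        return self.chebyshev_bound(x) < p


# Constructed training data: distinct-command counts of ten past sections.
TRAINING_COUNTS = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]  # mean 5, variance 0.6

# Constructed SSH session: (offset in seconds, command name).
SESSION_EVENTS = [
    (5, "ls"), (30, "cd"), (100, "ls"),                      # section 0: 2
    (650, "cat"), (700, "less"), (710, "cat"), (800, "grep"),  # section 1: 3
    (1210, "ls"), (1220, "cd"), (1250, "wget"), (1260, "tar"),
    (1280, "gcc"), (1300, "chmod"), (1310, "./a.out"), (1330, "id"),
    (1350, "cat"),                                            # section 2: 9
]


def score_session(events, training=TRAINING_COUNTS, p=0.05):
    """Return (section, count, chebyshev_bound, flagged) for every section."""
    profile = MeanStdProfile(training)
    return [(i, x, round(profile.chebyshev_bound(x), 4), profile.is_anomalous(x, p))
            for i, x in enumerate(distinct_commands_per_section(events))]


if __name__ == "__main__":
    for row in score_session(SESSION_EVENTS):
        print(row)
```

Two things the numbers make visible. First, the model is two-sided: a section with far fewer distinct commands than usual scores exactly like one with far more, so a proxy that only cares about bursts of new tools needs a one-sided check. Second, the window choice is a security trade-off rather than a statistical one: a short window adapts to a legitimate change of work pattern within a few sections, but the same property lets an attacker who already holds the account drift the profile gradually, and with the whole-history profile, letting anomalous sections into the training data inflates the variance and blinds the detector.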