
Re: IDS: academical questions



Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Just a quick thought: You might want to look at "biometrics". I think
Dorothy Denning is referring to the well-known fact that we all, within
a given time-domain, have a distinct typing pattern and that it's
possible to detect the real user given that typing pattern. I don't know
the mathematics.
If your goal is the actual commands issued and their context, you might
want to look at something like "hostsentry" (but others on this list are
surely more capable of pointing you in the right direction and
pinpointing some more appropriate applications).

Regards, 
S. Brandbyge

Marc Plaggemeier wrote:

> Hello,
> 
> I have some (possibly hard) "academic" questions about IDS.
> I hope someone could help me.
> 
> First some notes. I have developed an IDS for my diploma thesis
> (university in Bonn/Germany). It is an SSH proxy which detects all commands
> given by the user. There are two parts. The anomaly detection, which compares
> the commands (standard deviation, minimum, maximum) with the normal
> behaviour of the user. And there is a misuse detection, which compares the
> commands and the server output to known attacks (known hacker tools, source
> codes, directory content or known exploits).
> 
> Now I have some questions:
> 
> 1a. The mathematical background: I used the model developed by Dorothy
> Denning. The model uses the mean and standard deviation to calculate the
> probability that a command differs from the normal behaviour. The "Chebyshev
> inequality" is used to realise this. But what assumptions must be given
> to use this model? I did not find any deeper comments. Only "this model is
> based on the assumption that all we know about ... are mean and standard
> deviation". I know the mathematical background (variance, actuarial
> expectation).
> 
> Which other approach exists to calculate the normal behaviour?
> 
> 1b: I tried to find a paper which describes the exact "algorithm" to
> calculate the normal behaviour. My system splits an hour into six sections
> (10 minutes). The normal behaviour describes how many different commands
> the user uses in one section. I found the different statistical models, but
> my question is: how do other IDS calculate the profile? Do they calculate
> the profile over a fixed period of time? How do they compare the user
> behaviour? Only the last xx minutes or a longer period?
> 
> 2. Which other systems are based on the idea that an intrusion can be
> detected only by detecting the user commands and comparing them?
> 
> 3. Are there any IDS which compare the server output to known attacks?
> 
> I hope you understand my questions ;-)) and someone can help me.
> If anybody knows some papers please tell me.
> 
> Greetings
> Marc
> 
> --
> Marc Plaggemeier <mp@ndh.net>, Webentwickler      fon : 02203/93530-0
> NDH IT Service AG                                 fax : 02203/93530-99
> 51149 Koeln, Theodor-Heuss-Str. 92-100, DE        http://www.ndh.net
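The Denning-style anomaly profile Marc describes in question 1a/1b (distinct commands per 10-minute section, mean and standard deviation, Chebyshev bound), written out as an added example that is not code from either poster or from Marc's thesis. The command lists, the k=3 threshold and the optional sliding window over the last N sections are constructed assumptions, not values from the thread.

```python
from statistics import mean, pstdev

# Constructed sample history: one list per 10-minute section, holding the
# commands the user ran in that section (repeats count once when profiling).
SECTIONS = [
    ["ls", "cd", "vi", "make"],                        # 4 distinct
    ["ls", "cd", "vi", "make", "gcc"],                 # 5 distinct
    ["ls", "cat", "less", "vi"],                       # 4 distinct
    ["ls", "cd", "grep", "vi", "make", "ls", "diff"],  # 6 distinct
    ["ls", "cd", "vi", "git", "make"],                 # 5 distinct
    ["ls", "cd", "cat", "vi"],                         # 4 distinct
    ["ls", "cd", "vi", "make", "man"],                 # 5 distinct
    ["ls", "cd", "vi"],                                # 3 distinct
]


def distinct_counts(sections):
    """Per-section measure from the thread: how many different commands were used."""
    return [len(set(s)) for s in sections]


def build_profile(counts, window=None):
    """Mean and (population) standard deviation of the measure.

    window=None profiles the whole history; window=N uses only the last N
    sections, i.e. the "last xx minutes" alternative Marc asks about.
    """
    history = counts if window is None else counts[-window:]
    return mean(history), pstdev(history)


def chebyshev_bound(x, mu, sigma):
    """Chebyshev upper bound on P(|X - mu| >= |x - mu|): sigma^2 / d^2, capped at 1.

    This is the only probability statement available when all we know about
    the distribution is its mean and standard deviation.
    """
    d = abs(x - mu)
    if d == 0:
        return 1.0
    if sigma == 0:          # profile never varied: any deviation is maximally surprising
        return 0.0
    return min(1.0, (sigma / d) ** 2)


def is_anomalous(x, mu, sigma, k=3.0):
    """Denning's rule: abnormal if x falls outside mu +/- k*sigma.

    By Chebyshev the chance of that under normal behaviour is at most 1/k^2,
    so k=3 (an assumed setting) flags at most ~11% of normal sections.
    """
    return abs(x - mu) > k * sigma
```

A deployment would recompute the profile as sections accumulate and decide, per user, whether the full history or only a recent window defines "normal"; the two give different baselines even on this small sample.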