
Re: Anomaly detection [was Re: IDS: Assessment tools/Scanners]



FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
------------------------------------------------------------------------------
On Tue, 12 Oct 1999, Stuart Staniford-Chen wrote:

> One comment that caught my eye: you misclassify IDIOT as a system
> based on machine learning.  If I recall correctly, IDIOT is basically
> a rule based system... the petri-net patterns are all written by a
> human, and not inferred from data by the machine...

ach, you're right. it's been a long time since i looked at IDIOT, and i
misremembered it as actually having implemented predictive pattern
generation - but it's much simpler than that.

> We only disagree terminologically... It seems useful to distinguish
> the "machine learning" type of anomaly detection from the "human
> specification" type of anomaly detection.

sure. but they're still both anomaly detection, no? :-)

the terminology in this area can be confusing. i've also seen "equality
matching" used as a synonym for "specification-based" ID, etc.

> http://seclab.cs.ucdavis.edu/papers/pdfs/ck-mr-kl-97.pdf

thanks for the reference!

-d.

---
http://www.monkey.org/~dugsong/