hi Bill,
> > I agree wholeheartedly with dreamwvr. IDS is in its infancy. One point
> > that needs to be emphasized is that network based IDS uses two primary
> > means of detecting intrusions. The most common method is pattern
> > recognition. Attacks have a particular pattern (signature) that can be
> > recognized. The problem of course is (like virus detection) the attack
> > must be known, the signature created and then distributed to the IDS
> > systems. The second method of detection is differential detection. A
> > network has certain "normal" operating parameters and when operations go
> > outside the norm then an alarm is generated. The advantage with this
> > method is that it adapts automatically. The disadvantage is that it tends
> > to generate alarms for any unusual activity whether security related or
> > not. For example, updating software on clients generates a lot of
> > traffic that the IDS sees as abnormal.
Yes, pattern recognition is the most accurate but inflexible methodology,
whereas anomaly detection spawns more false positives, but if one
"had the time" this could be extended to become nearly intelligent ;-))
> > The best approach is a combination of both methods. The reason the most
> > popular IDS products rely primarily on pattern recognition is because it
> > is the easiest to build and the easiest to sell. Dreamwvr is right about
> > the BEST never gets beyond first base and that applies to a lot of
> > products.
Like most things looking from both sides now tends to be more full circle
than closing off one perspective.
Best Regards,
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
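The two detection methods discussed in this thread, as an added example that is not part of the original messages: a toy signature engine and a toy anomaly engine are run over a small set of constructed flow records (hypothetical addresses, byte counts and payloads). The signatures, the per-minute byte threshold of mean plus three standard deviations, and the four scenarios (a known exploit, a benign software rollout, an unsigned scan, a low-and-slow unsigned probe) are all assumptions made up for the illustration; they show the trade-off described above, namely that the signature engine only catches what it has a pattern for, while the anomaly engine alarms on anything unusual, including the update traffic, and both miss what is neither known nor loud.

```python
"""Toy comparison of signature-based and anomaly-based NIDS logic.

Constructed example, not code from the firewalls list thread: a few
hypothetical flow records are run through both detectors so the
trade-off between the two approaches is visible in the output.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    minute: int      # minute bucket the flow fell into
    src: str
    dst: str
    dst_port: int
    nbytes: int
    payload: bytes   # first bytes of the payload (constructed)


# Hypothetical signatures: byte patterns assumed to belong to known attacks.
SIGNATURES = {
    "known-exploit-A": b"\x90\x90\x90\x90/bin/sh",
    "known-webshell-B": b"cmd=whoami",
}


def signature_alerts(flows):
    """Return (flow, signature_name) for every flow containing a known pattern."""
    return [(f, name) for f in flows
            for name, pattern in SIGNATURES.items() if pattern in f.payload]


def bytes_per_minute(flows):
    """Sum bytes into per-minute buckets."""
    totals = {}
    for f in flows:
        totals[f.minute] = totals.get(f.minute, 0) + f.nbytes
    return totals


def build_baseline(training_flows):
    """Learn 'normal' as (mean, stdev) of per-minute byte totals."""
    totals = list(bytes_per_minute(training_flows).values())
    return mean(totals), pstdev(totals)


def anomaly_alerts(flows, baseline, k=3.0):
    """Return minutes whose byte total exceeds mean + k*stdev of the baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return sorted(m for m, t in bytes_per_minute(flows).items() if t > threshold)


# Constructed training window: ten quiet minutes of ordinary web traffic.
NORMAL_PER_MINUTE = [5000, 5200, 4800, 5100, 4900, 5000, 5300, 4700, 5000, 5000]
TRAINING = [Flow(m, "10.0.0.5", "10.0.1.20", 443, b, b"GET /index.html")
            for m, b in enumerate(NORMAL_PER_MINUTE)]

# Constructed live window with four scenarios.
LIVE = (
    # minute 10: ordinary traffic plus one small flow carrying a known exploit
    [Flow(10, "10.0.0.5", "10.0.1.20", 443, 5000, b"GET /index.html"),
     Flow(10, "203.0.113.9", "10.0.1.20", 80, 300, b"\x90\x90\x90\x90/bin/sh")]
    # minute 11: benign software rollout, 20 clients each pulling 2 MB
    + [Flow(11, f"10.0.0.{i}", "10.0.2.2", 443, 2_000_000, b"GET /update.bin")
       for i in range(1, 21)]
    # minute 12: a scan with no signature, 200 tiny probes on top of normal load
    + [Flow(12, "10.0.0.5", "10.0.1.20", 443, 5000, b"GET /index.html")]
    + [Flow(12, "198.51.100.7", f"10.0.1.{i}", 22, 60, b"SSH-2.0-probe")
       for i in range(1, 201)]
    # minute 13: a low-and-slow probe that is neither known nor loud
    + [Flow(13, "10.0.0.5", "10.0.1.20", 443, 5000, b"GET /index.html"),
       Flow(13, "198.51.100.7", "10.0.1.20", 80, 300, b"cmd=id")]
)


def run_demo():
    """Run both detectors over LIVE and report which minutes each one flags."""
    baseline = build_baseline(TRAINING)
    sig_hits = signature_alerts(LIVE)
    return {
        "signature_minutes": sorted({f.minute for f, _ in sig_hits}),
        "signature_names": sorted({name for _, name in sig_hits}),
        "anomaly_minutes": anomaly_alerts(LIVE, baseline),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With these constructed inputs the signature engine flags only minute 10 (the one payload it has a pattern for), the anomaly engine flags minutes 11 and 12 (the update rollout and the scan, without distinguishing the benign one from the hostile one), and neither flags minute 13. Refitting the baseline periodically is what gives anomaly detection the self-adapting behaviour mentioned in the thread, at the cost that a slow enough attacker can become part of "normal".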