[EMAIL PROTECTED] wrote:

> found little on that subject

There are hundreds of papers on that topic; I kindly advise that you search the usual engines a bit better :)

What you are describing is a general and vague concept of a learning algorithm which tries to find outliers in network traffic. A nice concept, but you really should work out the details a bit more :)

> anomalies happen (network data will be compared to the database built in
> the first stage),

How? This is one of the deepest questions in unsupervised learning :)

> 1-information about each hostname, IP address, and MAC address.

This is something any tool for ARP spoofing detection already does...

> 2-ports open on each host and ports that each host connects to. The IDS
> should issue an alert if the host opens a port which wasn't open before
> or tries to connect to a new port;

You should check Marcus Ranum's ideas on this subject, and also the Arbor Networks products follow similar patterns. But this is really "old news" in research terms.

> 3-times each host uses the network and which usernames it uses to
> connect to network resources; this should enable the IDS to detect if
> someone else is using the computer or using a different username.

This is not an indication of an attack, actually.

Best regards and good luck,
Stefano Zanero
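The port-usage rule from point 2 of the quoted proposal, written out as an added example (this is illustrative code for this page, not code from the thread or from any tool mentioned in it): a baseline of which ports each host listens on and which host:port pairs it connects to is learned from a first batch of records, and a second batch is then checked against it, with anything unseen reported. The record format, host names and ports are assumptions constructed for the example.

```python
# Added example: "learn, then alert" detector for per-host port usage.
# Not code from the thread; the record format and all values are constructed.
from collections import defaultdict

# Constructed learning-phase records. Assumed format: "<kind> key=value ...",
# where kind is "listen" (a host opened a local port) or "connect"
# (a host connected to a remote host:port).
BASELINE_LOG = """
listen host=ws01 port=22
listen host=ws01 port=5900
connect src=ws01 dst=fileserver port=445
connect src=ws01 dst=mail port=25
listen host=fileserver port=445
listen host=fileserver port=22
connect src=fileserver dst=ntp port=123
""".strip().splitlines()

# Constructed detection-phase records; two of them deviate from the baseline.
LIVE_LOG = """
connect src=ws01 dst=fileserver port=445
listen host=ws01 port=8080
connect src=ws01 dst=fileserver port=22
connect src=fileserver dst=ntp port=123
listen host=fileserver port=22
""".strip().splitlines()


def parse_record(line):
    """Turn 'kind k=v k=v' into (kind, {k: v}); the port becomes an int."""
    kind, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    if "port" in attrs:
        attrs["port"] = int(attrs["port"])
    return kind, attrs


class PortBaseline:
    """Per-host sets of listening ports and outbound (dst, port) pairs."""

    def __init__(self):
        self.listening = defaultdict(set)   # host -> {port, ...}
        self.outbound = defaultdict(set)    # host -> {(dst, port), ...}

    def _lookup(self, line):
        """Map a record to (table, host, key) so learn/detect share one path."""
        kind, a = parse_record(line)
        if kind == "listen":
            return self.listening, a["host"], a["port"]
        if kind == "connect":
            return self.outbound, a["src"], (a["dst"], a["port"])
        raise ValueError(f"unknown record kind: {kind!r}")

    def learn(self, lines):
        """Learning phase: every observation is assumed benign and recorded."""
        for line in lines:
            table, host, key = self._lookup(line)
            table[host].add(key)

    def detect(self, lines):
        """Detection phase: return (host, description) for records not in the baseline.

        A flagged record is merely *new*, not necessarily hostile; a host never
        seen during learning has every record flagged, since its sets are empty.
        """
        alerts = []
        for line in lines:
            table, host, key = self._lookup(line)
            if key in table[host]:
                continue
            if table is self.listening:
                alerts.append((host, f"new listening port {key}"))
            else:
                dst, port = key
                alerts.append((host, f"new outbound connection to {dst}:{port}"))
        return alerts


def run_example():
    """Learn from BASELINE_LOG, then check LIVE_LOG; returns the alert list."""
    baseline = PortBaseline()
    baseline.learn(BASELINE_LOG)
    return baseline.detect(LIVE_LOG)


if __name__ == "__main__":
    for host, what in run_example():
        print(f"ALERT {host}: {what}")
```

Everything seen during the learning window is taken as benign, which is exactly the "How?" the reply presses on: a learning window that already contains unwanted activity produces a baseline that hides it, and a baseline that is never updated turns every legitimate change into an alert. Deciding how long to learn, how to validate the learned set, and when to fold a confirmed-benign alert back into the baseline is where the real design work lies.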
