Focus on IDS
Re: Snort with an expert system Jun 25 2009 11:25AM
Tomas Olsson (tol sics se)
My comments in the text below.

Stefano Zanero wrote:
>> "A false positive is an alert that triggers on normal traffic where no
>> intrusion or attack is underway"
>>
>
> That's a good definition, but not really complete. Under that
> definition, if you place a rule that flags IRC connections, and it
> fires, is that a false positive?
>
Well, then you do not use snort as an automated intrusion detector but
as a generic log monitor. No problem with that,
but I would say it is a false positive if the IRC connection is not
considered an intrusion.

> Is it a false positive a case where there is no rule, or the traffic
> does not match with the rule, and the engine still fires?
>
>
This does not fit with the above definition since the alert must be
triggered by the traffic.
> Is it a false positive a case where a rule correctly matches, but the
> user didn't want to be alerted to that traffic ?
>

Yes, if there was no attack or intrusion triggering the alert. But, why
would the user not want to be alerted if it is a real intrusion?

With respect to using the alerts as input to our algorithm, no of these
objections are important. We just use the type of alerts as sensor data
that we want to analyze to see when the frequencies of each type of
alert diverge from what previously has been observed.
>
>> In addition, I don't understand why there would be no reason that this
>> algorithm would work. Could you explain? The algorithm is developed by
>> experts in Bayesian statistics and has been applied in other fields as
>> well.
>>
>
> The algorithm type has apparently no relevance to the problem. Why
> should a false positive be statistically different, in the sense you are
> considering, from a true positive?
>

Well, there is nothing that says that there must be any difference
between a false and a true alert. However, assume that there are
legitimate traffic that triggers false alerts on a regular basis. With
our algorithm, we learn to recognize the frequency pattern of these
alerts. Later, suddenly there appears malicious traffic triggering true
alerts, maybe for a more limited time. Then would not the frequency
pattern of the generated alerts change in some way? We can detect that
change, but also the collective change of different alert types not
shown from a single alert type.

Kind regards
Tomas

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus