The State of Anomaly Detection

Discussion in 'other security issues & news' started by spy1, Jul 1, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    "One of These Things is not Like the Others: The State of Anomaly Detection
    by Matthew Tanase
    last updated July 1, 2002


    "To some, our observations can be summarized succinctly as "bugs happen". That certainly is not news. But dismissing our results so cavalierly misses the point. Yes, bugs happen. But bugs can be fixed - if they are detected. The Internet is, as a whole, working remarkably well. Huge software packages (i.e., X11R5) can be distributed electronically. Connections span the globe. But the very success of the Internet makes some bugs invisible." - Steven Bellovin [1]

    This excerpt, from the well-known 1993 report Packets Found on an Internet, was written nearly nine years ago. As we all know, times have changed. Today, such "bugs" are likely part of an attempt to breach network security. The investigation of strange packets, the cited paper's topic, is now quite common. We know it as intrusion detection. In the past few years, intrusion detection systems have joined firewalls as the fundamental technologies driving network security. In the near future, a third component will emerge - anomaly detection.

    What is Anomaly Detection?

    Anomaly detection can be described as an alarm for strange system behavior. The concept stems from a paper fundamental to the field of security - An Intrusion Detection Model, by Dorothy Denning [2]. In it, she describes building an "activity profile" of normal usage over an interval of time. Once in place, the profile is compared against real-time events. Anything that deviates from the baseline, or the norm, is logged as anomalous."

    Rest of article here: . Pete
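The activity-profile model the excerpt describes (build a profile of normal usage over an interval, then flag real-time events that deviate from it), as an added example that is not part of the original post or of Tanase's article. The profile here is a per-hour-of-day mean and standard deviation of some count (constructed login-attempt counts stand in for the real observable), and an event is logged as anomalous when its z-score exceeds a threshold; the data, the threshold and the function names are all assumptions made for the illustration.

```python
"""Toy Denning-style anomaly detector: baseline profile, then deviation alarm.

Added example, not code from the article or the thread. Assumptions:
- "activity" is a per-hour count of one observable (constructed here);
- the profile is a per-hour-of-day mean and standard deviation built
  over a training interval of several days;
- an observation is anomalous when it lies more than THRESHOLD standard
  deviations from the profile for its hour.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

THRESHOLD = 3.0  # z-score above which an observation is logged as anomalous


@dataclass
class HourProfile:
    mean: float
    stdev: float


def build_profile(observations: List[Tuple[int, int]]) -> Dict[int, HourProfile]:
    """Build the activity profile from (hour_of_day, count) training pairs."""
    by_hour: Dict[int, List[int]] = defaultdict(list)
    for hour, count in observations:
        by_hour[hour].append(count)
    profile: Dict[int, HourProfile] = {}
    for hour, counts in by_hour.items():
        mean = sum(counts) / len(counts)
        variance = sum((c - mean) ** 2 for c in counts) / len(counts)
        profile[hour] = HourProfile(mean, math.sqrt(variance))
    return profile


def score(profile: Dict[int, HourProfile], hour: int, count: int) -> float:
    """Return how many standard deviations `count` is from the hour's baseline."""
    p = profile.get(hour)
    if p is None:
        return math.inf  # no baseline for this hour: nothing to compare against, treat as anomalous
    if p.stdev == 0.0:
        return 0.0 if count == p.mean else math.inf  # constant baseline: any change is a deviation
    return abs(count - p.mean) / p.stdev


def detect(profile: Dict[int, HourProfile], events: List[Tuple[int, int]],
           threshold: float = THRESHOLD) -> List[dict]:
    """Compare real-time (hour, count) events against the profile; return the anomalies."""
    alerts = []
    for hour, count in events:
        z = score(profile, hour, count)
        if z > threshold:
            alerts.append({"hour": hour, "count": count, "zscore": round(z, 2)})
    return alerts


def constructed_training() -> List[Tuple[int, int]]:
    """Constructed 7-day training interval: ~50 attempts/hour in office hours, ~2 at night,
    with a small day-to-day wobble so each hour has a non-zero standard deviation."""
    rows = []
    for day in range(7):
        for hour in range(24):
            base = 50 if 9 <= hour <= 17 else 2
            rows.append((hour, base + (day % 3) - 1))
    return rows


def run_demo() -> List[dict]:
    """Train on the constructed interval, then score a few constructed live events."""
    profile = build_profile(constructed_training())
    live_events = [
        (10, 51),   # normal daytime volume
        (3, 40),    # 40 attempts at 03:00: far above the night baseline
        (22, 2),    # normal night volume
        (10, 200),  # daytime spike: far above the office-hours baseline
    ]
    return detect(profile, live_events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the block logs the 03:00 burst and the 10:00 spike and stays quiet on the two normal events. Two properties of the model are worth keeping in mind when reading Tanase's article: the detector only knows what the training interval showed it, so activity that was already present during that interval becomes part of "normal", and an hour (or host, user, protocol) with no baseline at all cannot be scored, which the code surfaces as an infinite z-score rather than silently passing it.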
  2. Checkout

    Checkout Security Rhinoceros

    Feb 11, 2002
    Hey Pete - are you having trouble with insomnia lately? That article cured me! :)