Re: Intro and questions (fwd)

Abdelaziz MOUNJI (amo@info.fundp.ac.be)
Wed, 22 Mar 95 17:56:18 GMT

> After reading about sick puppy, then his detractors, then his supporter, then
> his detractor, then his <his detractor> detractor.  I'm moved to ask, 'can't
> we all just get along?'  How about we talk about a new intrusion strategy.  I'll
> start by asking how much interest does the group see in proactive strategies
> that allow a rule base to take action when someone misbehaves on a system?
> 


Indeed, we have to move to more constructive discussions. Following Kevin's 
suggestion, I am particularly interested in a rule-based approach to intrusion
detection. More specifically, we developed a distributed system for audit trail
analysis. In this system, distributed patterns of misbehavior are gathered at a 
central host for a network-level detection of misbehavior.

To give an example, suppose you have 3 hosts h1-3, where 3 actions a1-3 occurred,
then it is interesting to consider the aggregate pattern a1a2a3 as a single 
action. Most IDSs would consider each isolated (host-level) action a1-3 as 
legitimate while the analysis of the aggregated pattern may reveal a malicious
action.

Is there any interest in discussing this issue by providing examples of such
'distributed patterns'?

Thanks-

 --------------------------+-------------------------------------
| Abdelaziz Mounji	   |	amo@info.fundp.ac.be             |
| ASAX project		   |	http://www.info.fundp.ac.be/~amo |
| Institut d'Informatique  |	voice: +32 81 724987             |
| University of Namur  	   |	Fax  : +32 81 724967             |
 ----------------------------------------------------------------
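The h1-h3 / a1-a3 scenario from the message above, as an added example that is not part of the original post and not code from the ASAX project: a per-host rule base that passes every action on its own, and a central correlator that gathers the events from all hosts and only raises an alert when the ordered cross-host sequence a1a2a3 is completed by one user within a time window. The audit records are constructed sample data; the choice of the user name as the attribute that ties the three actions together, the 300-second window, and the assumption that the three hosts' clocks are already normalised to one time base are all assumptions of this example, not something the message states.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int       # seconds; assumed already normalised to a single clock
    host: str
    user: str     # assumed correlation key tying the actions together
    action: str


@dataclass(frozen=True)
class DistributedPattern:
    name: str
    steps: Tuple[Tuple[str, str], ...]   # ordered (host, action) pairs
    window: int                          # max seconds from first to last step


def host_level_verdict(ev: Event) -> str:
    """Stand-in for a per-host rule base: each of a1-a3 is permitted on its own."""
    return "legitimate"


class CentralCorrelator:
    """Central host that matches cross-host sequences over the gathered events.

    Partial matches are kept per (pattern, user). A partial match advances when
    the next (host, action) step of the pattern arrives for that user; it is
    discarded when the pattern's window has elapsed since its first event.
    """

    def __init__(self, patterns: List[DistributedPattern]):
        self.patterns = patterns
        self._partial: Dict[Tuple[str, str], List[List[Event]]] = defaultdict(list)
        self.alerts: List[Tuple[str, List[Event]]] = []

    def feed(self, ev: Event) -> List[Tuple[str, List[Event]]]:
        """Consume one event; return the alerts it completes (also recorded)."""
        new_alerts = []
        for pat in self.patterns:
            partials = self._partial[(pat.name, ev.user)]
            # expire partial matches whose window has run out
            partials[:] = [p for p in partials if ev.ts - p[0].ts <= pat.window]
            advanced = []
            for p in partials:                      # try to extend each partial
                if (ev.host, ev.action) == pat.steps[len(p)]:
                    advanced.append(p + [ev])
            if (ev.host, ev.action) == pat.steps[0]:  # or start a new one
                advanced.append([ev])
            for p in advanced:
                if len(p) == len(pat.steps):
                    alert = (pat.name, p)
                    self.alerts.append(alert)
                    new_alerts.append(alert)
                else:
                    partials.append(p)
        return new_alerts


# The pattern from the message: a1 on h1, then a2 on h2, then a3 on h3.
A1A2A3 = DistributedPattern("a1a2a3", (("h1", "a1"), ("h2", "a2"), ("h3", "a3")), 300)

# Constructed sample audit records from the three hosts (not real data).
SAMPLE_AUDIT = [
    Event(100, "h1", "alice", "a1"),
    Event(130, "h2", "alice", "a2"),
    Event(150, "h3", "bob", "a3"),     # another user's a3: does not complete alice's chain
    Event(160, "h3", "alice", "a3"),   # completes a1a2a3 across h1, h2, h3
    Event(400, "h1", "bob", "a1"),
    Event(900, "h2", "bob", "a2"),     # 500 s after bob's a1: outside the window
    Event(950, "h3", "bob", "a3"),
]


def analyse(events: List[Event], patterns: List[DistributedPattern]):
    """Run the host-level check on every event, then the network-level correlation."""
    verdicts = {ev: host_level_verdict(ev) for ev in events}
    corr = CentralCorrelator(patterns)
    for ev in sorted(events, key=lambda e: e.ts):
        corr.feed(ev)
    return verdicts, corr.alerts


if __name__ == "__main__":
    verdicts, alerts = analyse(SAMPLE_AUDIT, [A1A2A3])
    print("host-level:", set(verdicts.values()))
    for name, chain in alerts:
        print("network-level alert", name, [(e.host, e.user, e.action) for e in chain])
```

Every record passes the host-level check, so a purely host-based IDS reports nothing; the correlator raises exactly one alert, for alice's a1a2a3 chain, and stays silent for bob, whose a2 and a3 fall outside the window of his a1.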