> After reading about sick puppy, then his detractors, then his supporter, then
> his detractor, then his <his detractor> detractor. I'm moved to ask, 'can't
> we all just get along?' How about we talk about a new intrusion strategy. I'll
> start by asking how much interest does the group see in proactive strategies
> that allow a rule base to take action when someone misbehaves on a system?

Indeed, we have to move to more constructive discussions. Following Kevin's
suggestion, I am particularly interested in a rule-based approach to intrusion
detection. More specifically, we developed a distributed system for audit trail
analysis. In this system, distributed patterns of misbehavior are gathered at a
central host for a network-level detection of misbehavior.

To give an example, suppose you have 3 hosts h1-3, where 3 actions a1-3
occurred; then it is interesting to consider the aggregate pattern a1a2a3 as a
single action. Most IDSs would consider each isolated (host-level) action a1-3
as legitimate, while the analysis of the aggregated pattern may reveal a
malicious action.

Is there any interest in discussing this issue by providing examples of such
'distributed patterns'?

Thanks

--------------------------+-------------------------------------
| Abdelaziz Mounji        | amo@info.fundp.ac.be               |
| ASAX project            | http://www.info.fundp.ac.be/~amo   |
| Institut d'Informatique | voice: +32 81 724987               |
| University of Namur     | Fax  : +32 81 724967               |
----------------------------------------------------------------
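As an added illustration of the h1-3 / a1-3 example above (example code written for this page, not part of the ASAX project or the original message): a minimal central correlator that merges per-host audit trails and raises an alert only when the aggregate sequence a1 -> a2 -> a3 completes across hosts within a time window. The event format, the window, and the "distinct hosts" requirement are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditEvent:
    ts: int       # seconds (constructed timestamps)
    host: str
    action: str

# Constructed sample audit trails from three hosts. Each host-level action is
# individually legitimate; only the cross-host aggregate a1a2a3 is flagged.
SAMPLE_EVENTS = [
    AuditEvent(100, "h1", "a1"),
    AuditEvent(105, "h2", "a0"),
    AuditEvent(110, "h2", "a2"),
    AuditEvent(115, "h3", "a3"),
    AuditEvent(300, "h1", "a1"),   # lone a1 long after the window: no alert
    AuditEvent(600, "h1", "a3"),   # a3 with no preceding a1, a2: no alert
]

DISTRIBUTED_PATTERN = ("a1", "a2", "a3")   # assumed pattern definition
WINDOW_SECONDS = 60                         # assumed correlation window

def gather(events):
    """Central host: merge the per-host trails into one time-ordered stream."""
    return sorted(events, key=lambda e: (e.ts, e.host))

def detect_distributed_pattern(events, pattern=DISTRIBUTED_PATTERN,
                               window=WINDOW_SECONDS, distinct_hosts=True):
    """Return every completed aggregate pattern as a tuple of (host, action).

    A partial match advances when an event's action is the next element of
    the pattern (and, if distinct_hosts, its host has not been used yet);
    partial matches older than the window are discarded.
    """
    matches = []
    partial = []   # (start_ts, ((host, action), ...))
    for ev in gather(events):
        partial = [p for p in partial if ev.ts - p[0] <= window]
        extended = []
        for start, steps in partial:
            used = {h for h, _ in steps}
            if ev.action == pattern[len(steps)] and (
                    not distinct_hosts or ev.host not in used):
                new_steps = steps + ((ev.host, ev.action),)
                if len(new_steps) == len(pattern):
                    matches.append(new_steps)      # aggregate action detected
                else:
                    extended.append((start, new_steps))
        if ev.action == pattern[0]:
            extended.append((ev.ts, ((ev.host, ev.action),)))
        partial += extended
    return matches
```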