Friday, August 25, 2006

On "Behavior vs. Innovation"

So, I was reading this blog by the eEye guy and he mentioned that some of the techniques used to fight fraud in the banking industry (such as profiling) won't work too well in network security since banking is much more static. Specifically, he said: "The premise that underlies most behavior based systems - 'If I haven't seen it before, it's not allowed' - is an Achilles heel in an industry where, by definition, creating what you haven't seen before is its lifeblood."

I think he is being too harsh on this: 'If I haven't seen it before, it's not allowed' still works pretty well in many areas (such as log analysis), especially if you use a milder version, 'If I haven't seen it before, it's *suspicious*'...
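As an added illustration of that milder rule (example code, not from the original post): a small Python baseline built from constructed sshd-style login lines, which scores never-before-seen (user, source, auth method) combinations as suspicious rather than blocking them, and says which attribute is new. The log format, field choice and sample lines are assumptions.

```python
import re
from collections import Counter
# Constructed sample sshd-style log lines (not from the original post): a
# training window taken as the known-good baseline, then new lines to score.
TRAINING_LOGS = [
    "Aug 25 09:01:02 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5",
    "Aug 25 09:05:10 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5",
    "Aug 25 10:11:45 web1 sshd[2330]: Accepted publickey for bob from 10.0.0.7",
    "Aug 25 11:02:13 web1 sshd[2440]: Accepted publickey for alice from 10.0.0.5",
]
NEW_LOGS = [
    "Aug 26 08:30:00 web1 sshd[3101]: Accepted publickey for alice from 10.0.0.5",
    "Aug 26 08:31:00 web1 sshd[3102]: Accepted publickey for bob from 10.0.0.5",
    "Aug 26 03:12:00 web1 sshd[3103]: Accepted password for carol from 203.0.113.9",
]

LINE_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\w+) from (?P<src>[\d.]+)")
FIELDS = ("user", "source", "auth method")

def parse(line):
    """Reduce a login line to the (user, source, method) tuple we profile on."""
    m = LINE_RE.search(line)
    return (m.group("user"), m.group("src"), m.group("method")) if m else None

def build_baseline(lines):
    """Count every (user, source, method) combination seen in the training window."""
    return Counter(t for t in map(parse, lines) if t)

def score(baseline, line):
    """Return (verdict, reasons). Novelty raises suspicion; nothing is blocked."""
    t = parse(line)
    if t is None:
        return "unparsed", ["no login pattern"]
    if t in baseline:
        return "normal", []
    # Per-field sets of values already seen, so the verdict says *what* is new.
    known = [set(col) for col in zip(*baseline)] or [set(), set(), set()]
    reasons = [f"new {f} {v}" for f, v, k in zip(FIELDS, t, known) if v not in k]
    reasons = reasons or ["known user, source and method, but never in this combination"]
    # One novel attribute is worth a look; several at once deserve an analyst.
    return ("suspicious" if len(reasons) < 2 else "highly suspicious"), reasons

def review(training, new):
    baseline = build_baseline(training)
    return [score(baseline, line) for line in new]

if __name__ == "__main__":
    for (verdict, why), line in zip(review(TRAINING_LOGS, NEW_LOGS), NEW_LOGS):
        print(f"{verdict:18} {line}   ({'; '.join(why)})")
```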

Dr Anton Chuvakin