Monday, November 05, 2007

Anomaly Detection Failures?

A fun read from Bruce Schneier: "We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong."

Now narrow it from society down to your network. Do you "fight the different" on your network? Is it working well? Just a thought ...

2 comments:

Anonymous said...

I think trying to find anomalies is probably the core of intrusion detection. If you don't "fight the different" on your network then how do you go about finding incidents? It might not be perfect, but to my knowledge it's our only option.

Anton Chuvakin said...

Of course, I love anomaly detection - I am just commenting on Bruce's piece.

Anomaly detection works well in networks: different behavior on a network is usually much more significant/dangerous than a human behaving differently in society (the subject of Bruce's piece).

So,
- different network behavior: jump on it

- different person behavior: might well be perfectly legit

Dr Anton Chuvakin
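To make the "different network behavior: jump on it" idea concrete, here is an added example that is not part of the original post or comments: a toy per-host baseline detector over flow records. It learns, for each source host, the destination ports it normally talks to and a bytes-per-flow threshold (mean plus three sample standard deviations), then flags later flows that leave that host's own baseline. The flow lines, host addresses, field layout and the three-sigma threshold are all constructed assumptions for the illustration, not anything from the post.

```python
"""Toy "fight the different" detector for network flow records.

Builds a per-source-host baseline from a training window (destination
ports seen, outbound bytes per flow), then flags flows in a later window
that depart from that host's own baseline.  Added illustration only;
the records below are constructed, not real traffic.
"""
import statistics
from collections import defaultdict

# Constructed records, one flow per line: "<timestamp> <src> <dst> <dport> <bytes>"
BASELINE_FLOWS = """\
2007-11-04T09:00:01 10.0.0.5 203.0.113.10 443 1200
2007-11-04T09:02:11 10.0.0.5 203.0.113.11 80 900
2007-11-04T09:05:45 10.0.0.5 10.0.0.2 53 1400
2007-11-04T09:10:02 10.0.0.5 203.0.113.10 443 1000
2007-11-04T09:12:30 10.0.0.5 203.0.113.12 80 800
2007-11-04T09:15:09 10.0.0.5 10.0.0.2 53 1300
2007-11-04T09:01:00 10.0.0.7 198.51.100.5 25 600
2007-11-04T09:04:00 10.0.0.7 203.0.113.10 443 700
2007-11-04T09:08:00 10.0.0.7 198.51.100.5 25 650
""".splitlines()

# Constructed "live" window: one new destination port, one volume spike,
# one host never seen in the baseline, and two perfectly ordinary flows.
LIVE_FLOWS = """\
2007-11-05T09:00:30 10.0.0.5 203.0.113.10 443 1100
2007-11-05T09:01:02 10.0.0.5 198.51.100.99 4444 900
2007-11-05T09:03:15 10.0.0.5 203.0.113.10 443 50000
2007-11-05T09:04:00 10.0.0.7 203.0.113.10 443 700
2007-11-05T09:06:40 10.0.0.9 203.0.113.10 443 500
""".splitlines()


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def build_baseline(lines):
    """Per source host: set of destination ports used and a bytes-per-flow limit.

    The limit is mean + 3 * sample standard deviation (an assumed threshold);
    a host with a single training flow gets stdev 0, i.e. a very tight limit.
    """
    ports = defaultdict(set)
    sizes = defaultdict(list)
    for rec in map(parse_flow, lines):
        ports[rec["src"]].add(rec["dport"])
        sizes[rec["src"]].append(rec["bytes"])
    baseline = {}
    for host, vals in sizes.items():
        mean = statistics.mean(vals)
        spread = statistics.stdev(vals) if len(vals) > 1 else 0.0
        baseline[host] = {
            "ports": ports[host],
            "mean": mean,
            "stdev": spread,
            "byte_limit": mean + 3 * spread,
        }
    return baseline


def detect(baseline, lines):
    """Return (host, reason, detail) tuples for flows that leave the baseline."""
    findings = []
    for rec in map(parse_flow, lines):
        host = rec["src"]
        if host not in baseline:
            # No profile at all: "different" by definition, worth a look.
            findings.append((host, "unknown-host", rec["ts"]))
            continue
        prof = baseline[host]
        if rec["dport"] not in prof["ports"]:
            findings.append((host, "new-port", rec["dport"]))
        if rec["bytes"] > prof["byte_limit"]:
            findings.append((host, "byte-spike", rec["bytes"]))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(finding)
```

Run as a script it prints the three flagged flows: 10.0.0.5 opening port 4444, 10.0.0.5 sending 50000 bytes where its baseline limit is about 1810, and the never-before-seen 10.0.0.9. The two ordinary flows stay silent. Note the caveat the comment thread is circling: a "new-port" finding is only as good as the training window, so a legitimately new service trips it just as a scanner does, and a baseline built while an attacker was already active learns the attacker's traffic as normal.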