[Cisspstudy] Fw: cisspstudy Digest, Vol 19, Issue 9 (IDS question)
twitwicki at hannaford.com
Fri Jan 15 14:17:36 EST 2010
Shon Harris also seems to agree with your reasoning. She states that
"Statistical anomaly-based IDS is a behavioral-based system which do not
use predefined signatures but rather are put in a learning mode to build a
profile of an environment's 'normal' activities." The main weakness of
this type of IDS is the number of false positives since the environment is
constantly changing. In reviewing practice questions I've come across
many examples where the question is not constructed well or where I don't
agree with the answer given.
Tom Witwicki, CIPP
Director, Information Security
Hannaford Bros. Co.
207-885-2073
Join me on Linkedin!
http://www.linkedin.com/in/tomwitwicki
----- Forwarded by Thomas Witwicki/Technical Services/Corp/HBC on 01/15/2010 02:08 PM -----
From: cisspstudy-request at cccure.org
Sent by: cisspstudy-bounces at cccure.org
To: cisspstudy at cccure.org
Date: 01/15/2010 12:00 PM
Subject: cisspstudy Digest, Vol 19, Issue 9
Please respond to cisspstudy at cccure.org
Send cisspstudy mailing list submissions to
cisspstudy at cccure.org
To subscribe or unsubscribe via the World Wide Web, visit
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
or, via email, send a message with subject or body 'help' to
cisspstudy-request at cccure.org
You can reach the person managing the list at
cisspstudy-owner at cccure.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisspstudy digest..."
Today's Topics:
1. Question on IDS (Saurabh Bhargava)
2. Re: Question on IDS (Jef A.)
----------------------------------------------------------------------
Message: 1
Date: Fri, 15 Jan 2010 16:52:29 +0530 (IST)
From: Saurabh Bhargava <catchbhargava at yahoo.com>
To: The CISSP Study Mailing list <cisspstudy at cccure.org>
Subject: [Cisspstudy] Question on IDS
Message-ID: <354277.25971.qm at web94807.mail.in2.yahoo.com>
Content-Type: text/plain; charset="utf-8"
Hello Everyone:
Need your thoughts on below question:
1. Which of the following is a weakness of both statistical anomaly
detection and pattern matching?
A. Lack of learning model
B. Inability to run in real time
C. Requirement to monitor every event
D. Lack of ability to scale
I think answer is C but author says its A.
My reasoning - Statistical IDS creates a profile of "normal" and compares
activities to this profile. For that, it's put in learning mode, and if an
attack was happening during "learning" mode, it may go undetected in the
production environment as well.
Pattern matching depends on signatures, so it may not be able to pick up "zero
day" attacks.
Thoughts pls?
cheers, SB
------------------------------
Message: 2
Date: Fri, 15 Jan 2010 08:23:10 -0500
From: "Jef A." <jeff132 at gmail.com>
To: The CISSP Study Mailing list <cisspstudy at cccure.org>
Subject: Re: [Cisspstudy] Question on IDS
Message-ID:
<2e06e8e61001150523o65f9456vccdbd25f86295bbd at mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
This question confused me a bit also, but this is my reasoning for choosing
C. I was immediately able to rule out choices B & D because they
just didn't apply. In regards to answer A, I considered the idea that
statistical anomaly detection is actually learning by comparing current
activities to behavior that it believes to be normal. Pattern matching
doesn't learn at all because it is only looking for a specific pattern; it
is not capable of finding any deviations from that pattern. However, the
requirement to monitor every event is something that both devices must do,
and I guess they are considering it a weakness.
I am curious to hear what others have to say about this question.
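The two detector types argued over in this thread, as an added example that is not part of the original messages: a pattern-matching IDS with a few predefined regex signatures, and a statistical anomaly IDS that learns a mean and standard deviation of failed logins per minute and alerts when a minute exceeds mean + 3 standard deviations. The log events, IP addresses and signatures are constructed for illustration and do not come from the thread. Running it shows the three points raised above: both engines have to examine every event (option C), the signature engine has no learning model and stays silent on anything without a signature (the brute force and the novel request), and the anomaly engine both raises a false positive on a legitimate spike (Tom's point) and is blinded when the attack is already running during learning mode (Saurabh's point).

```python
import re
import statistics
from collections import Counter

# Constructed sample data for this example; not taken from the thread.
BASELINE = [3, 4, 3, 5, 4, 3, 4, 5, 4, 3]          # failed logins per minute during a quiet learning period
KNOWN_ATTACK = (11, "198.51.100.9", "GET /download?file=../../../../etc/passwd")  # matches a signature
ZERO_DAY = (15, "203.0.113.7", "GET /api/export?fmt=%7b%7bconfig%7d%7d")          # no signature exists


def make_events(failed_per_minute, extra=()):
    """Build (minute, src_ip, message) events: one 'Failed password' event per count
    per minute, plus any extra events such as a web request carrying a payload."""
    events = []
    for minute, n in enumerate(failed_per_minute):
        for i in range(n):
            events.append((minute, f"10.0.0.{i % 5 + 1}", "sshd: Failed password for admin"))
    events.extend(extra)
    return sorted(events)


class SignatureIDS:
    """Pattern matching: every event is compared against predefined signatures.
    Nothing is learned, so an attack with no signature never produces an alert."""
    SIGNATURES = {
        "sql_injection": re.compile(r"(?i)('\s*or\s*'?1'?\s*=\s*'?1|union\s+select)"),
        "path_traversal": re.compile(r"(\.\./){2,}"),
        "scanner_ua": re.compile(r"(?i)(sqlmap|nikto)"),
    }

    def __init__(self):
        self.events_examined = 0

    def run(self, events):
        alerts = []
        for minute, ip, msg in events:
            self.events_examined += 1          # every event must be inspected
            for name, rx in self.SIGNATURES.items():
                if rx.search(msg):
                    alerts.append((minute, ip, name))
        return alerts


class StatisticalAnomalyIDS:
    """Statistical anomaly detection: learning mode builds a per-minute rate profile
    (mean, population stdev); detection mode flags minutes above mean + k*stdev.
    It still has to count every event, otherwise the rate is wrong."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = self.stdev = None
        self.events_examined = 0

    def _rate_per_minute(self, events):
        counts = Counter()
        for minute, _ip, _msg in events:
            self.events_examined += 1          # every event must be inspected here too
            counts[minute] += 1
        return counts

    def learn(self, events):
        counts = self._rate_per_minute(events)
        rates = [counts[m] for m in range(min(counts), max(counts) + 1)]  # zero minutes count as 0
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates)

    def threshold(self):
        return self.mean + self.k * self.stdev

    def detect(self, events):
        counts = self._rate_per_minute(events)
        return [(m, n) for m, n in sorted(counts.items()) if n > self.threshold()]


def clean_learning_scenario():
    """Learn on a quiet baseline, then watch minutes 10-15: normal, normal + known attack,
    brute force (40/min), legitimate shift-change spike (8), low-and-slow brute force (6),
    normal + one novel request."""
    sig, ids = SignatureIDS(), StatisticalAnomalyIDS(k=3.0)
    ids.learn(make_events(BASELINE))
    window = make_events([0] * 10 + [4, 3, 40, 8, 6, 4], extra=[KNOWN_ATTACK, ZERO_DAY])
    return {
        "threshold": round(ids.threshold(), 2),            # 3.8 + 3 * 0.748 = 6.04
        "anomaly_alerts": ids.detect(window),               # the brute force and the false positive; 6/min slips under
        "signature_alerts": sig.run(window),                # only the traversal; brute force and novel request missed
        "events_examined": (ids.events_examined, sig.events_examined),
    }


def poisoned_learning_scenario():
    """Same detector, but the brute force is already running during the last two learning
    minutes: the profile absorbs it and the same 40/min attack later goes undetected."""
    ids = StatisticalAnomalyIDS(k=3.0)
    ids.learn(make_events(BASELINE[:8] + [40, 40]))
    window = make_events([0] * 10 + [4, 3, 40])
    return {"threshold": round(ids.threshold(), 1), "anomaly_alerts": ids.detect(window)}


if __name__ == "__main__":
    print("clean learning:   ", clean_learning_scenario())
    print("poisoned learning:", poisoned_learning_scenario())
```

The k multiplier is the knob Tom's false-positive complaint is about: lowering it catches the 6/min low-and-slow attempt but also flags the shift-change spike every day, raising it does the opposite. Neither setting helps the poisoned profile, which is why the learning window has to be vetted before the sensor is trusted.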
------------------------------
_______________________________________________
cisspstudy mailing list
cisspstudy at cccure.org
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
End of cisspstudy Digest, Vol 19, Issue 9
*****************************************