Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Anomaly Detection SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Anomaly Detection
Ron Gula, of Dragon IDS and Tenable fame, has an interesting blog entry on monitoring large networks looking for suddent surges in atypical network traffic destined specific IPS or protocols.

Scenario: mobile malicious code compromises 150 hosts on your network.  Those hosts are loaded with bot software.  Bots need to talk to a command and control channel, and by observing these surges of bots connecting within a threshold of time... we can detect this anomolous pattern.

Ron has released code and screenshots on his research.  Definitely worth checking out.

Mike Poor    mike   <at>


49 Posts
Aug 5th 2006

Sign Up for Free or Log In to start participating in the conversation!