SANS ISC: Anomaly Detection
Anomaly Detection
Ron Gula, of Dragon IDS and Tenable fame, has an interesting blog entry on monitoring large networks for sudden surges of atypical network traffic destined for specific IPs or protocols.

Scenario: mobile malicious code compromises 150 hosts on your network.  Those hosts are loaded with bot software.  Bots need to talk to a command and control channel, and by observing these surges of bots connecting within a threshold of time... we can detect this anomalous pattern.
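As an added illustration (not Ron's code, and not from the ISC), here is a minimal sliding-window surge detector run over constructed flow records: it counts distinct internal sources per destination and port inside a time threshold and alerts when the count crosses a bar. The log format, window size and host threshold are assumptions.

```python
"""Surge detector for the scenario above: flag a destination (IP, port) that
many distinct internal hosts start talking to within a short time window.
Added example; log format, window and threshold are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port".
# Hosts 10.0.0.1-10.0.0.6 all reach 203.0.113.7:6667 within ~3 minutes (surge);
# the web traffic to 198.51.100.10:443 is spread out and stays below threshold.
SAMPLE_LOG = """\
2006-08-05T10:00:05 10.0.0.1 198.51.100.10 443
2006-08-05T10:00:10 10.0.0.1 203.0.113.7 6667
2006-08-05T10:00:42 10.0.0.2 203.0.113.7 6667
2006-08-05T10:01:03 10.0.0.3 203.0.113.7 6667
2006-08-05T10:01:30 10.0.0.2 198.51.100.10 443
2006-08-05T10:01:55 10.0.0.4 203.0.113.7 6667
2006-08-05T10:02:20 10.0.0.5 203.0.113.7 6667
2006-08-05T10:02:48 10.0.0.5 203.0.113.7 6667
2006-08-05T10:03:01 10.0.0.6 203.0.113.7 6667
2006-08-05T10:09:00 10.0.0.3 198.51.100.10 443
"""

def parse_flows(text):
    """Yield (timestamp, src, (dst, port)) tuples from the constructed log."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, (dst, int(port))

def detect_surges(flows, window_seconds=300, min_hosts=5):
    """Return {(dst, port): first-alert timestamp} for destinations contacted by
    at least `min_hosts` distinct sources inside any `window_seconds` span.
    Repeat connections from the same host do not inflate the count."""
    recent = defaultdict(deque)   # dest -> deque of (ts, src), oldest first
    alerts = {}
    for ts, src, dest in sorted(flows):
        q = recent[dest]
        # Drop entries that have fallen out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        q.append((ts, src))
        distinct = {s for _, s in q}
        if len(distinct) >= min_hosts and dest not in alerts:
            alerts[dest] = ts
    return alerts

if __name__ == "__main__":
    for (dst, port), when in detect_surges(parse_flows(SAMPLE_LOG)).items():
        print(f"{when.isoformat()} surge: many hosts -> {dst}:{port}")
```

On real flow or firewall logs the threshold should be set per destination class (a new external IP seen by five hosts in five minutes is far more suspicious than the same count for the corporate proxy).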

Ron has released code and screenshots on his research.  Definitely worth checking out.

Mike Poor    mike   <at>


Aug 5th 2006