
I have read many papers on anomaly-based network intrusion detection. Am I correct that each of their techniques could be implemented as a Snort preprocessor? If this is true, why are there no anomaly detection preprocessors available for Snort currently, despite the fact that there are many papers out there on this subject?

SPADE is no longer included in Snort, as I learned. PHAD, by Bernhard Guillon, has to be patched in; it is not official. AnomalyDetection is of course available.

Are anomaly detection algorithms useless practically?

D.W.
Yasser
  • Well, you are yourself quoting stuff from research papers. Things done in the research environment need to be made fit for production environments. Probably they aren't, and that is why Snort doesn't have them implemented. – pnp Nov 12 '12 at 12:45


There are two reasons:

  • First, anomaly-based network intrusion detection is harder to translate from research into practice than it might at first seem. It tends to raise many false alarms.

  • Second, those are research papers. Researchers often build a research prototype that's just good enough to test the idea (as a proof of concept). There's a great deal of additional work to build something practically deployable, so only a small fraction of research papers go that far. This is true across pretty much all of computer science research -- not just anomaly-based intrusion detection.

For your question about whether anomaly detection is useless in practice, see Neural networks & anomaly detection on this site. (The search bar is your friend; give it a try!)

D.W.
  • Thanks for your reply. The link was so helpful. So it seems to be hard or useless for Gbps throughput regarding the false positive detections. – Yasser Nov 13 '12 at 06:44
  • In the Snort manual, some anomaly detections are mentioned in frag3 and stream5, which are actually not related to anomaly detection, I think. These are called specification-based detection in papers, like data in a SYN packet. However, I am in doubt about the sfportscan preprocessor. Is it really anomaly-based? Is any learning involved? – Yasser Nov 13 '12 at 06:48
  • @YasserMZadeh I guess the snort-users mailing list would be of help to you for these inquiries. – pnp Nov 15 '12 at 09:21
  • @Yas: No, it's not. It's simply thresholding based on source/destination connections over time. This could be done in a signature but is much more efficient in a preprocessor. – Scott Pack Feb 02 '14 at 21:22
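The distinction drawn in the thread, fixed thresholding (the sfportscan style) versus a learned baseline, and the false-alarm problem the answer raises, can be seen side by side in a small simulation. This is an added example, not code from Snort or from anyone in the thread; the flow records, window size, threshold and the `k`-sigma rule are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
BENIGN = [  # ordinary client traffic: a few services, spread over time
    (0, "10.0.0.5", "10.0.0.20", 443), (5, "10.0.0.5", "10.0.0.20", 443),
    (12, "10.0.0.5", "10.0.0.21", 80), (20, "10.0.0.5", "10.0.0.22", 53),
    (65, "10.0.0.5", "10.0.0.20", 443), (70, "10.0.0.5", "10.0.0.21", 80),
]
# one host touching 40 distinct ports on a single target inside one minute
SCAN = [(130 + i, "10.0.0.9", "10.0.0.20", 1 + i) for i in range(40)]
# a legitimate burst: one host contacting six update mirrors on 443
BURST = [(200 + i, "10.0.0.7", f"10.0.1.{i}", 443) for i in range(6)]
FLOWS = BENIGN + SCAN + BURST

def distinct_targets_per_window(flows, window=60):
    """Count distinct (dst_ip, dst_port) pairs per source per time window.
    This is the kind of counter a thresholding preprocessor keeps."""
    buckets = defaultdict(set)
    for ts, src, dst, port in flows:
        buckets[(src, ts // window)].add((dst, port))
    return {key: len(targets) for key, targets in buckets.items()}

def threshold_detect(flows, limit=20, window=60):
    """Specification/threshold style: alert on any source whose distinct
    target count in one window exceeds a fixed limit. No learning phase."""
    counts = distinct_targets_per_window(flows, window)
    return sorted({src for (src, _), n in counts.items() if n > limit})

def anomaly_detect(training, flows, k=3.0, window=60):
    """Anomaly style: learn a baseline of per-window target counts from
    presumed-benign training traffic (pooled over all sources here), then
    flag any window more than k standard deviations above the learned mean."""
    baseline = list(distinct_targets_per_window(training, window).values())
    mu, sigma = mean(baseline), pstdev(baseline)
    counts = distinct_targets_per_window(flows, window)
    return sorted({src for (src, _), n in counts.items() if n > mu + k * sigma})

if __name__ == "__main__":
    print("threshold:", threshold_detect(FLOWS))        # only the scanner
    print("anomaly:", anomaly_detect(BENIGN, FLOWS))    # scanner plus a false alarm
```

With a baseline learned from only a few quiet minutes, the six-connection update burst sits far above the learned mean and is flagged alongside the real scan, while the fixed threshold ignores it; the anomaly rule's trade-off is tuning `k` and the training set, which is the practical difficulty the answer describes.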