Wednesday, September 5, 2012

Anomaly Detection

Most network security monitoring techniques use one of two approaches:

  • Signature-based detection (i.e., "I know this specific activity is bad")
  • Pattern-based detection (i.e., "I know this pattern of activity is bad")

Those are both well and good, but they leave a gaping hole.  What is the answer to the question: "Is this previously unknown activity normal and expected, or is it weird and unexpected?"

The way to answer that question is through anomaly-based detection techniques.  Unfortunately, at the present time, we as a community do not have so many mature, production-ready approaches to anomaly-based detection, nor do we have many vendor options.

I am cautiously optimistic that in the coming years, we will begin to mature our capabilities in this area.  It is sorely needed.
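To make the gap concrete, here is an added example (not code from the original post) that runs the same connection record through all three approaches on a constructed set of outbound connection records; the blocklisted port, the scan threshold and the z-score cutoff are assumed values chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample of outbound connection records: (source host, destination port, bytes sent).
RECORDS = [
    ("ws-01", 443, 1200), ("ws-01", 443, 900), ("ws-01", 443, 1500),
    ("ws-02", 443, 1100), ("ws-02", 80, 800), ("ws-02", 443, 1300),
    ("ws-03", 443, 1000), ("ws-03", 443, 1400), ("ws-03", 443, 1200),
]
# The previously unknown activity we want to judge: unfamiliar port, much larger transfer.
NEW_RECORD = ("ws-02", 6667, 48000)

# 1. Signature-based: "I know this specific activity is bad" (hypothetical blocklisted port).
KNOWN_BAD_PORTS = {4444}

def signature_match(record):
    return record[1] in KNOWN_BAD_PORTS

# 2. Pattern-based: "I know this pattern is bad", e.g. one host touching many distinct
#    ports (scan-like behaviour). Threshold is an assumed value.
def pattern_match(records, threshold=5):
    ports_by_host = defaultdict(set)
    for host, port, _ in records:
        ports_by_host[host].add(port)
    return {h for h, p in ports_by_host.items() if len(p) >= threshold}

# 3. Anomaly-based: learn what "normal" looks like from history, then flag deviations.
def build_baseline(records):
    sizes = [nbytes for _, _, nbytes in records]
    return {"ports": {port for _, port, _ in records},
            "mean": statistics.mean(sizes),
            "stdev": statistics.stdev(sizes)}

def anomaly_reasons(record, baseline, z=3.0):
    """Return the reasons a record deviates from the baseline (empty list = looks normal)."""
    reasons = []
    _, port, nbytes = record
    if port not in baseline["ports"]:
        reasons.append("never-seen destination port")
    if abs(nbytes - baseline["mean"]) > z * baseline["stdev"]:
        reasons.append("byte volume outside baseline")
    return reasons

if __name__ == "__main__":
    print("signature:", signature_match(NEW_RECORD))                 # False: no known indicator
    print("pattern:  ", pattern_match(RECORDS + [NEW_RECORD]))       # set(): no known pattern
    print("anomaly:  ", anomaly_reasons(NEW_RECORD, build_baseline(RECORDS)))
```

The first two detectors stay silent because nothing about the record matches prior knowledge; only the baseline comparison reports that it is unlike anything the hosts have done before.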
