We will begin our discussion by talking about false positives and false negatives, which are ever present factors in the life of an intrusion analyst. We will then discuss the notion of Events of Interest (EOI), and their relevance to the event analysis process. We will also go over techniques for judging the severity of a particular event. Additionally, we will propose a way to handle long term conditions that might result from a prolonged exposure to attacks. | Network Based Intrusion Detection Tutorial 1 Introduction to the basic approaches and issues of Intrusion Detection IDIC - SANS GIAC LevelTwo 2000 2001 1 Hello Welcome to the first half of our network based intrusion detection tutorial where we will introduce you to the basic approaches of intrusion detection. In this section we will discuss a rulebased analysis process by going through the topics listed on your next slide. At the end of the section we will talk about some of the methods currently used to perform intrusion detection. 1 Before We Begin False positives False negatives EOI dictionary signatures profile changes Severity criticality lethality -countermeasures system network Long term conditions IDIC - SANS GIAC LevelTwo 2000 2001 2 We will begin our discussion by talking about false positives and false negatives which are ever present factors in the life of an intrusion analyst. We will then discuss the notion of Events of Interest EOI and their relevance to the event analysis process. We will also go over techniques for judging the severity of a particular event. Additionally we will propose a way to handle long term conditions that might result from a prolonged exposure to attacks. 2 Sources of Data All data observable or not There are very few situations in which we are able to collect all the data. We need to develop techniques that allow us to routinely locate Events of Interest EOI in the data we are able to collect so that we know where to focus our attention.
