[352] in Intrusion Detection Systems


On the IDS environment

daemon@ATHENA.MIT.EDU (choe song kwan)
Tue Sep 19 23:37:11 1995

From: nolja@oberon.postech.ac.kr (choe song kwan)
To: ids@uow.edu.au
Date: Wed, 20 Sep 1995 00:44:12 +0900 (GMT+9:00)
Cc: nolja@oberon.postech.ac.kr
Reply-To: ids@uow.edu.au

Thinking about the implementation of IDS, I've got a discussion point.
Suppose that you are now implementing an IDS which you wish to run in real-time.
You want to use that IDS in some systems where a great many people's accounts exist.
And it incorporates a rule-based penetration identification mechanism with just one rule-base.
I think, because there are many people in the system, there is a possibility that
the IDS would not operate in real-time. It will waste much time in useless comparison or searching processes.
So, I think that the system environment should be classified such as banking environment, academic environment, public service env and office env ...
And then, you should make ad-hoc rule-base after specifying the characteristics of each environment.
That method, I think, will reduce the processing time for real-time detection.
Why should an IDS be universal?
Why should an IDS be independent of the system environment?
I don't know the reason...
I want your comments on my idea.

Thank you ..
nolja@oberon.postech.ac.kr
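
The trade-off raised in the message above, as an added example that is not part of the original post: one rule base is partitioned by environment class, and the same audit records are scanned with the full rule base and with the academic-only subset. The rules, the record format and the host classification are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed rule base: each rule is tagged with the environments it applies to.
Rule = namedtuple("Rule", "name envs pattern")
ALL_ENVS = {"banking", "academic", "public", "office"}
RULES = [
    Rule("su-root-failure", ALL_ENVS, re.compile(r"su: FAILED su for root")),
    Rule("teller-after-hours", {"banking"}, re.compile(r"teller_app login hour=(2[0-3]|0[0-5])\b")),
    Rule("ledger-direct-write", {"banking"}, re.compile(r"open\(/ledger/[^)]*O_WRONLY")),
    Rule("student-reads-grades", {"academic"}, re.compile(r"uid=stu\d+ open\(/grades/")),
    Rule("lab-host-rlogin-sweep", {"academic"}, re.compile(r"rlogind: \d+ refused")),
    Rule("kiosk-shell-escape", {"public"}, re.compile(r"kiosk exec\(/bin/sh\)")),
    Rule("payroll-bulk-export", {"office"}, re.compile(r"payroll export rows=\d{4,}")),
]

# Constructed audit records, as seen on a host classified "academic".
RECORDS = [
    "Sep 19 23:01:02 host su: FAILED su for root by stu1042",
    "Sep 19 23:01:09 host audit: uid=stu1042 open(/grades/cs101.db, O_RDONLY)",
    "Sep 19 23:02:30 host audit: uid=prof7 open(/home/prof7/notes.txt, O_RDONLY)",
    "Sep 19 23:05:00 host audit: uid=guest kiosk exec(/bin/sh)",
]

def partition(rules):
    """Split the single rule base into one rule list per environment."""
    by_env = {}
    for rule in rules:
        for env in rule.envs:
            by_env.setdefault(env, []).append(rule)
    return by_env

def scan(records, rules):
    """Match every record against every rule; return (alert names, comparisons)."""
    alerts, comparisons = [], 0
    for record in records:
        for rule in rules:
            comparisons += 1
            if rule.pattern.search(record):
                alerts.append(rule.name)
    return alerts, comparisons

def compare(records, env):
    """Scan with the universal and the per-environment rule base and diff them."""
    full_alerts, full_cost = scan(records, RULES)
    env_alerts, env_cost = scan(records, partition(RULES)[env])
    missed = sorted(set(full_alerts) - set(env_alerts))
    return {"full_cost": full_cost, "env_cost": env_cost, "missed": missed}

if __name__ == "__main__":
    print(compare(RECORDS, "academic"))
```

On this sample the academic rule base does 12 comparisons instead of 28, but the kiosk record goes unreported because its rule was filed under a different environment.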
