ossim - AlienVault
ossim - AlienVault
ossim - AlienVault
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
2. The Detection Process<br />
If we had to summarize what we are trying to accomplish or what our project is about in a single<br />
phrase, it would be this: “Improve Detection Capability”<br />
In this section we will introduce the concepts related to network detection that will be developed<br />
throughout the document.<br />
Detectors<br />
We define a detector as any program capable of processing information in real time, usually low<br />
level information like traffic or system events, and capable of sending alerts when previously<br />
defined situations arise.<br />
These situations can be defined in either of two ways:<br />
1. By patterns, or rules defined by the user<br />
2. By anomaly levels<br />
Detection Capability<br />
Detection capabilities have improved enormously in recent years, the best example being IDSs,<br />
which are capable of detecting patterns at the most detailed level.<br />
In order to discuss the capability of a detector, we will define it using two variables:<br />
• Sensitivity or the capability our detector has for extensive and complex analysis in<br />
identifying possible attacks.<br />
• Reliability, which, as its name suggests, is the level of certainty provided by our detector<br />
when we receive warning of a possible event.<br />
Inadequate Detection<br />
Throughout this document we will see that despite advances in the scope of detection systems,<br />
their capabilities are still far from acceptable.<br />
Because of detector inadequacy in these two areas, we are confronted with the two main<br />
problems encountered today:<br />
• False positives. Detector unreliability or alerts that actually do not correspond to real<br />
attacks.<br />
• False negatives. Inadequate detection means that attacks go unnoticed.<br />
8