Questions tagged [anomaly-detection]
The anomaly-detection tag has no usage guidance.
31 questions

0 votes, 0 answers, 25 views
Auditd and Auditbeat compatibility when using Sigma
I'm looking to integrate Sigma rules into my SOC ecosystem, and am bumping into issues with using Sigma rules.
Specifically, auditd includes a "type" field which tags logs with some category,...
0 votes, 0 answers, 22 views
Sigma "keywords" rules and Auditbeat
I've recently begun using Auditbeat for capturing and streaming audit logs from my Linux machine.
I browsed the main rules repository, and noticed that many rules rely on the keywords feature of Sigma ...
1 vote, 1 answer, 169 views
Understanding XDR Detection Methods
I'm interested in security and red teaming in particular, and as I'm learning about the subject I'm trying to find out what kind of things a blue team EDR/XDR solution will look for as part of its ...
0 votes, 1 answer, 454 views
Misuse vs anomaly detection alerts
Adam always reads his e-mails on Sundays around 5 pm. This Saturday,
at 11 am, he accessed his inbox. Which will generate a false positive?
Source slide 10/41
Misuse-based IDS or anomaly-based IDS? ...
0 votes, 0 answers, 157 views
Is every packet of a hostile network flow hostile?
We are building a packet based anomaly detection system and I'm trying to find labeled packets.
Such a dataset doesn't exist based on my search, but I can find labeled flows.
Can we say that every ...
1 vote, 1 answer, 1k views
OWASP CRS Anomaly scoring, ModSecurity WAF
I'm getting into OWASP CRS with ModSecurity and was investigating the way OWASP calculates the anomaly score. In REQUEST-901-INITIALIZATION.conf they set the following lines:
setvar:'tx....
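The question above is about how CRS accumulates an anomaly score rather than blocking on the first matching rule. The following is an added illustration, not CRS or ModSecurity code: a small Python model of CRS 3.x anomaly scoring mode, using the default severity weights and thresholds that REQUEST-901-INITIALIZATION.conf seeds into the tx.* variables (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2; inbound threshold 5, outbound threshold 4). The rules, rule ids (EX-*) and requests are constructed for the example and are not real CRS rules.

```python
"""Toy model of OWASP CRS anomaly scoring mode (added example, not CRS code).

Every matching rule adds its severity weight to the running inbound score;
the request is denied only when the total reaches the threshold. That is why
several low-severity matches can block a request even though no single rule
is CRITICAL, and why raising the threshold (as people do while tuning) turns
the WAF into a pure observer. Defaults are CRS 3.x values from
REQUEST-901-INITIALIZATION.conf; rules and requests below are constructed.
"""
from dataclasses import dataclass

# tx.critical_anomaly_score, tx.error_anomaly_score, ... as seeded by rule 901.
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5    # tx.inbound_anomaly_score_threshold default
OUTBOUND_THRESHOLD = 4   # tx.outbound_anomaly_score_threshold default


@dataclass
class Request:
    path: str
    args: dict      # query/body parameters
    headers: dict   # header name -> value


@dataclass
class Verdict:
    score: int
    matched: list   # ids of the rules that fired, in evaluation order
    blocked: bool


# Constructed detection predicates; rule ids are illustrative, not CRS ids.
def _sqli_keyword(req: Request) -> bool:
    blob = " ".join(req.args.values()).lower()
    return "union select" in blob or "' or 1=1" in blob


def _script_tag(req: Request) -> bool:
    return any("<script" in v.lower() for v in req.args.values())


def _backup_file_request(req: Request) -> bool:
    return req.path.lower().endswith(".bak")


def _missing_accept(req: Request) -> bool:
    return "accept" not in {k.lower() for k in req.headers}


def _missing_user_agent(req: Request) -> bool:
    return "user-agent" not in {k.lower() for k in req.headers}


RULES = [
    ("EX-942", "CRITICAL", _sqli_keyword),
    ("EX-941", "CRITICAL", _script_tag),
    ("EX-930", "WARNING", _backup_file_request),
    ("EX-920a", "NOTICE", _missing_accept),
    ("EX-920b", "NOTICE", _missing_user_agent),
]


def score_request(req: Request, rules=RULES, threshold=INBOUND_THRESHOLD) -> Verdict:
    """Evaluate every rule (CRS does not stop at the first hit), sum the
    severity weights, and compare the total against the threshold exactly as
    the blocking-evaluation phase does."""
    score = 0
    matched = []
    for rule_id, severity, predicate in rules:
        if predicate(req):
            score += SEVERITY_SCORES[severity]
            matched.append(rule_id)
    return Verdict(score=score, matched=matched, blocked=score >= threshold)


if __name__ == "__main__":
    browser = {"Accept": "*/*", "User-Agent": "curl/8.0"}
    cases = {
        "clean": Request("/", {"q": "hello"}, browser),
        "single critical": Request("/", {"id": "1 UNION SELECT 1,2"}, browser),
        "two notices (4 < 5)": Request("/", {"q": "hello"}, {}),
        "notices + warning (7)": Request("/config.bak", {"q": "hello"}, {}),
    }
    for name, req in cases.items():
        print(f"{name:22s} -> {score_request(req)}")
    # Tuning mode: a very high threshold logs but never blocks.
    print("tuning threshold 1000   ->",
          score_request(cases["notices + warning (7)"], threshold=1000))
```

The point the model makes concrete: with the default inbound threshold of 5, one CRITICAL match is enough to block, two NOTICE matches (4) are not, but two NOTICE plus one WARNING (7) are, so the "weak" header-hygiene rules still matter to the final decision.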
0 votes, 0 answers, 45 views
My PC was infected by belombrea dot com. Kaspersky didn't detect it. Is a factory reset enough? [duplicate]
Also, I had it for around 3 days. It downloaded a file that's 1 KB big on my PC. What should I do? I'm afraid to use my PC again.
1 vote, 0 answers, 106 views
Is there a difference between malware detection using automata and family behavior graph?
Is there a difference between dynamic malware detection using automata and family behavior graph?
I think that they are both relying on API function calls but I don't understand if there is any ...
0 votes, 0 answers, 32 views
How to remove a very stealthy virus? [duplicate]
I have a virus on my laptop preventing me from installing antivirus, or updating windows or even opening task manager.
I tried running a virus scanner from portable scanners; the virus disappears ...
2 votes, 1 answer, 2k views
How safe is ePSXe?
For the last few weeks, my roommate dove back into his childhood by playing his old PS1 games with an emulator I set up for him: ePSXe 2.0.5 for Windows.
A few days ago, he came back to me saying ...
0 votes, 0 answers, 188 views
Identify SSL invalid handshake using Wireshark
I am doing research on "Network flow anomaly detection" and use Wireshark for my work. I have a problem identifying the packets with invalid SSL/TLS handshakes. Is there a way/algorithm to detect ...
4 votes, 2 answers, 2k views
Datasets dedicated for SIEM systems [closed]
I am looking for data sets published by researchers or freelancers which can be used for the purpose of SIEM testing and evaluations. The goal is to test the classification (and later correlation) for ...
1 vote, 3 answers, 3k views
Svchost without name using 50% CPU and can't access "Service tab"
I have recently downloaded a trash software (even if normally I do not), and just after doing an update of Windows 10. After this, when I was booting my computer my ventirad (I guess) was running faster ...
2 votes, 0 answers, 94 views
How to make a successful mimicry attack when normal clusters are very small?
Anomaly detection IDSs are sometimes designed to prevent mimicry attacks.
After the algorithm has done the clustering, there might be few and small clusters. The attacker will have problems with ...
0 votes, 2 answers, 899 views
What do you call an antivirus that detects suspicious activity?
A traditional antivirus scans data at rest and data in transit for known virus signatures. (Where "virus" includes trojans, rootkits, et al.)
This does not help when defending against zero-days and ...