Ertugrul Söylemez
Guest
Re: Measured Features for Detecting Attacks
simon <Simon.SCh.000@gmail.com> wrote:
> Hi, I find that many network attacks can be detected by measuring one
> single feature. For example, the SYN Flood can be detected by counting
> the number of SYN packets sent to a destination address. The measured
> feature is the number of SYN packets.
>
> Is there an attack that should be detected by at least two features?
> Can anyone give me an example and the relevant features?
You should be more accurate as to what a "feature" is, but I can give
you two examples of attacks, which require measuring as many features as
possible.
1. Man in the middle (MITM) attack: A perfect MITM attack against a
non-authenticated cryptosystem is impossible to detect. All features
you measure only give evidence.
2. Side channel attack: In an ideal case for the attacker, a side
channel attack is impossible to detect. All features you measure only
give evidence.
Greets,
Ertugrul.
--
http://ertes.de/
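
The single-feature detection described in the quoted question (counting SYN packets per destination address), as an added example that is not part of the original thread. The packet tuple layout, the one-second window, the threshold of 100 and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def detect_syn_flood(packets, window=1.0, threshold=100):
    """Return {dst: time of first alert} for every destination that receives
    more than `threshold` initial SYNs within `window` seconds.

    `packets` is an iterable of (timestamp, src, dst, flags) sorted by time;
    `flags` is a string such as "S", "SA" or "A" (assumed record format).
    """
    recent = defaultdict(deque)  # dst -> timestamps of SYNs still in window
    alerts = {}
    for ts, _src, dst, flags in packets:
        # The measured feature: initial SYNs only (SYN set, ACK clear).
        if "S" not in flags or "A" in flags:
            continue
        q = recent[dst]
        q.append(ts)
        # Drop SYNs that have slid out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and dst not in alerts:
            alerts[dst] = ts
    return alerts


def sample_packets():
    """Constructed traffic: one quiet server and one server hit by a burst."""
    pkts = []
    # Normal load: 20 SYNs to 192.0.2.10 spread over 10 seconds.
    for i in range(20):
        pkts.append((i * 0.5, "198.51.100.%d" % (i % 5 + 1), "192.0.2.10", "S"))
    # Burst: 300 SYNs to 192.0.2.20 in 0.6 s, each answered with a SYN-ACK.
    for i in range(300):
        client = "203.0.113.%d" % (i % 250 + 1)
        pkts.append((3.0 + i * 0.002, client, "192.0.2.20", "S"))
        pkts.append((3.0 + i * 0.002 + 0.001, "192.0.2.20", client, "SA"))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    for dst, ts in detect_syn_flood(sample_packets()).items():
        print("SYN rate exceeded for %s at t=%.3f" % (dst, ts))
```
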