Re: Measured Features for Detecting Attacks
simon <Simon.SCh.email@example.com> wrote:
> Hi, I find that many network attacks can be detected by measuring one
> single feature. For example, the SYN Flood can be detected by counting
> the number of SYN packets sent to a destination address. The measured
> feature is the number of SYN packets.
> Is there an attack that should be detected by at least two features?
> Can anyone give me an example and the relevant features?
You should be more accurate as to what a "feature" is, but I can give
you two examples of attacks, which require measuring as many features as
1. Man in the middle (MITM) attack: A perfect MITM attack against a
non-authenticated cryptosystem is impossible to detect. All features
you measure only give evidences.
2. Side channel attack: In an ideal case for the attacker, a side
channel attack is impossible to detect. All features you measure only