Problems
Data set size
- Logging and auditing traffic from a few minutes, hours, or days can already be resource-intensive. Spread this out to weeks and the problem becomes very difficult.
- Some attackers deliberately spread their activity over long periods to exploit this and avoid detection.
Speed
- Packet header matching is fairly straightforward. Content analysis and searching are more difficult. Coordinating these with rules, historic information about that port/protocol/source host/destination host, and other context is even more difficult. And doing all of this in something close to real time is the most difficult of all.
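The two points above (weeks of history versus a "low and slow" attacker, and correlating per-host state rather than inspecting raw packets) can be illustrated with a compact, stateful detector. This is an added example, not part of the original notes; the connection records, hosts and thresholds are constructed for the demonstration, and the detector keeps only a per-(source, destination) map of ports seen rather than the full packet log.

```python
from collections import defaultdict

# Constructed sample connection records (not from the original page):
# (timestamp_seconds, src, dst, dport). Host 10.0.0.9 probes one new port
# per day for 12 days (a slow scan); 10.0.0.5 is a normal HTTPS client.
DAY = 86400
RECORDS = []
for d in range(12):
    RECORDS.append((d * DAY, "10.0.0.9", "192.0.2.10", 1000 + d))
    RECORDS.append((d * DAY + 60, "10.0.0.5", "192.0.2.10", 443))


def slow_scan_sources(records, window_secs, port_threshold):
    """Return the set of source hosts that touch at least port_threshold
    distinct destination ports on a single destination within any sliding
    window of window_secs seconds.

    State is a {port: last_seen} map per (src, dst) pair, so memory grows
    with the number of hosts and ports, not with raw traffic volume. A short
    window forgets each day's probe before the next one arrives; a window of
    weeks retains enough history to see the scan as a whole.
    """
    state = defaultdict(dict)
    flagged = set()
    for ts, src, dst, dport in sorted(records):
        ports = state[(src, dst)]
        ports[dport] = ts
        # Evict ports whose last sighting has aged out of the window.
        stale = [p for p, seen in ports.items() if ts - seen > window_secs]
        for p in stale:
            del ports[p]
        if len(ports) >= port_threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("1-hour window :", slow_scan_sources(RECORDS, 3600, 10))
    print("30-day window :", slow_scan_sources(RECORDS, 30 * DAY, 10))
```

With a one-hour window the scanner never exceeds one live port and is missed; with a 30-day window it is flagged once its tenth distinct port is seen, while the ordinary client is not.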