problems with my idea

• Still not a useful way for finding things like stolen passwords

• The variations in protocol implementations on the Net may mean that normal behavior will not exhibit self-similarity

• Might miss things that could be more reliably detected by a pattern-matcher -- but why not run Bro and SIS at the same time (contrived acronym: Segment Initiated Security)

• Probably a significant effort to build and characterize the system and I don’t have the time to do it :-)

Previous slide

Next slide

Back to first slide

View graphic version