Besides all the work, the good news is that we will present an interesting paper on combining anomaly detection and intrusion prevention at the European Conference on Computer Network Defense (EC2ND). Here is the abstract from our contribution:
In this paper we propose an intrusion prevention system (IPS) which operates inline and is capable to detect unknown attacks using anomaly detection methods. Incorporated in the framework of a packet filter each incoming packet is analyzed and—according to an internal connection state and a computed anomaly score—either delivered to the production system, redirected to a special hardened system or logged to a network sink for later analysis. Run-time measurements of an actual implementation prove that the performance overhead of the system is sufficient for inline processing. Accuracy measurements on real network data yield improvements especially in the number of false positives, which are reduced by a factor of five compared to a plain anomaly detector.
An Architecture for Inline Anomaly Detection. Tammo Krueger, Christian Gehl, Konrad Rieck and Pavel Laskov. Proc. of European Conference on Computer Network Defense (EC2ND), December 2008.