Statistical Packet Anomaly Detection Engine (SPADE) for Snort IDS

Every system has behaviour that can be classed as "normal", be it a river system, a car or a computer network. "Anomalies" are behaviours that can be considered as "not normal" - flood conditions in rivers, tyre punctures in cars and attempts at intrusion on a network.

Not being either particularly competent river or car analysts here, we are concentrating on the networks. The SPADE plugin for the Open Source Snort IDS system does just this - it creates a baseline of behaviour that is considered "normal" for a given network, and then is able to identify "anomalous" behaviour, things that don't normally happen - which can be indicative of a fault or deliberate attack - and alert you as required.
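The baseline-then-score idea above can be shown in a few lines. The following is an added illustration, not code from SPADE or the Snort project: it assumes a simple frequency model over (destination IP, destination port) pairs, estimates each pair's probability from a training window with Laplace smoothing so unseen pairs are not assigned probability zero, and reports rarity as the anomaly score -log2(P). The traffic it learns from and the packets it scores are constructed sample tuples; the threshold is an arbitrary tuning value, as it would be in practice.

```python
import math
from collections import Counter
from typing import Iterable, List, Tuple

# (src_ip, dst_ip, dst_port); only dst_ip/dst_port feed the model here
Packet = Tuple[str, str, int]


class FrequencyAnomalyDetector:
    """Learn how often each (dst_ip, dst_port) pair is seen, then score
    new packets by how surprising that pair is under the learned baseline."""

    def __init__(self) -> None:
        self.counts: Counter = Counter()
        self.total = 0

    @staticmethod
    def _key(p: Packet) -> Tuple[str, int]:
        return (p[1], p[2])

    def train(self, packets: Iterable[Packet]) -> None:
        """Build the baseline from a window of traffic assumed to be normal."""
        for p in packets:
            self.counts[self._key(p)] += 1
            self.total += 1

    def probability(self, p: Packet) -> float:
        # Add-one (Laplace) smoothing: a never-seen pair still gets a small,
        # non-zero probability instead of an infinite score.
        return (self.counts[self._key(p)] + 1) / (self.total + len(self.counts) + 1)

    def score(self, p: Packet) -> float:
        """Anomaly score in bits: 0 means fully expected, larger means rarer."""
        return -math.log2(self.probability(p))

    def detect(self, packets: Iterable[Packet], threshold: float) -> List[Tuple[Packet, float]]:
        """Return (packet, score) for every packet scoring above the threshold."""
        hits = []
        for p in packets:
            s = self.score(p)
            if s > threshold:
                hits.append((p, round(s, 2)))
        return hits


def build_demo_detector() -> FrequencyAnomalyDetector:
    """Baseline from constructed traffic: a busy web server plus one SSH flow."""
    baseline: List[Packet] = (
        [("192.168.1.10", "10.0.0.5", 80)] * 90
        + [("192.168.1.11", "10.0.0.5", 443)] * 9
        + [("192.168.1.12", "10.0.0.6", 22)]
    )
    det = FrequencyAnomalyDetector()
    det.train(baseline)
    return det


def demo_alerts(threshold: float = 4.0) -> List[Tuple[Packet, float]]:
    """Score a constructed batch of new packets against the baseline."""
    det = build_demo_detector()
    new_traffic: List[Packet] = [
        ("192.168.1.10", "10.0.0.5", 80),     # routine web request
        ("192.168.1.12", "10.0.0.6", 22),     # seen once before, moderately rare
        ("192.168.1.99", "10.0.0.9", 3389),   # never seen: host and port are new
    ]
    return det.detect(new_traffic, threshold)


if __name__ == "__main__":
    for packet, s in demo_alerts():
        print(f"ALERT score={s:.2f} bits  {packet}")
```

With this baseline the routine web request scores about 0.19 bits, the once-seen SSH flow about 5.70, and the never-seen RDP-port packet about 6.70, so a threshold of 4 bits flags the last two. Raising the threshold, or letting the detector keep counting as it watches traffic so that a new-but-persistent service gradually becomes "normal", is where the tuning effort goes in a real deployment.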

This project has lain dormant for a very long time, and Snort has moved on considerably since the last known working version. We are currently in the process of trying to get it up and running again with the latest versions of Snort. If you would like to be involved, or have suggestions for feature enhancements, please join up on the Forums.

The old versions are available for download from the Research pages, along with a paper on the use of SPADE.

Clients

  • JP Morgan Chase
  • 3COM
  • Institute of Cancer Research
  • Vodafone
  • HM Revenue and Customs
  • CIA Excel
  • Golden River Traffic
  • Microsoft
  • Science and Technology Facilities Council
  • Cable and Wireless
  • O'Reilly
  • Parkhill