Firewall Wizards mailing list archives

Re: Intrusion Detection


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 14 Apr 1998 09:22:24 -0400

Hi, what kinds of intrusions can intrusion detection software detect, and
what can it not?

Most of the IDS out there can detect a set of known attacks. The
attacks tend to be denial of service or exploits -- either attempts
to break in or attempts to disable the system.

There are 2 basic categories of IDS (though I am beginning to believe
there is a 3rd): Anomaly Detection and Misuse Detection. The AD-IDS
approach is to try to "understand" what constitutes normal traffic
for the network, and look for things that aren't "normal." The MD-IDS
approach is to know about a variety of attacks and look for them in
progress. Most of the research on IDS is AD-IDS, while most of the
products are MD-IDS. There are a couple of reasons for this:
1) MD-IDS are easier to implement -- the tricky part in an MD-IDS is
        having the "knowledge base" of hacking techniques that you can
        code into your MD engine.
2) MD-IDS are easier to explain (and demo) to a customer -- they will,
        when set up, immediately begin to work, with no need to "train"
        them or establish a baseline.
3) MD-IDS are more marketable -- like with a virus scanning system
        (which is kind of what they are) you can sell your customer
        signature sets.
4) MD-IDS are easier to quantify -- you can tell your customer "It
        detects 250 attacks" instead of "it detects weird stuff."

SNI recently did a paper which pretty seriously questioned simple
network-oriented MD-IDS. They're correct that the MD-IDS approach
in its simple form is fairly limited and easy to get around. What
they neglected to mention is that MD-IDS will catch a lot of the
"ankle biter" hackers until they get better tools or learn what
they are doing. So there may be some value, there.

What can the various IDS detect? In theory, an AD-IDS will detect
anything and everything. Of course, while it is doing so, it will
generate high numbers of false alarms. In theory an MD-IDS will
detect anything that the designers of the MD-IDS know about. Of
course, it won't detect the new attack which is being used on
you right now, which the IDS designers don't know about. Eventually
there will be some kind of system with merged AD/MD logic, would
be my guess.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
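The AD-IDS/MD-IDS trade-off described above, as an added toy example that is not part of Ranum's post or of any NFR product: a misuse detector built from a hand-written signature list, and an anomaly detector that learns a baseline (request-length statistics plus the set of URL paths seen in training) and flags deviations. The signatures, the baseline log lines, the test events and the z-score heuristic are all constructed for illustration. The run shows exactly the behaviour the post predicts: the signature engine catches the known attack and misses the novel one, while the anomaly engine catches both but also raises a false alarm on a perfectly legitimate new page.

```python
import re
import statistics
from typing import Dict, List, Tuple

# --- Misuse detection (MD-IDS): a hand-coded "knowledge base" of known attacks.
# Constructed signatures for illustration; a real product ships hundreds.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-read": re.compile(r"/etc/passwd"),
}


def misuse_detect(request: str) -> List[str]:
    """Return the names of every known signature that matches the request."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]


# --- Anomaly detection (AD-IDS): learn what "normal" looks like, flag deviations.
class AnomalyDetector:
    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold  # z-score above which request length is "weird"
        self.mean = 0.0
        self.stdev = 1.0
        self.paths = set()  # URL paths observed during training

    @staticmethod
    def _path(request: str) -> str:
        # "GET /index.html?x=1 HTTP/1.0" -> "/index.html"
        return request.split()[1].split("?")[0]

    def train(self, requests: List[str]) -> None:
        """Build the baseline: request-length statistics plus the set of seen paths."""
        lengths = [len(r) for r in requests]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0  # guard against zero spread
        self.paths = {self._path(r) for r in requests}

    def is_anomalous(self, request: str) -> bool:
        """Flag a request whose length is far from the mean or whose path was never seen."""
        z = abs(len(request) - self.mean) / self.stdev
        unseen_path = self._path(request) not in self.paths
        return z > self.threshold or unseen_path


# Constructed training traffic standing in for a stretch of "normal" web logs.
BASELINE = [
    "GET /index.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /products.html HTTP/1.0",
    "GET /contact.html HTTP/1.0",
    "POST /cgi-bin/guestbook.cgi HTTP/1.0",
    "GET /index.html?lang=en HTTP/1.0",
]

# Constructed test events, labelled with what they really are.
EVENTS: List[Tuple[str, str]] = [
    ("normal", "GET /index.html HTTP/1.0"),
    ("known-attack", "GET /cgi-bin/../../../etc/passwd HTTP/1.0"),
    ("novel-attack", "GET /" + "A" * 200 + " HTTP/1.0"),  # matches no signature
    ("new-legit-page", "GET /about.html HTTP/1.0"),  # page added after training
]


def evaluate(events=EVENTS, baseline=BASELINE) -> Dict[str, Dict[str, object]]:
    """Run both detectors over the events: {label: {"misuse": [...], "anomaly": bool}}."""
    ad = AnomalyDetector()
    ad.train(baseline)
    return {
        label: {"misuse": misuse_detect(req), "anomaly": ad.is_anomalous(req)}
        for label, req in events
    }


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:15} misuse={verdict['misuse'] or '-'}  anomaly={verdict['anomaly']}")
```

The "new-legit-page" row is the false alarm the post warns about: the anomaly detector has no way to tell a freshly published page from an attacker probing for one, so in practice the baseline has to be retrained whenever the site changes, which is the "training" cost the misuse approach avoids. Conversely, the "novel-attack" row is invisible to the signature engine until someone writes a signature for it.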
