Firewall Wizards mailing list archives
Re: Intrusion Detection
From: tqbf () secnet com
Date: Tue, 14 Apr 1998 16:34:04 -0500 (CDT)
> There are 2 basic categories of IDS (though I am beginning to believe there is a 3rd): Anomaly Detection and Misuse Detection. The AD-IDS approach is to try to "understand" what constitutes normal traffic for the network, and look for things that aren't "normal." The MD-IDS
Be careful that you don't limit consideration of intrusion detection to network traffic. While the bulk of the deployed systems are probably all network-based, the bulk of the systems that have been developed are not. There are lots of interesting prototypes that examine specifically the actions of a user on a single system, using audit trail information.
> in its simple form is fairly limited and easy to get around. What they neglected to mention is that MD-IDS will catch a lot of the "ankle biter" hackers until they get better tools or learn what
... well, we thought it was implied. =)
> What can the various IDS detect? In theory, an AD-IDS will detect anything and everything. Of course, while it is doing so, it will generate high numbers of false alarms. In theory an MD-IDS will
I don't know that I agree with this. One of the basic flaws of "AD-IDS" is that not every attack involves "anomalous" transactions (of course this depends on the model you use to classify anomalies, which I guess is one of the tricky aspects of AD-IDS). A related issue is the fact that systems that "learn" to detect attacks can also "learn" to tolerate them. As a concrete example, there is IDS literature that, in discussing a methodology for building anomaly detection systems, suggests that a good plan is to run down all the aspects of your {system,network,...} that you can quantify, and specific things to monitor that they came up with included things like network traffic levels. I suspect the minority of known attacks would cause unusual amounts of network traffic. I guess the point here is that AD versus MD is not a black-and-white issue of completeness versus accuracy. (Not that this is what I think you're saying).

-----------------------------------------------------------------------------
Thomas H. Ptacek
Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf
"mmm... sacrilicious"
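The "learns to tolerate" failure mode discussed above, as an added illustration that is not part of the thread: a rate-based anomaly detector whose baseline keeps absorbing observed traffic never fires on an attacker who ramps up slowly, while the same detector with a frozen baseline does. The detector, the 25% tolerance and the traffic figures are all constructed for this example.

```python
from statistics import mean

# Constructed input: a quiet baseline of 100 events/minute, then an attacker
# who grows their traffic by only 1% per minute for 100 minutes (ending ~270/min),
# and, for contrast, a single sudden burst of 300/min.
BASELINE = [100.0] * 20
SLOW_RAMP = [100.0 * 1.01 ** i for i in range(1, 101)]
SUDDEN_BURST = [300.0]


class RateAnomalyDetector:
    """Alarms when a sample exceeds the window mean by more than `tolerance`.

    adaptive=True models a detector that keeps "learning" normal traffic by
    folding every observed sample into its sliding window, alarm or not.
    adaptive=False keeps the training baseline fixed.
    """

    def __init__(self, baseline, tolerance=0.25, adaptive=True):
        self.window = list(baseline)
        self.tolerance = tolerance
        self.adaptive = adaptive

    def observe(self, value):
        threshold = mean(self.window) * (1.0 + self.tolerance)
        alarm = value > threshold
        if self.adaptive:
            # The baseline drifts along with the attacker's traffic.
            self.window = self.window[1:] + [value]
        return alarm


def first_alarm(samples, adaptive):
    """Return the 1-based minute of the first alarm, or None if none fired."""
    det = RateAnomalyDetector(BASELINE, adaptive=adaptive)
    for minute, value in enumerate(samples, 1):
        if det.observe(value):
            return minute
    return None


if __name__ == "__main__":
    print("slow ramp, adaptive baseline:", first_alarm(SLOW_RAMP, True))   # None
    print("slow ramp, fixed baseline   :", first_alarm(SLOW_RAMP, False))  # 23
    print("sudden burst, adaptive      :", first_alarm(SUDDEN_BURST, True))  # 1
```

With a sliding window of 20 samples the ramp never exceeds the drifting mean by more than about 11%, so a 25% tolerance is never crossed; the fixed baseline catches it once the rate passes 125/min.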