Firewall Wizards mailing list archives

Re: Intrusion Detection


From: tqbf () secnet com
Date: Tue, 14 Apr 1998 16:34:04 -0500 (CDT)

> There are 2 basic categories of IDS (though I am beginning to believe
> there is a 3rd): Anomaly Detection and Misuse Detection. The AD-IDS
> approach is to try to "understand" what constitutes normal traffic
> for the network, and look for things that aren't "normal." The MD-IDS

Be careful that you don't limit consideration of intrusion detection to
network traffic. While the bulk of the deployed systems are probably all
network-based, the bulk of the systems that have been developed are not.
There are lots of interesting prototypes that examine specifically the
actions of a user on a single system, using audit trail information. 

> in its simple form is fairly limited and easy to get around. What
> they neglected to mention is that MD-IDS will catch a lot of the
> "ankle biter" hackers until they get better tools or learn what

... well, we thought it was implied. =)

> What can the various IDS detect? In theory, an AD-IDS will detect
> anything and everything. Of course, while it is doing so, it will
> generate high numbers of false alarms. In theory an MD-IDS will

I don't know that I agree with this. One of the basic flaws of "AD-IDS" is
that not every attack involves "anomalous" transactions (of course this
depends on the model you use to classify anomalies, which I guess is one
of the tricky aspects of AD-IDS). A related issue is the fact that systems
that "learn" to detect attacks can also "learn" to tolerate them. 

As a concrete example, there is IDS literature that, in discussing a
methodology for building anomaly detection systems, suggests that a good
plan is to run down all the aspects of your {system,network,...} that you
can quantify, and specific things to monitor that they came up with
included things like network traffic levels. I suspect the minority of
known attacks would cause unusual amounts of network traffic.

I guess the point here is that AD versus MD is not a black-and-white issue
of completeness versus accuracy. (Not that this is what I think you're
saying). 

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"
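An added illustration of the two points made above (an attack need not be anomalous in the dimension you chose to measure, and a system that keeps learning can learn to tolerate what it should flag). This is not code from the thread or from any product discussed in it: the traffic records, the baseline numbers and the single signature string are constructed, and the two detectors are deliberately minimal toy models.

```python
"""Added illustration for the discussion above; it is not code from the
Firewall Wizards thread. Two toy detectors run over constructed per-minute
traffic records: a misuse detector (fixed signature strings) and an anomaly
detector (deviation from a traffic-volume baseline). It shows two of the
points raised: an attack need not look anomalous in the dimension you chose
to measure, and a baseline that keeps learning can learn to tolerate drift."""

import statistics
from dataclasses import dataclass


@dataclass
class Record:
    minute: int    # time bucket
    packets: int   # packets seen in that minute (constructed values)
    payload: str   # one sampled request line (constructed)


# Hypothetical signature list for the misuse detector (illustrative only).
SIGNATURES = ("/etc/passwd",)

# Constructed "normal" traffic: ten minutes of roughly 100 packets/minute.
BASELINE = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101]


def misuse_alerts(records):
    """Misuse detection: flag any record whose payload matches a signature."""
    return [r.minute for r in records
            if any(sig in r.payload for sig in SIGNATURES)]


class AnomalyDetector:
    """Volume-based anomaly detection with a baseline of `window` minutes.

    adaptive=False freezes the baseline once trained; adaptive=True keeps a
    sliding window, so every observation (alarming or not) becomes "normal".
    """

    def __init__(self, window=10, threshold=3.0, adaptive=False):
        self.window, self.threshold, self.adaptive = window, threshold, adaptive
        self.history = []

    def observe(self, packets):
        if len(self.history) < self.window:
            self.history.append(packets)      # still training the baseline
            return False
        mean = statistics.fmean(self.history)
        sd = max(statistics.pstdev(self.history), 1.0)   # floor avoids sd == 0
        alarm = abs(packets - mean) > self.threshold * sd
        if self.adaptive:
            self.history = self.history[1:] + [packets]
        return alarm


def anomaly_alerts(records, adaptive):
    """Minutes at which the anomaly detector (frozen or adaptive) alarms."""
    det = AnomalyDetector(adaptive=adaptive)
    return [r.minute for r in records if det.observe(r.packets)]


def baseline_records():
    return [Record(m, p, "GET /index.html") for m, p in enumerate(BASELINE)]


def quiet_attack_records():
    """Minute 10 carries a signature hit at a perfectly ordinary volume."""
    return baseline_records() + [Record(10, 100, "GET /../../etc/passwd")]


def slow_ramp_records():
    """Minutes 10..39 raise volume by 2 packets/minute, ending 60% above baseline."""
    return baseline_records() + [
        Record(m, 100 + 2 * (m - 9), "GET /index.html") for m in range(10, 40)]


def summary():
    """Alarm minutes per detector for both constructed scenarios."""
    quiet, ramp = quiet_attack_records(), slow_ramp_records()
    return {
        "quiet_attack": {
            "misuse": misuse_alerts(quiet),
            "anomaly_frozen": anomaly_alerts(quiet, adaptive=False),
            "anomaly_adaptive": anomaly_alerts(quiet, adaptive=True),
        },
        "slow_ramp": {
            "misuse": misuse_alerts(ramp),
            "anomaly_frozen": anomaly_alerts(ramp, adaptive=False),
            "anomaly_adaptive": anomaly_alerts(ramp, adaptive=True),
        },
    }


if __name__ == "__main__":
    for scenario, results in summary().items():
        print(scenario)
        for detector, minutes in results.items():
            print(f"  {detector:17} alarms at minutes {minutes or 'none'}")
```

In the first scenario only the signature matcher fires: the attack request arrives at a normal volume, so neither anomaly detector sees anything. In the second there is no signature to match; the frozen baseline alarms from minute 12 onward, while the sliding-window detector, which folds each new minute into its notion of normal, never alarms even though volume ends at 160 packets/minute against a baseline of 100. Whether the frozen detector's behaviour is "accurate" depends entirely on whether rising volume is something you cared about, which is the model-choice problem the message points at.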


