Firewall Wizards mailing list archives
RE: Intrusion Prevention Firewall
From: dont <dont () csds uidaho edu>
Date: Mon, 1 Apr 2002 21:15:07 -0800 (PST)
On Mon, 18 Mar 2002, Pieper, Rodney wrote:
> The IDS field is not currently 'mature' enough for automating reacting. We need predictive IDS not reactive.
Here, I think, is the most interesting response to the whole issue of intrusion detection, which is a near and dear topic to me since I have the fantasy of actually completing my PhD in this area within the next year. The term itself was coined, I believe, in 1980, and the field has progressed little since the 80's, partially because it is a moving target. This discussion itself has shown part of the reason why: the lack of clarity of what the term actually encompasses.

I separate the whole issue of intrusion response from the problem of actually detecting it. Trying to solve this Holy Grail (for me anyway) will require a more complete understanding of what is truly happening on the targets during an intrusion, and not just the simplistic methods used now. At some point, someone needs to invest the time and energy to do a complete study (Diego Z.'s PhD last year was a real good start from the *nix side).

My fantasy is to be able to detect the intrusion as it is happening, but that requires not only seeing what is happening through the crapload of data available, but knowing a priori that a particular subsequence is "bad". I have some ideas, but honestly, like most of the research I have studied in the past several years, I may not be able to validate much without a real data set. And one is simply not available. That can be someone else's PhD! :-)

Regrettably, the push for immediate results from both government and industry has probably hurt any real scientific analysis to truly understand all the phenomena involved. Heck, we do not even really understand all the data sources to use while trying to do a detection. (MJR on another list talked about the entire log structure being a problem if I recall.)

So, nice topic started here on FW-wiz! :-)

don tobin
CSDS, Univ of Idaho

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Intrusion Prevention Firewall Crispin Cowan (Mar 31)
- <Possible follow-ups>
- RE: Intrusion Prevention Firewall dont (Apr 02)
- Re: Intrusion Prevention Firewall Crispin Cowan (Apr 03)
- Re: Intrusion Prevention Firewall Gary Flynn (Apr 03)
- RE: Intrusion Prevention Firewall Berny Stapleton (Sydney Technology) (Apr 12)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 16)
- Re: Intrusion Prevention Firewall Mikael Olsson (Apr 16)
- RE: Intrusion Prevention Firewall Dave Piscitello (Apr 16)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 17)
- RE: Intrusion Prevention Firewall Dave Piscitello (Apr 17)
- RE: Intrusion Prevention Firewall R. DuFresne (Apr 18)
- Re: Intrusion Prevention Firewall Crispin Cowan (Apr 03)
- RE: Intrusion Prevention Firewall Mike Shaw (Apr 17)