Firewall Wizards mailing list archives

RE: Intrusion Prevention Firewall

From: dont <dont () csds uidaho edu>
Date: Mon, 1 Apr 2002 21:15:07 -0800 (PST)

On Mon, 18 Mar 2002, Pieper, Rodney wrote:

The IDS field is not currently 'mature' enough for automating reacting. We
need predictive IDS not reactive.


Here, I think, is the most interesting response to the whole issue of
intrusion detection, which is a near and dear topic to me since I have the
fantasy of actually completing my PhD in this area within the next year.

The term itself was coined, I believe in 1980, and the field has
progressed little since the 80's, patially because it is a moving target.
This discussion itself has shown part of the reason why:  the lack of
clarity of what the term actually encompasses.  I separate the whole issue
of intrusion response from the problem of actually detecting it.

Trying to solve this Holy Grail (for me anyway) will require a more
complete understanding of what is truly happening on the targets during an
intrusion, and not just the simplistic methods used now.  At some point,
someone needs to invest the time and energy to do a complete study (Diego
Z.'s PhD last year was a real good start from the *nix side).  My fantasy
is to be able to detect the intrusion as it is happening, but that
requires not only seeing what is happening through the crapload of data
available, but knowing a priori that a particular subsequence is "bad".  I
have some ideas, but honestly, like most of the research I have studied
in the past several years, I may not be able to validate much without a
real data set.  And one is simply not available.  That can be someone
else's PhD!  :-)

Regretably, the push for immediate results from both government and
industry has probably hurt any real scientific analysis to truly
understand all the phenomena involved.  Heck, we do not even really
understand all the data sources to use while trying to do a detection.
(MJR on another list talked about the entire log structure being a problem
if I recall)

So, nice topic started here on FW-wiz!  :-)

don tobin
CSDS, Univ of Idaho

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Intrusion Prevention Firewall Crispin Cowan (Mar 31)
- <Possible follow-ups>
- RE: Intrusion Prevention Firewall dont (Apr 02)
  - Re: Intrusion Prevention Firewall Crispin Cowan (Apr 03)
    - Re: Intrusion Prevention Firewall Gary Flynn (Apr 03)
    - RE: Intrusion Prevention Firewall Berny Stapleton (Sydney Technology) (Apr 12)
    - RE: Intrusion Prevention Firewall R. DuFresne (Apr 16)
    - Re: Intrusion Prevention Firewall Mikael Olsson (Apr 16)
    - RE: Intrusion Prevention Firewall Dave Piscitello (Apr 16)
    - RE: Intrusion Prevention Firewall R. DuFresne (Apr 17)
    - RE: Intrusion Prevention Firewall Dave Piscitello (Apr 17)
    - RE: Intrusion Prevention Firewall R. DuFresne (Apr 18)
    - RE: Intrusion Prevention Firewall Mike Shaw (Apr 17)

(Thread continues...)