IDS mailing list archives
Re: Random IDS Thoughts [WAS: Re: IDS thoughts]
From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Sat, 31 May 2003 23:29:33 +0200
> The fact that most IDS products out there now look the same is based on the fact that most companies out there (or the people running them, to be more precise) know more about making money than designing new technologies.
Applause :-)
> statistical-based IDS, or anomaly-based IDS
Actually, they are not necessarily synonyms, you know? Anomaly-based IDS could be, for instance, based on neural algorithms or other adaptive models.
> could be beaten by flooding a network with "anomalous" traffic
Rather naive. If you have a product that does not "adapt", this is obviously not a problem (i.e., you deploy it, you train it, then you "lock" it).

Letting an algorithm learn by itself and still not get fooled by a semantic drift (this is one of the current names for the effect you described) is not an easy task, but it can be accomplished by following a scheme such as this:

- get the new data
- check if the new data is "wrong"; if it is, fire an alert and do NOT update
- if the new data is not "wrong", update the model to fit a little better on the new data

Obviously someone can still sneakily, bit by bit, subvert the training of the IDS. But it becomes a rather long attack ;-)
> Being notified of events as they occur takes less time, as you only have to deal with the data presented at this time.
In the hope that you won't actually be alerted, say, three times every ten minutes...
> So thinking about all that, I thought of designing a log-based IDS, or LIDS for acronym fans.
That's actually already used for Linux Intrusion Detection System kernel patches :)

I will be looking at LogIDS: looks like a really nice work though!

Stefano
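The "check, then update" scheme Stefano sketches above, worked through as an added example in Python (this is not his code, nor any product's). It assumes a single feature profiled as a Gaussian (running mean and population standard deviation, Welford's method) with a z-score alert threshold; the baseline of "HTTP requests per minute from one monitored subnet", the flood values and the 400 req/min target are all constructed for the demonstration. It runs the same flood against a gated model (anomalous samples alert and are not learned) and a naive one (every sample is learned), then carries out the "bit by bit" subversion he mentions, assuming a worst-case attacker who knows the current model state and always submits a sample just under the threshold.

```python
"""Gated online anomaly detection: alert on anomalous data, learn only from
normal data.  Added example; all traffic values below are constructed."""
import math
from dataclasses import dataclass, field

# Constructed baseline: 30 minutes of normal traffic, mean 50, sd ~1.67.
BASELINE = [48, 52, 50, 49, 51, 50, 47, 53, 50, 50] * 3
# Constructed attack: 20 minutes of flood traffic at 400 requests/minute.
FLOOD = [400] * 20


@dataclass
class GaussianProfile:
    """Running mean / population variance of one feature (Welford's method)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0          # running sum of squared deviations from the mean

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / self.n) if self.n else 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x: float) -> float:
        std = self.std
        if std == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / std


@dataclass
class AnomalyDetector:
    """gated=True: anomalous samples raise an alert and are NOT learned.
    gated=False: every sample is learned (naive adaptive model)."""
    threshold: float = 3.0
    gated: bool = True
    profile: GaussianProfile = field(default_factory=GaussianProfile)
    alerts: list = field(default_factory=list)

    def train(self, samples) -> None:
        for x in samples:
            self.profile.update(x)

    def observe(self, x: float) -> bool:
        """Return True when x is flagged as anomalous."""
        z = self.profile.zscore(x)
        anomalous = z > self.threshold
        if anomalous:
            self.alerts.append((x, round(z, 2)))
        if self.gated and anomalous:
            return True          # alert, but do not let the flood retrain us
        self.profile.update(x)   # normal data (or naive mode): fit a little better
        return anomalous


def steps_to_subvert(det: AnomalyDetector, target: float,
                     margin: float = 0.5, max_steps: int = 2000):
    """Slow 'bit by bit' attack (assumes the attacker knows the model state):
    each sample sits (threshold - margin) sd above the current mean, so it is
    accepted and learned.  Returns the number of samples needed before
    `target` is no longer flagged, or None if max_steps is exhausted."""
    for step in range(max_steps):
        if det.profile.zscore(target) <= det.threshold:
            return step
        probe = det.profile.mean + (det.threshold - margin) * det.profile.std
        if det.observe(probe):
            raise RuntimeError("probe unexpectedly flagged")
    return None


def run_demo() -> dict:
    gated = AnomalyDetector(gated=True)
    naive = AnomalyDetector(gated=False)
    gated.train(BASELINE)
    naive.train(BASELINE)
    for x in FLOOD:
        gated.observe(x)
        naive.observe(x)
    slow = AnomalyDetector(gated=True)
    slow.train(BASELINE)
    return {
        "gated_flood_alerts": len(gated.alerts),
        "gated_n_after_flood": gated.profile.n,
        "gated_mean_after_flood": gated.profile.mean,
        "naive_flood_alerts": len(naive.alerts),
        "naive_mean_after_flood": naive.profile.mean,
        "slow_attack_steps": steps_to_subvert(slow, target=400),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the flood, the gated model alerts on all 20 samples and its profile is untouched (still 30 samples, mean 50), while the naive model alerts only on the first four samples, swallows the rest into its profile and ends with a mean of 190: the flood has become "normal". The slow attack does still succeed against the gated model, but it takes on the order of a hundred carefully sized samples rather than four, which is exactly the "rather long attack" trade-off above; shrinking the gate (a lower threshold, or a cap on how far one accepted sample may move the model) lengthens it further at the cost of more false alerts.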