IDS mailing list archives

Re: IDS thoughts


From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Sun, 18 May 2003 22:19:57 +0200

> There's really not a whole lot else to be done in the IDS market except
> product improvements (code refinement, etc), signature maintenance, and
> keeping up with data rates. Oh, and press releases.

You are joking, right? There's a whole lot of research still open in the
IDS field. Just to begin, you are apparently forgetting that there's a whole
paradigm of ID, anomaly-based detection, which has just been forgotten by
the mainstream development.

In the next few years, while established IDS products will strive to keep
their growing signature base up to date, and face increasing performance
problems, probably some attention will be returned to that preliminary
choice of matching bad_things instead of good_ones.

When it comes to firewalling, we all agree: you just shut down everything
very tight, then open up what few ports you actually need. When it comes to
privileges and authentication, we do the same thing, and we are quick to
point out the error when someone tries to filter out unwanted input, instead
of specifying what the expected one is.

Oddly, when we talk about IDS and antivirus software, we blindly accept that
there's only one way to do it: by describing what we do NOT want on our
system by means of signatures. Well, this happens to be a BAD idea, even
if until now it has given us some satisfaction.

Stefano Zanero
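As an added illustration of the positive-model argument in the post above (example code, not part of the original message), here is a toy Python comparison of a signature list against a profile of what "expected" requests look like. The request samples, the two signatures and the profile features (method, path, query length, query shape) are all constructed for the example.

```python
import re

# Constructed sample traffic as (method, path, query) tuples. TRAINING stands in
# for observed normal use; TEST mixes normal requests with suspect ones.
TRAINING = [
    ("GET", "/index.html", ""),
    ("GET", "/products", "id=17"),
    ("GET", "/products", "id=42"),
    ("POST", "/login", "user=alice"),
    ("POST", "/login", "user=bob"),
    ("GET", "/static/logo.png", ""),
]
TEST = [
    ("GET", "/products", "id=19"),               # normal
    ("GET", "/products", "id=1 UNION SELECT 1"), # matches a known signature
    ("GET", "/admin/export", ""),                # never-seen path, no signature for it
    ("PUT", "/products", "id=19"),               # unexpected method, no signature for it
]

# Negative model: enumerate the bad things we already know about (constructed).
SIGNATURES = [re.compile(r"union\s+select", re.I), re.compile(r"\.\./")]

def signature_alerts(req):
    """True when any known-bad pattern appears in path or query."""
    _, path, query = req
    return any(sig.search(path + "?" + query) for sig in SIGNATURES)

def shape(query):
    """Collapse a query into a coarse shape: letter runs -> A, digit runs -> N,
    so 'id=17' and 'id=42' share the shape 'A=N'."""
    return re.sub(r"[0-9]+", "N", re.sub(r"[A-Za-z]+", "A", query))

# Positive model: describe what normal looks like, then flag everything else.
class Profile:
    def __init__(self, training):
        self.methods = {m for m, _, _ in training}
        self.paths = {p for _, p, _ in training}
        self.shapes = {shape(q) for _, _, q in training}
        self.max_query_len = max(len(q) for _, _, q in training)

    def anomaly_reasons(self, req):
        """Empty list means the request fits the learned profile. Note that a
        legitimate new path would also be flagged: the cost of this model is
        false positives whenever 'normal' changes without retraining."""
        method, path, query = req
        reasons = []
        if method not in self.methods: reasons.append("unknown method")
        if path not in self.paths: reasons.append("unknown path")
        if len(query) > self.max_query_len: reasons.append("query too long")
        if shape(query) not in self.shapes: reasons.append("unusual query shape")
        return reasons

def classify(training, requests):
    """Return (request, signature_hit, anomaly_reasons) for each request."""
    profile = Profile(training)
    return [(r, signature_alerts(r), profile.anomaly_reasons(r)) for r in requests]
```

Running `classify(TRAINING, TEST)` shows the signature list catching only the request it already describes, while the profile flags the unseen path and method as well.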

