IDS mailing list archives

Re: IDS thoughts


From: Thomas H. Ptacek <tqbf () pobox com>
Date: Tue, 20 May 2003 17:04:57 -0400

I haven't seen any sound theory on dynamically learning the "norm" of a
network that learns more than connection/flow patterns. I would dispute
the utility of an IDS that couldn't tell me that the CEO's laptop was
[ ... elided unfairly ]

"Anomaly detection" isn't an architecture or implementation. It's no more "rate over time, cross host cross protocol" than it is "validate against RFCs". Anomaly detection is the philosophy of design that says that we can find interesting events by looking for deviations from the norm. We need to be careful about pigeonholing the entire philosophy --- which is going to be fertile ground for research and development in the coming years --- into the box that sits on your DMZ and tries to spit out alerts about hacker attacks.

I'm trying to coin the term "model-driven" as a replacement for "anomaly-based" when discussing this stuff. "Model-driven" connotes the fact that there are different threat models, and therefore different logical models, involved in addressing the total network security challenge. In this context, it matters much less that a given approach is "anomaly-driven", and much more _which model_ is being used. This is a question I think people should ask of anyone trying to sell an "anomaly detection" system.

There seems to be a low-intensity, largely specious argument occurring over whether "anomaly detection" is the answer to the "problems" of signature detection. I try not to involve myself in this. I see signature detection systems as a coherent response to the scripted attack threat that Internet perimeters face. The basic nature of a flow modeling system lends itself towards a certain set of threats: they aren't grepping payloads for strings. The basic nature of a signature system lends itself towards a different set of threats: it's hard to write the signature that says "web consultants shouldn't talk to the payroll server".

The real fallacy here (and I'm not saying it's in your argument) is the idea that one system is going to address the whole network security policy --- at least, any time soon. This attitude has some organizations trying to solve internal security problems by monitoring for RPC vulnerabilities, while ignoring the innocuous-looking transactions occurring between a secretary and the CVS server. It also has highly simplistic statistical systems trying to sub for detailed signatures at the network perimeter. Let's agree that this is not optimal.

Since you bring it up, let's quickly address the point that "anomaly detection vendors are correlating signature alerts with their own alerts". Independent of whether implementation, model, and approach are calibrated with the threat they're deployed against, correlation is something that is going to happen. It's less a function of how interesting the combination of the two alert streams is, and more a function of the combination of the signature alert stream and the underlying anomaly _model_. Models mine interesting things out of networks. That's just what models do. This is less an issue of "hybridization" and more a recognition that computer science has value across the board in solving security issues.

---
Thomas H. Ptacek // Product Manager @ Arbor Networks
(734) 821-1432
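A constructed illustration, added here and not code from the post or from Arbor Networks, of the flow-modeling check the post contrasts with payload signatures: the model learns which destinations each source host normally talks to (host names and flows are invented) and flags a new consultant-to-payroll flow without reading a single byte of payload.

```python
from collections import defaultdict

# Constructed baseline of observed flows: (src_host, dst_host, dst_port).
# Host names are invented for the illustration.
BASELINE_FLOWS = [
    ("consultant-ws1", "www-prod", 80),
    ("consultant-ws1", "www-staging", 80),
    ("consultant-ws2", "www-prod", 443),
    ("secretary-pc", "cvs-server", 2401),
    ("hr-pc", "payroll", 443),
]

# Constructed flows seen after the learning period.
NEW_FLOWS = [
    ("secretary-pc", "cvs-server", 2401),  # routine; no payload signature would flag it
    ("consultant-ws1", "payroll", 443),    # the "web consultant talks to payroll" case
    ("consultant-ws2", "www-prod", 443),
]

def learn_flow_model(flows):
    """Build the 'norm': for each source host, the set of (dst, port) pairs it used."""
    model = defaultdict(set)
    for src, dst, port in flows:
        model[src].add((dst, port))
    return dict(model)

def flow_anomalies(model, flows):
    """Return flows whose (dst, port) lies outside the source host's learned set.

    Only flow metadata is consulted; no payload is inspected.  This expresses a
    policy deviation that a string signature cannot, and it will not notice a
    scripted exploit riding inside an otherwise normal-looking flow."""
    return [
        (src, dst, port)
        for src, dst, port in flows
        if (dst, port) not in model.get(src, set())
    ]

if __name__ == "__main__":
    model = learn_flow_model(BASELINE_FLOWS)
    for src, dst, port in flow_anomalies(model, NEW_FLOWS):
        print(f"deviation from learned model: {src} -> {dst}:{port}")
```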

