IDS mailing list archives
Re: IDS thoughts
From: "Raistlin" <raistlin () gioco net>
Date: Mon, 26 May 2003 21:33:42 +0200
Please excuse the out-of-order quotation, but I lost some messages in a disk crash:
> Mike, enjoyed the thoughts below. It's also interesting to note, that Dr. Denning, who most consider the mother of Anomaly Detection (because of her 1985 paper on it) even concluded in her landmark paper that she didn't believe AD alone to be a viable, stand-alone ID model. Even back then she saw it as an adjunct model...which supports the whole hybrid, use-both-where-they-fit-best solutions.
This is pretty obvious to me, too: please excuse me if this wasn't clear in my first message :)
> I don't think anyone has forgotten anomaly-based detection. Most players are taking a hybrid approach.
This is what they say, but beyond marketing hype and some small, limited attempts at portscan detection, there is nothing of the kind in production systems. I welcome counter-examples, of course!
> Keeping up isn't as hard as you would think.
I hope so, but in your analysis you are forgetting memory requirements for stream reassembly, and a lot of complications beyond simple pattern matching ;)
> Ok. I do both firewall development (OpenBSD) and IDS development (NFR). And they are totally different, dare I use a buzz word, paradigms.
Thank God for that, but you completely missed my point. I was saying that misuse detection is like shutting down what you DON'T want (which is something we know works only on a limited, case-by-case basis), and anomaly detection is like allowing only what you want. I was not implying that you can actually DO 100%, totally accurate anomaly detection, while you can sometimes define a totally tight policy for your firewall. By the way, "paradigm" is by no means a buzzword. It's a perfectly well-defined scientific word, which has a meaning. If vendors keep using it for other things, that's not my fault :)
> Thus you see many vendors transitioning (have already done so) to doing anomaly detection where feasible, and "bad thing" detection when not.
I don't see the former, actually. Looking for pointers, if you can provide any :)
> I'll make a standing offer, I will buy anyone a cookie that can describe their enterprise network usage adequately enough that would allow pure anomaly detection.
The point is not in using human knowledge for it, but in trying to design systems that can actually build such a model automatically.

Stefano
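To make the "deny what you don't want" versus "allow only what you want" contrast concrete, here is a small added example (written for this archive page, not code from any poster or product). It runs a signature list and a per-host port profile learned from a training window over constructed connection records: one record carries known-bad content on an allowed port, one uses a never-seen port, one is legitimate traffic that simply was not in the training window, and one is ordinary. The hostnames, ports, payloads and signature names are all made up; the signatures are placeholders standing in for real IDS rules.

```python
"""Misuse ("deny what you don't want") vs anomaly ("allow only what you
want") detection over constructed connection records.

Everything here is constructed for illustration: hosts, ports and payloads
are invented and the signature strings are placeholders, not real IDS rules.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One observed connection (constructed sample record)."""
    host: str       # internal client
    dport: int      # destination port
    payload: bytes  # first bytes of the application data


# --- Misuse detection: a finite list of things we know are bad. ----------
# Placeholder patterns, not real signatures.
SIGNATURES = {
    "SIG-TRAVERSAL": b"../../",
    "SIG-CMD-EXE": b"cmd.exe",
}


def misuse_detect(conn: Conn) -> list[str]:
    """Return the names of every signature that matches the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in conn.payload]


# --- Anomaly detection: learn the allowed set from a training window. -----
class PortProfile:
    """Per-host allow-list of destination ports, built from observed traffic.

    The simplest possible "model of normal": anything a host did during
    training is normal, anything else is anomalous. It is exactly as good as
    the training window is representative, which is the weakness the thread
    argues about (the "describe your network usage adequately" problem).
    """

    def __init__(self) -> None:
        self.allowed: dict[str, set[int]] = defaultdict(set)

    def train(self, conns: list[Conn]) -> None:
        for c in conns:
            self.allowed[c.host].add(c.dport)

    def detect(self, conn: Conn) -> bool:
        """True when the connection falls outside the learned profile."""
        return conn.dport not in self.allowed.get(conn.host, set())


# Constructed training window: two workstations doing web and mail.
TRAINING = [
    Conn("ws1", 80, b"GET /index.html"),
    Conn("ws1", 443, b"\x16\x03\x01"),
    Conn("ws1", 25, b"EHLO ws1"),
    Conn("ws2", 80, b"GET /news"),
    Conn("ws2", 443, b"\x16\x03\x01"),
]

# Constructed evaluation set, one record per case the thread discusses.
EVAL = {
    # known-bad content on an allowed port: only the signature fires
    "known_exploit": Conn("ws1", 80, b"GET /cgi/../../etc/passwd"),
    # unknown content on a never-seen port: only the profile fires
    "novel_channel": Conn("ws1", 6667, b"unknown protocol"),
    # legitimate, but absent from the training window: profile false positive
    "new_legit_use": Conn("ws2", 25, b"EHLO ws2"),
    # ordinary traffic: neither fires
    "benign": Conn("ws2", 80, b"GET /about"),
}


def run_both() -> dict[str, tuple[list[str], bool]]:
    """Run both detectors over EVAL; returns {case: (signature_hits, is_anomalous)}."""
    profile = PortProfile()
    profile.train(TRAINING)
    return {name: (misuse_detect(c), profile.detect(c)) for name, c in EVAL.items()}


if __name__ == "__main__":
    for case, (sigs, anomalous) in run_both().items():
        print(f"{case:14s} misuse={sigs or '-'} anomaly={anomalous}")
```

The four outcomes line up with the argument in the message: the signature list catches only what it was told about, the profile catches the novel channel the signature list has no rule for, and the same profile also raises an alert on legitimate traffic the training window never saw. That last case is the cost the thread attaches to "pure" anomaly detection and the reason the hybrid position keeps both detectors.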
Current thread:
- Re: IDS thoughts, (continued)
- Re: IDS thoughts Stefano Zanero (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Thomas H . Ptacek (May 20)
- Re: IDS thoughts Ramani Yellapragada (May 20)
- Re: IDS thoughts Lance Spitzner (May 21)
- Re: IDS thoughts Stefano Zanero (May 27)
- Re: IDS thoughts Bill Royds (May 21)
- Re: IDS thoughts Mike Frantzen (May 20)
- Re: IDS thoughts Stefano Zanero (May 20)
- Re: IDS thoughts Roger A. Grimes (May 21)
- Re: IDS thoughts Raistlin (May 27)
- Random IDS Thoughts [WAS: Re: IDS thoughts] Greg Shipley (May 29)
- Message not available
- Re: Random IDS Thoughts [WAS: Re: IDS thoughts] SecurIT Informatique Inc. (May 30)