IDS mailing list archives

RE: Network hardware IPS


From: Dave Killion <Dkillion () netscreen com>
Date: Mon, 6 Oct 2003 15:01:19 -0700

Stefano,

Perhaps I may have misunderstood some of your points, but the fact
remains that I can decrease FP without affecting DR, something that you
said wasn't possible:

Do you notice something? You _CAN_ reduce by any factor (92%, 95%,
99.9999%) the FP rate - but you WILL, always, without doubt, pay a
price in detection rate terms.

My examples were to point out the fact that DR is not directly related
to FP - and that you do *not* ALWAYS have a decrease in DR when reducing
FP.

Real world example: If I see "cmd.exe" in a URL, I will, every time,
detect a malicious act.  But if I'm not looking for it, and instead am
looking for the path, say "windows/system32", I'm going to get both
false positives and false negatives.  Or if I'm looking for "cmd.exe" in
a port 80 stream, I'll get perfect DR but bad FP.

Fragments vs. packets vs. stream - you need to see it as the victim
would.  Encoding attacks, fragment overlap attacks, etc - all come out
in the wash if you parse it the same as the victim.  Once put within
that perspective, attack detection becomes relatively straightforward.

Polymorphic attacks are very interesting and all, but when it comes down
to it, they are a very small minority.  In order to exploit the new DCOM
vulnerability, you need to open a REMACT binding.  This is hard-coded
and can't be morphed.  There's a variety, but still a finite number of
ways to make an x86 No-Op slide.

It's about accuracy and context = quality.  You *can* reduce FP without
impacting DR.  If I didn't believe that, I'd not have a job.

-Dave
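The three detection strategies Dave contrasts above (raw "cmd.exe" substring, looking for the system directory path, and matching "cmd.exe" after parsing the request the way the victim would) can be put side by side on a handful of request lines. The following is an added example written for this archive page, not code from the original post or from any NetScreen product. `decode_like_victim` is an assumed approximation of a lenient IIS-style server: two rounds of percent-decoding (the "double decode" quirk), tolerance of overlong two-byte UTF-8 for ASCII, backslash-to-slash, and case folding. The sample URLs are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_to_bytes


def decode_like_victim(path: str, rounds: int = 2) -> str:
    """Canonicalise a request path roughly the way a lenient IIS-style server
    would before it touches the filesystem (assumed behaviour, see lead-in):
      * `rounds` passes of percent-decoding, so %255c -> %5c -> backslash
      * overlong 2-byte UTF-8 (0xC0/0xC1 lead byte) decoded to its ASCII value
      * backslashes folded to forward slashes, everything lower-cased
    """
    raw = path.encode("latin-1", "replace")
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)  # one round of %xx -> byte
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        # overlong encoding such as %c0%af: decode to the ASCII byte it hides
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
            continue
        out.append(b)
        i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


# Matcher 1: literal "cmd.exe" in the wire bytes, no decoding (high FN).
def raw_match(url: str) -> bool:
    return "cmd.exe" in url


# Matcher 2: look for the directory path instead of the binary (high FP).
def path_match(url: str) -> bool:
    return "windows/system32" in decode_like_victim(url)


# Matcher 3: "cmd.exe" as a whole path segment in the victim's view of the URL.
CMD_RE = re.compile(r"(^|/)cmd\.exe(\?|$)")


def victim_match(url: str) -> bool:
    return CMD_RE.search(decode_like_victim(url)) is not None


# Constructed sample traffic: (request path, is_malicious).
SAMPLES = [
    ("/scripts/..%255c..%255cwindows/system32/%63md.exe?/c+dir", True),   # double-encoded
    ("/scripts/..%c0%af..%c0%afwindows/system32/cmd%2eexe?/c+dir", True),  # overlong UTF-8
    ("/msadc/..%5c..%5cWINDOWS%5cSYSTEM32%5cCMD.EXE?/c+dir", True),        # backslash + case
    ("/downloads/windows/system32/readme.html", False),                     # benign docs path
    ("/kb/cmd-exe-alternatives.html", False),                               # benign, similar text
    ("/help/windows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts.txt", False),        # benign, encoded
]


def evaluate(matcher, samples=SAMPLES):
    """Return (detection rate over malicious samples, false-positive count)."""
    malicious = [u for u, mal in samples if mal]
    benign = [u for u, mal in samples if not mal]
    tp = sum(1 for u in malicious if matcher(u))
    fp = sum(1 for u in benign if matcher(u))
    return tp / len(malicious), fp


if __name__ == "__main__":
    for name, m in (("raw", raw_match), ("path", path_match), ("victim", victim_match)):
        dr, fp = evaluate(m)
        print(f"{name:7s} DR={dr:.2f} FP={fp}")
```

On these samples the raw substring match has no false positives but catches none of the encoded attacks; matching the path catches all of them but also fires on benign documentation URLs; decoding as the victim does and then matching "cmd.exe" keeps the full detection rate with no false positives, which is the FP-without-DR-cost trade the post argues for. The decoder is deliberately tied to one victim model: the same request parsed as a different server would parse it can yield a different canonical form, so the normalisation an IPS applies has to track the target, not a generic notion of "the URL".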
