IDS mailing list archives
RE: Network hardware IPS
From: Dave Killion <Dkillion () netscreen com>
Date: Mon, 6 Oct 2003 15:01:19 -0700
Stefano,

Perhaps I may have misunderstood some of your points, but the fact remains that I can decrease FP without affecting DR, something that you said wasn't possible:

> Do you notice something? You _CAN_ reduce by any factor (92%, 95%, 99.9999%) the FP rate - but you WILL, always, without doubt, pay a price in detection rate terms.

My examples were to point out the fact that DR is not directly related to FP - and that you do *not* ALWAYS have a decrease in DR when reducing FP.

Real world example: If I see "cmd.exe" in a URL, I will, every time, detect a malicious act. But if I'm not looking for it, and instead am looking for the path, say "windows/system32", I'm going to get both false positives and false negatives. Or if I'm looking for "cmd.exe" in a port 80 stream, I'll get perfect DR but bad FP.

Fragments vs. packets vs. stream - you need to see it as the victim would. Encoding attacks, fragment overlap attacks, etc. - all come out in the wash if you parse it the same as the victim. Once put within that perspective, attack detection becomes relatively straightforward.

Polymorphic attacks are very interesting and all, but when it comes down to it, they are a very small minority. In order to exploit the new DCOM vulnerability, you need to open a REMACT binding. This is hard-coded and can't be morphed. There's a variety, but still a finite number of ways to make an x86 No-Op slide.

It's about accuracy and context = quality. You *can* reduce FP without impacting DR. If I didn't believe that, I'd not have a job.

-Dave
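Added illustration (not from the thread or from any product mentioned in it): the "parse it as the victim would" point, worked as a small detector. A raw-byte "cmd.exe" match misses encoded variants, a "windows/system32" path rule fires on benign pages, and a rule applied to the server's decoded view of the URL gets full detection with no false positives on the samples. All request lines are constructed, and the two-round percent-decoding is an assumption about how permissive the victim server is.

```python
from urllib.parse import unquote

# Constructed request lines for the demo: (request line, is it really an attack?)
SAMPLES = [
    ("GET /scripts/cmd.exe HTTP/1.0", True),                 # plain
    ("GET /scripts/cmd%2Eexe HTTP/1.0", True),               # percent-encoded dot
    ("GET /scripts/c%6Dd%2eexe HTTP/1.0", True),             # mixed-case hex escapes
    ("GET /scripts/CMD.EXE HTTP/1.0", True),                 # same file on Windows
    ("GET /scripts/cmd%252Eexe HTTP/1.0", True),             # double-encoded
    ("GET /docs/windows/system32/faq.html HTTP/1.0", False),  # benign mention of the path
    ("GET /index.html HTTP/1.0", False),
]

def victim_view(request_line: str, decode_rounds: int = 2) -> str:
    """Normalise the URL the way a permissive Windows/IIS-style server would:
    percent-decode (twice, to cover double-encoding), fold backslashes, ignore case.
    decode_rounds is an assumption about the victim; decoding more than the
    real server does would reintroduce false positives."""
    url = request_line.split()[1]
    for _ in range(decode_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/").lower()

def naive_rule(req: str) -> bool:
    return "cmd.exe" in req                        # raw bytes, no decoding

def path_rule(req: str) -> bool:
    return "windows/system32" in victim_view(req)  # wrong context for the signature

def context_rule(req: str) -> bool:
    return "cmd.exe" in victim_view(req)           # what the server will actually resolve

def rates(rule, samples=SAMPLES):
    """Return (detected, missed, false_positives) for a rule over the samples."""
    detected = sum(1 for r, bad in samples if bad and rule(r))
    missed = sum(1 for r, bad in samples if bad and not rule(r))
    fps = sum(1 for r, bad in samples if not bad and rule(r))
    return detected, missed, fps

if __name__ == "__main__":
    for rule in (naive_rule, path_rule, context_rule):
        print(f"{rule.__name__:13s} detected/missed/FP = {rates(rule)}")
```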