RE: Network hardware IPS

[david maynor <david.maynor () oit gatech edu>]

That is a nice example, but it hardly ever works like that. How about
you detect a worm that generates a lot of syns with a window size of
41425? You can write a sig that is dead on accurate but still detect
many false positives. You can't expect every attack to have
"written_by_phc" as a string in a packet.

On Mon, 2003-10-06 at 16:03, Dave Killion wrote:
> Stefano,
>
> I hate Marketing spin as much as the next engineer, but with respect, I
> disagree here entirely.
>
> False Positive reduction has nothing to do with Detection Rate.
> Reducing False Positives has everything to do with accuracy and context.
>
>
> Hypothetical Example:
>
> A hostile attack looks like "LeetAttack 1.0" - this is the actual, valid
> attack string.  But say this string is only hostile if sent as the User
> Agent in an HTTP connection.  Maybe it's a backdoor coded by the
> webserver author, etc whatever.
>
> IDS System A has a signature to detect this attack.  They look for "1.0"
> anywhere in an HTTP stream.  Do they detect the attack?  Yes.  How many
> false positives - that is, triggers on this signature that are not valid
> attacks - you think they'll get?  I'd say quite a bit.  So, Detection =
> 100%, FP ~ 60-99%.
>
> IDS System B also has a signature to detect this attack.  They look for
> "1.0", but they are advanced and have a context matching system that
> allows them to look only at certain fields within the HTTP stream, one
> of which is the User Agent.  So they put "1.0" in the User Agent
> context.  Do they detect the attack?  Yes.  How's their false positive
> rate?  Lower than System A, I'd wager, but there's still some there.  Do
> they detect the attack any less than System A?  No = both systems would
> always detect every attack.  Detection = 100%, FP ~ 30-50% - No decrease
> in detection, but half the FP's.
>
> IDS System C also has a signature to detect this attack.  They have the
> User Agent context as well, and they put "LeetAttack 1.0" as the
> detection string.  Do they detect the attack?  You bet - 100%.  Do they
> have False Positives?  No - unless someone was stupid enough to make a
> valid web browser with that string as the User Agent.  And you'd have to
> wonder at their motivations if they did.  Detection = 100%, FP = 0% - No
> decrease in detection, but infinitely less FP's.
>
>
> Obviously, the real world isn't as cut and dry as this example, but the
> principles are the same - find something unique to the attack, go for
> root cause, and get the context as specific as possible.  You will
> maximize detection while minimizing false positives.  
>
> I hope this information is helpful, 
>
> Dave Killion 
> Senior Security Engineer 
> Security Group, NetScreen Technologies, Inc.
>
>  
>
> This email contains material that is confidential.  The content of this
> email is for the sole use of the intended recipient(s).  Any review or
> distribution by persons other than the intended recipient(s) without the
> express permission of NetScreen Technologies, Inc. is strictly
> prohibited.  If you are not the intended recipient, please contact the
> sender and delete/destroy all copies of this email and any related
> attachments.  NetScreen does not guarantee the accuracy or completeness
> of third party materials or information.



---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------