IDS mailing list archives
RE: Network hardware IPS
From: david maynor <david.maynor () oit gatech edu>
Date: Tue, 07 Oct 2003 13:16:49 -0400
That is a nice example, but it hardly ever works like that. How about you detect a worm that generates a lot of SYNs with a window size of 41425? You can write a sig that is dead-on accurate but still detect many false positives. You can't expect every attack to have "written_by_phc" as a string in a packet.

On Mon, 2003-10-06 at 16:03, Dave Killion wrote:
> Stefano, I hate Marketing spin as much as the next engineer, but with respect, I disagree here entirely. False Positive reduction has nothing to do with Detection Rate. Reducing False Positives has everything to do with accuracy and context.
>
> Hypothetical Example: A hostile attack looks like "LeetAttack 1.0" - this is the actual, valid attack string. But say this string is only hostile if sent as the User Agent in an HTTP connection. Maybe it's a backdoor coded by the webserver author, etc., whatever.
>
> IDS System A has a signature to detect this attack. They look for "1.0" anywhere in an HTTP stream. Do they detect the attack? Yes. How many false positives - that is, triggers on this signature that are not valid attacks - do you think they'll get? I'd say quite a bit. So, Detection = 100%, FP ~ 60-99%.
>
> IDS System B also has a signature to detect this attack. They look for "1.0", but they are advanced and have a context matching system that allows them to look only at certain fields within the HTTP stream, one of which is the User Agent. So they put "1.0" in the User Agent context. Do they detect the attack? Yes. How's their false positive rate? Lower than System A, I'd wager, but there's still some there. Do they detect the attack any less than System A? No - both systems would always detect every attack. Detection = 100%, FP ~ 30-50% - No decrease in detection, but half the FPs.
>
> IDS System C also has a signature to detect this attack. They have the User Agent context as well, and they put "LeetAttack 1.0" as the detection string. Do they detect the attack? You bet - 100%. Do they have False Positives? No - unless someone was stupid enough to make a valid web browser with that string as the User Agent. And you'd have to wonder at their motivations if they did. Detection = 100%, FP = 0% - No decrease in detection, but infinitely fewer FPs.
>
> Obviously, the real world isn't as cut and dry as this example, but the principles are the same - find something unique to the attack, go for root cause, and get the context as specific as possible. You will maximize detection while minimizing false positives.
>
> I hope this information is helpful,
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.
>
> This email contains material that is confidential. The content of this email is for the sole use of the intended recipient(s). Any review or distribution by persons other than the intended recipient(s) without the express permission of NetScreen Technologies, Inc. is strictly prohibited. If you are not the intended recipient, please contact the sender and delete/destroy all copies of this email and any related attachments. NetScreen does not guarantee the accuracy or completeness of third party materials or information.
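A constructed illustration of the three signature tiers in the quoted hypothetical (added example, not code from either poster): the same "LeetAttack 1.0" attack string matched with no context, in the User-Agent context, and as the full string in that context, measured over a small set of made-up HTTP requests. The Wget request with "1.0" in its User-Agent is the residual false positive both posters allude to: a precise pattern on a common field still fires on legitimate traffic.

```python
# Added example: compare Killion's signatures A, B and C on constructed requests.
from typing import Callable, Dict, List, Tuple

def parse_http_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def sig_a(raw: str) -> bool:
    """System A: "1.0" anywhere in the HTTP stream, no context."""
    return "1.0" in raw

def sig_b(raw: str) -> bool:
    """System B: "1.0" restricted to the User-Agent header context."""
    return "1.0" in parse_http_request(raw)[1].get("user-agent", "")

def sig_c(raw: str) -> bool:
    """System C: the full attack string, restricted to the User-Agent context."""
    return "LeetAttack 1.0" in parse_http_request(raw)[1].get("user-agent", "")

def req(agent: str, path: str = "/", version: str = "1.1") -> str:
    """Build a minimal constructed GET request (hypothetical host)."""
    return f"GET {path} HTTP/{version}\r\nHost: www.example.com\r\nUser-Agent: {agent}\r\n\r\n"

# Constructed corpus of (request, is_attack); none of this is captured traffic.
CORPUS: List[Tuple[str, bool]] = [
    (req("LeetAttack 1.0"), True),                                   # the real attack
    (req("LeetAttack 1.0", "/cgi-bin/x"), True),                     # same attack, other path
    (req("Mozilla/5.0 (X11; Linux)"), False),                        # benign, no "1.0" at all
    (req("Lynx/2.8.5", "/", "1.0"), False),                          # benign HTTP/1.0 client: A only
    (req("Mozilla/4.0 (compatible; MSIE 6.0)", "/v1.0/"), False),    # "1.0" in the path: A only
    (req("Wget/1.0.1"), False),                                      # "1.0" in User-Agent: A and B
    (req("curl/7.10.0"), False),                                     # benign, no "1.0" anywhere
]

def evaluate(sig: Callable[[str], bool]) -> Tuple[float, float]:
    """Return (detection rate over attacks, false-positive rate over benign requests)."""
    attacks = [r for r, bad in CORPUS if bad]
    benign = [r for r, bad in CORPUS if not bad]
    return sum(sig(r) for r in attacks) / len(attacks), sum(sig(r) for r in benign) / len(benign)

if __name__ == "__main__":
    for name, sig in (("A", sig_a), ("B", sig_b), ("C", sig_c)):
        det, fp = evaluate(sig)
        print(f"System {name}: detection {det:.0%}, false positives {fp:.0%}")
```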