IDS mailing list archives
RE: NIPS Vendors explicit answer
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 8 Apr 2004 11:55:11 -0700
I'm interested in hearing the responses to this as well but wanted to point out one issue in your initial paragraph. See inline comments. toby
-----Original Message-----
From: christian graf [mailto:chr.graf () gmx de]
Sent: Wednesday, April 07, 2004 7:07 AM
To: focus-ids
Subject: NIPS Vendors explicit answer

Hi all,

there are many "imaginable" ways for a NIPS to detect traffic which should be blocked. Pattern-based, data-mining methods (to even guess into encrypted traffic - see http://www.phrack.org/show.php?p=61&a=9), RFC anomaly, protocol-based anomaly (layer 4 flows, new listening services, new protocols, ...), statistical methods, ... Those methods will most likely be combined with neural networks, back-propagation networks, state machines and at least with some voodoo called heuristics.
Actually, this is one of the key issues for something that is claiming to do "intrusion prevention" and not just doing inline IDS. To do "intrusion prevention" via network traffic, you can't have decisions that are made after the connection is done. In fact, for the most part the decisions must be made as quickly as possible. That removes data-mining as an option; it also potentially removes the more complex methods you mention like neural networks (though there are so many things that could mean that debating it doesn't do much good). Traffic analysis is equally problematic (especially if you want any sort of accuracy).

toby
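Added illustration of the point above (not code from the thread or from any vendor): an inline engine must decide per packet and can drop the offending packet before it is forwarded, whereas a whole-flow analysis that scores the reassembled connection only reaches a verdict after every byte has already been delivered. The packets, the pattern rule and the non-printable-byte threshold are constructed for the example.

```python
from dataclasses import dataclass
SIGNATURE = b"/bin/sh"   # constructed pattern-based rule, not a real NIPS signature

@dataclass
class Packet:
    flow: str
    payload: bytes

@dataclass
class Verdict:
    delivered_before_verdict: int = 0  # payload bytes forwarded before any decision
    blocked: bool = False
    alerted: bool = False

def inline_engine(packets):
    """Prevention: decide forward/drop per packet, using only what has been seen
    so far. A blocked flow forwards nothing further."""
    state = {}
    for p in packets:
        v = state.setdefault(p.flow, Verdict())
        if v.blocked:
            continue
        if SIGNATURE in p.payload:
            v.blocked = True           # decided before this packet is forwarded
        else:
            v.delivered_before_verdict += len(p.payload)
    return state

def whole_flow_engine(packets, nonprint_threshold):
    """Post-connection analysis: reassemble each flow and score it once complete.
    By then every byte has reached the destination, so it can only alert."""
    flows = {}
    for p in packets:
        flows.setdefault(p.flow, bytearray()).extend(p.payload)
    results = {}
    for name, data in flows.items():
        v = Verdict(delivered_before_verdict=len(data))
        # constructed statistical check: fraction of non-printable bytes
        nonprint = sum(1 for b in data if b < 0x20 or b > 0x7E)
        v.alerted = SIGNATURE in data or nonprint / max(len(data), 1) > nonprint_threshold
        results[name] = v
    return results

SAMPLE = [  # constructed traffic: one benign HTTP flow, one flow carrying the pattern
    Packet("benign", b"GET /index.html HTTP/1.0\r\n"),
    Packet("evil", b"GET /cgi-bin/x?"),
    Packet("evil", b"\x90" * 16 + b"/bin/sh"),
    Packet("benign", b"Host: example.test\r\n\r\n"),
]
```

Running both engines over SAMPLE shows the inline engine stopping the "evil" flow after 15 forwarded bytes, while the whole-flow engine alerts only after all 38 bytes have been delivered.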