IDS mailing list archives
Re: A Network IPS Proposal (was Definition of Zero Day Protection)
From: Shaiful <shaifuljahari () yahoo com>
Date: Mon, 16 Aug 2004 17:01:31 -0700 (PDT)
Hi,

What I meant by similar pattern is a similar "exploit pattern" for a particular worm variant. For example, Code Red 1 & 2 share a similar "exploit pattern". The same can be said about Sasser. It is similar because it's the same worm variant or mutation. I'll give a very simple analogy. If you want to visit my country, you're required to have a 'malaria injection'. What it actually is is a weakened bacteria that helps your immune system develop protection against the more potent similar bacteria if you happen to get infected. This is a similar pattern in the real world. Even the best protection system in the world cannot predict the future ;-)

The other way to look at this is that we have to look at the virus/worm life cycle. After the release moment (zero day?), the virus/worm will spread over the network or Internet. Then it will reach its peak, and it'll die just when all the machines on the Internet are upgraded. If somebody wrote another worm variant using the same exploit pattern, the epidemic can be lessened to a great extent.

OK, I did mention Honeycomb, and how this 3rd-party trap and signature generator can help a lot. First of all, just to note that I have nothing against the snort guys... the world is going to be a better place if most people are like them. But why do we need people to write snort signatures? Can this exercise be automated? We have a whole book dedicated to writing intrusion signatures! Although we have experts who can write the signatures, it is not that effective, as noted by Paul Graham in his popular article "A Plan for Spam". He did mention the advantages of using machine learning rather than humans to write the spam rules.

To sum things up, we need some kind of network IPS system to automatically protect our network that can respond within seconds/minutes to a worm and its variants.

Of course we cannot predict the future by predicting what kind of worms are coming up next, but for sure the 1st generation of a worm can provide us with enough information to make the subsequent worm variants useless at best. I'll call this "Similar Pattern Worm Mutation Prevention System".

Regards,
Shaiful, Universiti Putra Malaysia.

--- Johnny Calhoun <jcalhoun () lurhq com> wrote:
> On Thursday 12 August 2004 20:35, Shaiful wrote:
> > similar pattern
>
> How do you define "similar pattern"? Detecting similar patterns/signatures is trivial if the signature is known in advance, but how do you know if something is "similar" before it even happens? And if it is KNOWN then it probably already has a signature right? Anomaly based Intrusion Detection/Prevention is very complex, much more complex than just trapping traffic and predicting similar patterns.
>
> --
> Johnny Calhoun, GCIA
> Information Security Analyst
> LURHQ
> 843-903-4376 opt2
> jcalhoun () lurhq com
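The automated signature generation Shaiful points at (Honeycomb derives its signatures from the longest common substrings of payloads captured by a honeypot) can be shown end to end with a small script. The following is an added example written for this thread; it is not code from the original post or from the Honeycomb project. The captured payloads are constructed, loosely modelled on the Code Red 1/2 pair (one padded with "N", the other with "X"; the %u values are illustrative, not the real worm bytes), and the benign requests are likewise made up. The script folds the longest-common-substring across the captured samples (a pairwise heuristic, not a true multi-string LCS), rejects a candidate that is too short or that also occurs in the benign corpus (this is the "how do you know it is the worm and not ordinary HTTP" objection from the reply above), and renders the survivor as a Snort content: string. The rule header and sid are placeholders.

```python
"""
Derive a content signature from captured worm payloads, check it against
benign traffic, and emit a Snort rule. Added example for this thread; it is
not code from the original post or from the Honeycomb project.
"""
from typing import Iterable, List, Optional

# Shared exploit tail; the %u values are illustrative, not the real worm bytes.
TAIL = b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n"

# Constructed samples, loosely modelled on Code Red 1 and 2: same exploit
# pattern, different filler (N vs X) and a different filler length.
CAPTURED: List[bytes] = [
    b"GET /default.ida?" + b"N" * 40 + TAIL,
    b"GET /default.ida?" + b"X" * 40 + TAIL,
    b"GET /default.ida?" + b"N" * 56 + TAIL,
]

# Constructed benign requests, used to reject signatures that are too generic.
BENIGN: List[bytes] = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\n\r\n",
    b"POST /cgi-bin/form HTTP/1.0\r\nContent-Length: 5\r\n\r\nhello",
]


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a)*len(b)) dynamic-programming LCS over byte strings."""
    best_len, best_end = 0, 0          # length and end offset (in a) of the best run
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        ai = a[i - 1]
        for j in range(1, len(b) + 1):
            if ai == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derive_signature(payloads: Iterable[bytes], benign: Iterable[bytes],
                     min_len: int = 8) -> Optional[bytes]:
    """Fold the LCS across all captured payloads, then reject the candidate if it
    is too short or occurs in known-good traffic. Returns None when no usable
    signature can be derived."""
    payloads = list(payloads)
    if len(payloads) < 2:
        return None
    sig = payloads[0]
    for p in payloads[1:]:
        sig = longest_common_substring(sig, p)   # pairwise folding heuristic
    if len(sig) < min_len:
        return None
    if any(sig in good for good in benign):       # would fire on ordinary HTTP
        return None
    return sig


def snort_content(sig: bytes) -> str:
    """Render bytes as a Snort content: string, hex-escaping anything that is
    not printable ASCII or that Snort treats specially inside content."""
    parts: List[str] = []
    pending: List[int] = []

    def flush() -> None:
        if pending:
            parts.append("|" + " ".join(f"{c:02X}" for c in pending) + "|")
            pending.clear()

    for c in sig:
        if 0x20 <= c < 0x7F and c not in b'|";\\':
            flush()
            parts.append(chr(c))
        else:
            pending.append(c)
    flush()
    return "".join(parts)


def to_snort_rule(sig: bytes, sid: int) -> str:
    """Wrap the content in a minimal rule; header and sid are placeholders."""
    return ('alert tcp any any -> any 80 (msg:"auto-generated worm signature"; '
            f'content:"{snort_content(sig)}"; sid:{sid}; rev:1;)')


def matches(sig: bytes, payload: bytes) -> bool:
    """The same substring test the content: match performs on a packet."""
    return sig in payload


if __name__ == "__main__":
    sig = derive_signature(CAPTURED, BENIGN)
    print(to_snort_rule(sig, 1000001) if sig else "no usable signature")
    # A third filler variant not seen during capture is still caught.
    print(matches(sig, b"GET /default.ida?" + b"Z" * 40 + TAIL))
```

Run as a script it prints the generated rule and then True for a variant padded with a filler character never seen during capture. The benign corpus is what keeps this honest: with the same code, two samples whose only shared bytes are " HTTP/1.0\r\n" produce no rule at all, because that substring also appears in the known-good requests.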