IDS mailing list archives

Re: A Network IPS Proposal (was Definition of Zero Day Protection)


From: Shaiful <shaifuljahari () yahoo com>
Date: Mon, 16 Aug 2004 17:01:31 -0700 (PDT)

Hi,

What I meant by "similar pattern" is a similar
"exploit pattern" for a particular worm variant.  For
example, Code Red 1 & 2 share a similar "exploit
pattern".  The same can be said about Sasser.  It is
similar because it is the same worm variant or mutation.

I'll give a very simple analogy.  If you want to visit my
country, you're required to have a 'malaria injection'.
What it actually is is a weakened form of the bacteria that helps
your immune system develop protection against the
more potent, similar bacteria if you happen to get
infected.  This is a similar pattern in the real world.
Even the best protection system in the world cannot
predict the future ;-)

The other way to look at this is to look
at the virus/worm life cycle.  After the release moment
(zero day?), the virus/worm spreads over the
network or Internet.  Then it reaches its peak and
dies just when all the machines on the Internet
have been upgraded.  If somebody writes another worm
variant using the same exploit pattern, the epidemic
can be lessened to a great extent.

OK, I did mention Honeycomb, and how this third-party
trap and signature generator can help a lot.
First of all, just to note that I have nothing against
the Snort guys... the world is going to be a better place if
most people are like them.  But why do we need
people to write Snort signatures?  Can this exercise be
automated?  We have a whole book dedicated to
writing intrusion signatures!  Although we have experts
who can write the signatures, it is not that effective,
as noted by Paul Graham in his popular article "A Plan
for Spam".  He mentioned the advantages of using
machine learning rather than humans to write the spam
rules.

To sum things up, we need some kind of network IPS
system that automatically protects our network and can
respond within seconds/minutes to a worm and its
variants.  Of course we cannot predict the future by
predicting what kind of worms are coming up next, but
for sure the first generation of a worm can provide us
with enough information to make the subsequent
worm variants useless at best.

I'll call this "Similar Pattern Worm Mutation
Prevention System".

Regards, 
Shaiful,
Universiti Putra Malaysia.

--- Johnny Calhoun <jcalhoun () lurhq com> wrote:

On Thursday 12 August 2004 20:35, Shaiful wrote:
similar pattern

How do you define "similar pattern"?
Detecting similar patterns/signatures is trivial if
the signature is known in advance, but how do you know
if something is "similar" before it even happens?

And if it is KNOWN then it probably already has a
signature right?

Anomaly based Intrusion Detection/Prevention is very
complex, much more complex than just trapping traffic
and predicting similar patterns.

-- 
Johnny Calhoun, GCIA
Information Security Analyst
LURHQ
843-903-4376 opt2
jcalhoun () lurhq com
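
The Honeycomb-style automatic signature generation that the thread is arguing about, shown as an added example; this is not code from the post, from Honeycomb or from Snort. It reduces a set of honeypot captures to the longest byte string they all share, refuses the result when it is too short or occurs in known-good traffic (the false-positive case Johnny raises), and otherwise emits a Snort content rule. Every capture, benign sample, URL (`/cgi-bin/hypo.cgi`), return address and sid below is constructed for illustration.

```python
"""
Honeycomb-style signature extraction from a handful of honeypot captures.
Added example: not the thread's code, not Honeycomb, not Snort.  All traffic
samples are constructed; no real worm bytes appear here.
"""
from typing import List, Optional


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest contiguous byte string present in both a and b (O(len(a)*len(b)) DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def common_pattern(captures: List[bytes]) -> bytes:
    """Reduce a set of captures to the one byte string they all share."""
    pattern = captures[0]
    for capture in captures[1:]:
        pattern = longest_common_substring(pattern, capture)
        if not pattern:
            break
    return pattern


def snort_rule(pattern: bytes, sid: int) -> str:
    """Emit a Snort content rule; hex content sidesteps quote/pipe escaping."""
    hex_bytes = " ".join(f"{b:02x}" for b in pattern)
    return (f'alert tcp any any -> any 80 (msg:"auto-generated variant signature"; '
            f'content:"|{hex_bytes}|"; sid:{sid}; rev:1;)')


def generate_signature(captures: List[bytes], benign: List[bytes],
                       sid: int, min_len: int = 16) -> Optional[str]:
    """Return a rule only if the shared pattern is long enough and hits no benign sample."""
    pattern = common_pattern(captures)
    if len(pattern) < min_len:
        return None          # too short: would fire on ordinary traffic
    if any(pattern in sample for sample in benign):
        return None          # false-positive check against known-good traffic
    return snort_rule(pattern, sid)


# --- constructed samples (hypothetical CGI overflow, not a real vulnerability) ---
# Two "variants" share the exploit pattern (request line, padding, return
# address, NOP sled) and differ only in the payload that follows it.
EXPLOIT_PREFIX = (b"GET /cgi-bin/hypo.cgi?id=" + b"A" * 64
                  + b"\xde\xad\xbe\xef" + b"\x90" * 16)
VARIANT_A = EXPLOIT_PREFIX + b"PAYLOAD-ONE" + b" HTTP/1.0\r\n\r\n"
VARIANT_B = EXPLOIT_PREFIX + b"payload-two-rewritten" + b" HTTP/1.0\r\n\r\n"
# A capture that attacks something else entirely: shares only the HTTP framing.
UNRELATED = b"GET /other.cgi?q=" + b"B" * 64 + b" HTTP/1.0\r\n\r\n"
# Two captures whose only common part is the legitimate request line prefix.
PREFIX_ONLY_1 = b"GET /cgi-bin/hypo.cgi?id=" + b"X" * 30 + b" HTTP/1.0\r\n\r\n"
PREFIX_ONLY_2 = b"GET /cgi-bin/hypo.cgi?id=" + b"Y" * 30 + b" HTTP/1.0\r\n\r\n"
BENIGN = [b"GET /cgi-bin/hypo.cgi?id=42 HTTP/1.0\r\n\r\n",
          b"GET /index.html HTTP/1.0\r\n\r\n"]

if __name__ == "__main__":
    print(generate_signature([VARIANT_A, VARIANT_B], BENIGN, 1000001))
    print(generate_signature([VARIANT_A, UNRELATED], BENIGN, 1000002))
    print(generate_signature([PREFIX_ONLY_1, PREFIX_ONLY_2], BENIGN, 1000003))
```

Run stand-alone, the first call yields a rule whose content is the 109-byte shared exploit pattern; the second returns None because two captures of different attacks share only the 13-byte HTTP framing; the third returns None because the 25-byte shared prefix also appears in the benign request. The second and third cases are exactly the limits of "similar pattern": it works for a variant of the same exploit, and the benign-traffic check is what keeps an automatically generated rule from blocking legitimate requests.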

