IDS mailing list archives

Open issues in intrusion management research?


From: Marc Rennhard <rennhard () tik ee ethz ch>
Date: 24 Feb 2004 09:38:29 -0000



Hi,

I'm currently trying to identify open issues in the area of ID/IM research. I'm not so much interested in basic IDS 
research that focuses on topics such as performance issues or analysis techniques of "traditional" standalone IDSs, but 
more in combining IDSs with other IDSs or security technologies and using additional information about the systems to 
be protected to enhance their usefulness.

Looking at commercial products (they are usually called something like "intelligent intrusion management systems"), most 
of them correlate events generated by IDSs with those from firewalls, virus scanners and the like, display the results 
on centralised management consoles, and claim to be easily manageable while keeping the false positives very low. In 
addition, some products make use of information about the hosts/network, using e.g. vulnerability scanners, to further 
optimise the results. Briefly, looking at product descriptions, one could think that these systems work very well and 
the typical problems of traditional IDSs (false positives, manageability, scalability) are solved.

On the other hand, if I look at the proceedings of recent conferences and workshops that include sessions about ID, it 
seems that all of the promises made by the vendors of commercial products are also (still) active areas of research, 
but the papers usually do not refer to these commercial products at all. As a result, I'm quite confused about how good 
the commercial products really are today, and what (if any) the really significant problems -- with regard to the 
collaboration of different security technologies -- are.

Any information, or pointers to such information, that could help to resolve my confusion would be highly appreciated.

And a final question: currently, intrusion management is usually decoupled from the actual business process/workflow. 
One promising research area could be trying to integrate these areas better. I haven't found anything on the Web that 
reports about attempts to do so; is any of you aware of such activities?

Thanks,
Marc
