IDS mailing list archives
Re: Anomaly Based Network IDS
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 23 Jun 2004 14:01:33 -0400
Drew Copley wrote:
There are several chances to "find" zero day. This is not a semantical issue, at all. It is a very critical issue. If people are clutching to smoke and mirrors, they will find themselves in deep water when the ship is sinking. To continue with the analogy.
<snip>
You are right, there is some wild hope, and the technology is advancing. Heuristic type technology is surely not limited to the network, AV companies have been researching here for years... as is clearly shown with some patent searches. People should remember that while this technology has potential and even some real world usage, it is not a "different planet" removed from signature technology in the first place... there will always be a required "learned" data set from which to deal with "unknown data" so as to make a qualitative comparison... In one scenario, you have a more flexible situation, with end users training the system individually to their own network... in another, you have a more generic system with end researchers training the data in the form of writing signatures.
I think that we can boil this whole thing down to one very generalized point:
Those who know the lay of the land better, will have a better time defending it.
That applies to network traffic profiling, host intrusion detection, host engineering, network layout, and system sizing and design. The general rule being the more you know, the better off you are. But, the problem with that being that there's so much to know, that it's impossible to know enough and be able to analyze it by yourself.
Enter IDS/IPS systems. No matter how many false positives you get, you're still processing less data than if you were to take a sniffer to the network and analyze one packet at a time by hand. In this way, both signature and anomaly based IDS systems have a place in the infrastructure. I think that the missing variable in this conversation regarding whether anomaly based IDS systems can detect 0-day attacks is a discussion of what type of attacks they are most likely to detect.
I attribute Anomaly based IDS systems to be specialized network profiling. What you're looking for, in that case, is changes/anomalies in the traffic/protocol. If a 0-day drastically changes the nature of network traffic, then the anomaly based IDS *should* pick it up. Knowing this, and taking into account that most new exploits exist for some period of time in the "elite" corners of the black hat realm before ever reaching the skript kiddies, I'm going to go out on a limb and state that it's far less likely that a real 0-day will ever generate significantly abundant anomalies in the network traffic, in particular if it's designed well and if the attacker is careful about how they carry out their attack.
Consider this point to be exacerbated as anomaly based IDSs become more common and as black hats change their style in order to evade them.
What they would be very good at is picking up new worms and blind scanners - but that's a far cry from a 0-day, unless the attacker decides to use their 0-day on a worm - in which case they're wasting their "golden key".
Anomaly detection is just another tool that can be used to learn more about your network, no more, no less... and not a single one of those tools is magic, but they all have a use to those deploying them. Just make sure you know what you're deploying. In my experience, relying on marketing material works against that goal. :)
-Barry
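Editor's added example (not code from this thread or from any of its participants) illustrating the "specialized network profiling" view above: a toy detector learns, per source host, how many distinct destination endpoints that host normally touches per minute, then scores a later window against that learned baseline. The hosts, ports and flow records are all constructed sample data; the z-score threshold and the one-standard-deviation floor are assumptions chosen for the illustration.

```python
# Added example (not from the thread): a toy network-profiling anomaly
# detector. It learns, per source host, how many distinct destination
# endpoints that host normally contacts per minute, then flags sources in a
# later window whose count is far above their learned baseline. All flows
# below are constructed sample data, not captured traffic.
from collections import defaultdict
from statistics import mean, pstdev


def _flows(minute, src, dsts, dport):
    """Build constructed flow records (minute, src, dst, dport) for one source."""
    return [(minute, src, d, dport) for d in dsts]


# Training window: three quiet minutes of ordinary client traffic (constructed).
BASELINE_FLOWS = (
    _flows(0, "10.0.0.1", ["10.0.1.5", "10.0.1.6"], 80)
    + _flows(1, "10.0.0.1", ["10.0.1.5", "10.0.1.6", "10.0.1.7"], 80)
    + _flows(2, "10.0.0.1", ["10.0.1.5", "10.0.1.6"], 80)
    + _flows(0, "10.0.0.2", ["10.0.1.5"], 443)
    + _flows(1, "10.0.0.2", ["10.0.1.5", "10.0.1.8"], 443)
    + _flows(2, "10.0.0.2", ["10.0.1.5"], 443)
    + _flows(0, "10.0.0.3", ["10.0.1.6", "10.0.1.7", "10.0.1.8"], 25)
    + _flows(1, "10.0.0.3", ["10.0.1.6", "10.0.1.7"], 25)
    + _flows(2, "10.0.0.3", ["10.0.1.6", "10.0.1.7", "10.0.1.8"], 25)
)

# Test window (minute 10, constructed):
#  - 10.0.0.1 behaves as before;
#  - 10.0.0.2 sweeps 25 hosts on one port, worm-style;
#  - 10.0.0.9 is a new host making a single connection to a normal service;
#  - 10.0.0.7 is a new host blindly probing 40 addresses.
TEST_FLOWS = (
    _flows(10, "10.0.0.1", ["10.0.1.5", "10.0.1.6"], 80)
    + _flows(10, "10.0.0.2", [f"10.0.2.{i}" for i in range(1, 26)], 445)
    + _flows(10, "10.0.0.9", ["10.0.1.5"], 443)
    + _flows(10, "10.0.0.7", [f"10.0.3.{i}" for i in range(1, 41)], 22)
)


def profile(flows):
    """Per source: list of distinct-endpoint counts, one entry per active minute."""
    endpoints = defaultdict(set)
    for minute, src, dst, dport in flows:
        endpoints[(src, minute)].add((dst, dport))
    counts = defaultdict(list)
    for (src, _minute), eps in endpoints.items():
        counts[src].append(len(eps))
    return counts


def build_baseline(flows):
    """The 'learned data set': (mean, stddev) per source, plus a global
    fallback used for sources never seen during training."""
    counts = profile(flows)
    per_src = {src: (mean(v), pstdev(v)) for src, v in counts.items()}
    all_vals = [c for v in counts.values() for c in v]
    return {"per_src": per_src, "global": (mean(all_vals), pstdev(all_vals))}


def score(baseline, flows, min_sigma=1.0):
    """Max z-score per source over the window. The stddev is floored at
    min_sigma (assumed value) so a nearly constant baseline does not turn
    every small fluctuation into an alert."""
    result = {}
    for src, counts in profile(flows).items():
        mu, sigma = baseline["per_src"].get(src, baseline["global"])
        sigma = max(sigma, min_sigma)
        result[src] = max((c - mu) / sigma for c in counts)
    return result


def detect(baseline, flows, k=3.0):
    """Sources whose deviation exceeds k standard deviations (k assumed), sorted."""
    return sorted(src for src, z in score(baseline, flows).items() if z > k)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for src, z in sorted(score(base, TEST_FLOWS).items()):
        print(f"{src:10s} z={z:6.2f}")
    print("flagged:", detect(base, TEST_FLOWS))  # -> ['10.0.0.2', '10.0.0.7']
```

Running it shows the asymmetry Barry describes: the worm-style sweep from 10.0.0.2 and the blind scan from 10.0.0.7 stand out by dozens of standard deviations, while 10.0.0.9, a never-seen host making one connection to a normally used service, scores below the threshold and blends into the global baseline. Which features are profiled (here only distinct endpoints per minute) and where the threshold sits are the places where knowing the lay of the land actually matters; a detector tuned against marketing claims rather than the real traffic mix will get both the false positive rate and the blind spots wrong.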