IDS mailing list archives

RE: Anomaly Based Network IDS


From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 23 Jun 2004 13:05:02 -0700


-----Original Message-----
From: Barry Fitzgerald [mailto:bkfsec () sdf lonestar org] 
Sent: Wednesday, June 23, 2004 11:02 AM
To: Drew Copley
Cc: Wozny, Scott (US - New York); 
focus-ids () securityfocus com; secdistlist () dauncey net
Subject: Re: Anomaly Based Network IDS

Drew Copley wrote:

<snip>


I attribute Anomaly based IDS systems to be specialized network profiling. What you're looking for, in that case, is changes/anomalies in the traffic/protocol. If a 0-day drastically changes the nature of network traffic, then the anomaly based IDS *should* pick it up. Knowing this, and taking into account that most new exploits exist for some period of time in the "elite" corners of the black hat realm before ever reaching the skript kiddies, I'm going to go out on a limb and state that it's far less likely that a real 0-day will ever generate significantly abundant anomalies in the network traffic, in particular if it's designed well and if the attacker is careful about how they carry out their attack.

Being very familiar with the underground for a very long time...

You are entirely right, and this was what really raised my alarm.

For most administrators, I do not see much concern here. They are
not high level targets. There is no big money there, there is no
potential fame there. (With fame much less of a plausible motive
for serious hackers, and money much more of a plausible motive as
the days go by...)

For a worm zero day, yes, there probably will be alarms raised. But,
the AV companies will know about it before you, anyway. So, it is
not much of a concern. But, if someone is singling out target systems,
someone is plying their way through your network with zero day? You
would not notice this with this kind of detection agent.

For everyday worms and hackers? Yes, absolutely.

It is true that some of the more ingenious attacks out there have
had essential, stupid flaws. The criminal does one or two things
right, but he only needs to make one mistake. 

A couple of notes: There are not very many such criminals out there.
Your everyday script kiddy will not be using zero day any day soon. Not
that it is not possible, but merely because if a script kiddy is
using it -- everyone else already knows about it. 

I won't lie, there is huge money being seen out there in the wild. But,
unless you are a media outlet, a human rights organization, a financial
institution, or a government... you are unlikely to see any such
attacks. And, when they do happen, you will need a lot of tripwires
in place to see them.

This means if you want tripwires, you need trips. Stealthing
one's attack is pretty trivial and a drop in the bucket. Rigging
and hiding the potential target data is much more valuable in these
scenarios. 

On anomaly detection, again, I have worked on such projects and
do work on such projects and I really like the possibilities. I really
like some of the products out there, as companion products, to
existing security solutions. The future is bright... and it is
definitely an intellectually challenging and stimulating area.



Consider this point to be exacerbated as anomaly based IDS' become more common and as black hats change their style in order to evade them.

What they would be very good at is at picking up new worms and blind scanners - but that's a far cry from a 0-day, unless the attacker decides to use their 0-day on a worm - in which case they're wasting their "golden key".

Anomaly detection is just another tool that can be used to learn more about your network, no more, no less... and not a single one of those tools is magic, but they all have a use to those deploying them. Just make sure you know what you're deploying. In my experience, relying on marketing material works against that goal. :)

                -Barry
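A toy illustration of the tradeoff the two posters describe, added for this page and not code from either of them: a per-host volumetric profile learned from normal windows flags a blind scanner that opens hundreds of connections, while a paced, low-volume session on an already-busy host stays inside that host's normal variance and is not reported. All host names and connection counts are constructed.

```python
# Added example (not from the thread): a toy volumetric anomaly detector that
# profiles per-host connection counts per time window, then scores new windows.
# All traffic figures below are constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" traffic: connections per 5-minute window, per source host.
NORMAL_WINDOWS = [
    {"ws-01": 10, "ws-02": 20},
    {"ws-01": 12, "ws-02": 22},
    {"ws-01": 9, "ws-02": 19},
    {"ws-01": 11, "ws-02": 21},
    {"ws-01": 10, "ws-02": 18},
]

def build_baseline(windows):
    """Learn a (mean, stdev) connection-count profile for each source host."""
    per_host = defaultdict(list)
    for window in windows:
        for host, count in window.items():
            per_host[host].append(count)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}

def score_window(window, baseline, z_threshold=3.0, min_stdev=1.0):
    """Return the hosts whose count exceeds their profile by more than z_threshold
    standard deviations. A host unseen during training gets a (0, 0) profile, so
    anything beyond a handful of connections from it is flagged."""
    flagged = set()
    for host, count in window.items():
        mu, sigma = baseline.get(host, (0.0, 0.0))
        sigma = max(sigma, min_stdev)  # floor keeps a flat profile from dividing by zero
        if (count - mu) / sigma > z_threshold:
            flagged.add(host)
    return flagged

BASELINE = build_baseline(NORMAL_WINDOWS)

# A blind scanner / worm: ws-01 suddenly opens 400 connections in one window.
SCAN_WINDOW = {"ws-01": 400, "ws-02": 21}
# A careful, targeted session riding on ws-02: three extra connections, paced
# to stay inside the host's learned variance (z ~ 2.1, below the threshold).
STEALTH_WINDOW = {"ws-01": 11, "ws-02": 23}

def demo():
    """Return (hosts flagged in the scan window, hosts flagged in the stealth window)."""
    return score_window(SCAN_WINDOW, BASELINE), score_window(STEALTH_WINDOW, BASELINE)

if __name__ == "__main__":
    noisy, quiet = demo()
    print("scan window flagged:", noisy)     # {'ws-01'}
    print("stealth window flagged:", quiet)  # set()
```

The second result is the gap the thread is about: a detector profiling volume alone has nothing to trip on, so the tripwires for that case have to come from somewhere else (Drew's "rigging and hiding the potential target data").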
