IDS mailing list archives
RE: Anomaly Based Network IDS
From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 23 Jun 2004 13:05:02 -0700
-----Original Message-----
From: Barry Fitzgerald [mailto:bkfsec () sdf lonestar org]
Sent: Wednesday, June 23, 2004 11:02 AM
To: Drew Copley
Cc: Wozny, Scott (US - New York); focus-ids () securityfocus com; secdistlist () dauncey net
Subject: Re: Anomaly Based Network IDS

Drew Copley wrote:
<snip>
I attribute Anomaly based IDS systems to be specialized network profiling. What you're looking for, in that case, is changes/anomalies in the traffic/protocol. If a 0-day drastically changes the nature of network traffic, then the anomaly based IDS *should* pick it up. Knowing this, and taking into account that most new exploits exist for some period of time in the "elite" corners of the black hat realm before ever reaching the skript kiddies, I'm going to go out on a limb and state that it's far less likely that a real 0-day will ever generate significantly abundant anomalies in the network traffic, in particular if it's designed well and if the attacker is careful about how they carry out their attack.
Being very familiar with the underground for a very long time... You are entirely right, and this was what really raised my alarm.

For most administrators, I do not see much concern here. They are not high level targets. There is no big money there, there is no potential fame there. (With fame much less of a plausible motive for serious hackers, and money much more of a plausible motive as the days go by...)

For a worm zero day, yes, there probably will be alarms raised. But, the AV companies will know about it before you, anyway. So, it is not much of a concern.

But, if someone is singling out target systems, someone is plying their way through your network with zero day? You would not notice this with this kind of detection agent. For everyday worms and hackers? Yes, absolutely.

It is true that some of the more ingenious attacks out there have had essential, stupid flaws. The criminal does one or two things right, but he only needs to make one mistake.

A couple of notes: There are not very many such criminals out there. Your everyday script kiddy will not be using zero day any day soon. Not that it is not possible, but merely because if a script kiddy is using it -- everyone else already knows about it.

I won't lie, there is huge money being seen out there in the wild. But, unless you are a media outlet, a human rights organization, a financial institution, or a government... you are unlikely to see any such attacks. And, when they do happen, you will need a lot of tripwires in place to see them. This means if you want tripwires, you need trips. Stealthing one's attack is pretty trivial and a drop in the bucket. Rigging and hiding the potential target data is much more valuable in these scenarios.

On anomaly detection, again, I have worked on such projects and do work on such projects and I really like the possibilities. I really like some of the products out there, as companion products, to existing security solutions. The future is bright... and it is definitely an intellectually challenging and stimulating area.
Consider this point to be exacerbated as anomaly based IDSs become more common and as black hats change their style in order to evade them. What they would be very good at is at picking up new worms and blind scanners - but that's a far cry from a 0-day, unless the attacker decides to use their 0-day on a worm - in which case they're wasting their "golden key". Anomaly detection is just another tool that can be used to learn more about your network, no more, no less... and not a single one of those tools is magic, but they all have a use to those deploying them. Just make sure you know what you're deploying. In my experience, relying on marketing material works against that goal. :)

-Barry
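To make the thread's point concrete, here is an added example (not code from either poster) of a toy anomaly detector over constructed NetFlow-style records: it learns each source host's normal fan-out (distinct destinations per minute) and flags minutes that deviate far from that baseline. The constructed data shows a noisy blind scanner lighting up the detector while a careful single new connection stays under the threshold; all host addresses, thresholds and flows are assumptions made for illustration.

```python
"""Toy anomaly-based detector (added example, not from the thread).

Profiles each source host's fan-out, then flags any minute whose
fan-out exceeds mean + z * stdev. Shows why a blind scanner is
an obvious anomaly while one quiet extra connection is not.
"""
from collections import defaultdict
from statistics import mean, pstdev


def fanout_per_minute(flows):
    """Map (src, minute) -> set of distinct destinations seen."""
    per_min = defaultdict(set)
    for minute, src, dst in flows:
        per_min[(src, minute)].add(dst)
    return per_min


def build_baseline(training_flows):
    """Return {src: (mean, stdev)} of distinct destinations per minute."""
    by_src = defaultdict(list)
    for (src, _minute), dsts in fanout_per_minute(training_flows).items():
        by_src[src].append(len(dsts))
    return {src: (mean(v), pstdev(v)) for src, v in by_src.items()}


def detect(baseline, flows, z_threshold=3.0, floor=2.0):
    """Alert on (src, minute, fanout) above mean + z * max(stdev, floor).
    `floor` stops a near-zero training stdev from flagging tiny changes.
    Hosts absent from the baseline are treated as mean 0, stdev 0."""
    alerts = []
    for (src, minute), dsts in sorted(fanout_per_minute(flows).items()):
        mu, sigma = baseline.get(src, (0.0, 0.0))
        limit = mu + z_threshold * max(sigma, floor)
        if len(dsts) > limit:
            alerts.append((src, minute, len(dsts)))
    return alerts


# Constructed training data: two hosts each talk to three servers per minute.
SERVERS = ("10.0.1.1", "10.0.1.2", "10.0.1.3")
TRAINING = [(m, src, d) for m in range(10)
            for src in ("10.0.0.5", "10.0.0.8") for d in SERVERS]

# Constructed test minute: 10.0.0.5 sweeps 40 hosts (worm/blind scanner),
# 10.0.0.8 makes its usual three connections plus one quiet new one.
TEST = [(10, "10.0.0.5", f"10.0.2.{i}") for i in range(1, 41)]
TEST += [(10, "10.0.0.8", d) for d in SERVERS + ("10.0.1.9",)]

if __name__ == "__main__":
    print(detect(build_baseline(TRAINING), TEST))  # [('10.0.0.5', 10, 40)]
```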