IDS mailing list archives

Re: Anomaly Based Network IDS


From: "Drew Simonis" <simonis () myself com>
Date: Thu, 24 Jun 2004 07:43:22 -0500


Barry Fitzgerald wrote: 

> I'm going to go out on a limb and state that it's far less 
> likely that a real 0-day will ever generate significantly 
> abundant anomalies in the network traffic, in particular 
> if it's designed well and if the attacker is careful about 
> how they carry out their attack.


I wonder why volume of anomalies is a point of consideration
here.  As I have stated, I am a user of Mazu Network's Profiler
product (and have been since early December).  This product
features the ability to compare network traffic against an 
evolving baseline, which would allow me to, for example, instantly
detect traffic to a port on a machine that wasn't there before.

The implications are (to me, anyway) obvious.  In my experience,
an exploited machine usually begins listening on a new port.  For
example, if I exploit a webserver, I may have a listener on a 
high port so that I may connect in and do my thing.  It isn't
likely that I'd use 80/tcp as my listener, as that would make 
detection trivial (i.e. my webserver isn't serving!).  

As soon as a connection to this listener is made, I get an alert.  
If a host starts communicating with other hosts that it traditionally
doesn't, I can get an alert.  If a server stops receiving traffic on 
a port, or traffic falls below a threshold, I can get an alert.

The point is, while the initial attack vector may not generate
alertable activity, in most cases the utilization of the attacked
host would, and that is the value I see.

-Ds
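The baseline comparison the post describes (a new listener on a host, a host talking to a peer it never did, a port whose traffic falls below a threshold), as an added illustration that is not code from the post or from the Profiler product. The flow records and the alert tuple layout are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes) standing in for a sensor's
# flow export; they are made up for this example, not data from the post.
BASELINE_WINDOW = [
    ("10.0.0.5", "10.0.0.80", 80, 1200),
    ("10.0.0.6", "10.0.0.80", 80, 900),
    ("10.0.0.80", "10.0.0.25", 3306, 4000),
    ("10.0.0.5", "10.0.0.80", 80, 1100),
]
OBSERVED_WINDOW = [
    ("10.0.0.5", "10.0.0.80", 80, 1200),
    ("10.0.0.6", "10.0.0.80", 80, 1000),
    ("203.0.113.9", "10.0.0.80", 31337, 300),  # new high port on the web server
    ("10.0.0.80", "10.0.0.99", 445, 50),        # web server reaching a new peer
]

def build_baseline(flows):
    """Learn normal (host, port) listeners with their byte volume and normal
    (src, dst) peer pairs from one window of flow records."""
    listeners = defaultdict(int)
    peers = set()
    for src, dst, dport, nbytes in flows:
        listeners[(dst, dport)] += nbytes
        peers.add((src, dst))
    return {"listeners": dict(listeners), "peers": peers}

def detect_anomalies(baseline, flows, drop_ratio=0.5):
    """Compare a same-length window against the baseline: alert on a listener
    or peer pair not seen before, and on a baselined listener whose volume
    fell below drop_ratio of its baseline (including going silent)."""
    alerts, reported, seen = [], set(), defaultdict(int)
    for src, dst, dport, nbytes in flows:
        seen[(dst, dport)] += nbytes
        if (dst, dport) not in baseline["listeners"] and ("l", dst, dport) not in reported:
            reported.add(("l", dst, dport))
            alerts.append(("new_listener", dst, dport, src))
        if (src, dst) not in baseline["peers"] and ("p", src, dst) not in reported:
            reported.add(("p", src, dst))
            alerts.append(("new_peer", src, dst, dport))
    for (host, port), base_bytes in baseline["listeners"].items():
        if seen[(host, port)] < base_bytes * drop_ratio:
            alerts.append(("traffic_drop", host, port, seen[(host, port)]))
    return alerts

def run():
    return detect_anomalies(build_baseline(BASELINE_WINDOW), OBSERVED_WINDOW)

if __name__ == "__main__":
    print(*run(), sep="\n")
```

On the constructed windows this reports the new high-port listener on the web server, the web server's new peer, and the database port that went silent, while the unchanged port 80 traffic stays quiet.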
