IDS mailing list archives
Re: Stateful Anomaly Detection Molding
From: Thomas Ptacek <tqbf () arbor net>
Date: Sat, 16 Oct 2004 16:24:42 -0400
On Oct 13, 2004, at 10:41 AM, Beauford, Jason wrote:
What can the Blackhats of the world due to perpetuate rule set moldingof Stateful Anomaly Detection engines to allow malicious traffic throughwithout being detected? How reliable are S.A.D. engines in detecting unwanted traffic?
If you're looking for a Phrack article to write, this is probably a good topic.
On the other hand, if you're looking for something relevant to the ways that
attackers will actually break in to networks, I'd look elsewhere. A few thoughts: - IDS engines --- which are very well understood --- still tend to be astonishingly weak against directed, surgical attacks (attacks in which an explicit goal is made of avoiding a particular detector). Just recently on this list, Dave Maynor from ISS cited a flaw in a competing IPS product that would have been a major discovery in 1998, when Newsham, Paxson, Meltzer, Dug Song, and I were all just beginning to do research on signature IDS. Despite the fact that virtually every IDS/IPS engine deployed today has exploitable weaknesses, IPS evasion is still not a tool in most attackers toolboxes. Have any operators on this list ever detected an attacker abetted by Fragroute? Fragroute gets press mentions and is freely downloadable! "Anomaly detection" is so new, and so un-proven, and so hyped and marketed, that I doubt anyone is giving serious thought to how to evade it. - Despite all this, Arbor Networks actually has done research into anomaly detection evasion, and we have designed and built mechanisms to resist training attacks --- suggesting to me that there are plenty of "anomaly detection" engines out there that can be faked out. - However, I would suspect that a far more fruitful avenue of attacking anomaly detection systems is to chaff them into generating millions of false positives. On enterprise networks, most well-known anomaly detection techniques are noisier and harder to tune than signature systems.This is simpler than training (or "molding"), and it applies equally well
to IPS systems --- an IPS that appears to randomly block traffic that can't be traced to a legitimate attack can be evaded simply by waiting for operators to turn blocking off. - With regards to IPS vendors, by the way, you will be surprised at how simple the mechanisms are that underly vendor claims to "anomaly detection". --- Thomas H. Ptacek // Product Manager, Arbor Networks (734) 327-0000 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Stateful Anomaly Detection Molding Beauford, Jason (Oct 13)
- Re: Stateful Anomaly Detection Molding Thomas Ptacek (Oct 18)
- <Possible follow-ups>
- Re: Stateful Anomaly Detection Molding Drew Simonis (Oct 15)