IDS mailing list archives
Re: Specification-based Anomaly Detection
From: Stefano Zanero <zanero () elet polimi it>
Date: Mon, 10 Jan 2005 09:50:28 +0100
Ofer, list,
> I agree that anomaly detection is a newcomer to IDS, and in many cases not a mature technology. But I think that due to the inherent shortcomings of signatures, it has to be considered seriously.

That's one of the lines of the speech I delivered at Black Hat - so I'd say I agree warmly with you :)

> As one of you mentioned, the main disadvantage of signatures is zero-day attacks.

Or highly polymorphic attacks, yes.

> This might be a different perspective than yours as I believe that both of you come from a network anomaly analysis background.

I do. But I've explored more than a bit also the host-based p.o.v.

> 1. The application layer carries a lot more information (after all we analyze the entire connection and not just the communication headers).

Just FYI, that's exactly what I'm trying to overcome in my research on anomaly-based NIDS.

> Naturally this presents more potential for statistical modeling.

This also falls prey to the types of attacks described by Thomas in his - what was it, '98? - seminal paper on IDS evasion. Unless you reconstruct the communication on the host side.

> 2. On the network layer, network profiling analyzes the normal behavior of users (i.e. traffic), while in the application layer we also profile the normal behavior of the application.

Sorry, I don't see how this makes a difference. By definition, a couple (host, port) defines a listening application, so we can profile application-based traffic profiles if we want to.

> 1. Application Layer Signatures - these signatures detect content that may indicate an application layer attack. These signatures are much more prone to false positives and may be more computationally complex to detect. Simple examples are the word "select" (used in SQL injection) and Win32 assembly code (buffer overflows). Application signatures are effective to determine an actionable item once an anomaly has been detected.

This is basic misuse detection; it does not mean you can deliver an actionable anomaly detection result.

> 2. Correlation - another important aspect of application layer attacks is that they are not encapsulated in a single packet. Correlation enables us both to correlate different anomalies to generate more meaningful events and to follow longer-term attacks.

Yes, but still not automatically - you just give the analyst more material to read ;)

Again, there is no real difference from using an advanced network IDS and asking it to reconstruct & record the sessions where a packet has been flagged for anomaly.
Best,
Stefano
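Two points in the exchange above are easy to demonstrate in code: a naive application-layer signature such as the bare word "select" is a misuse-detection rule that fires on benign content, and a sensor that matches packet by packet misses the same content once it is split across TCP segments, which is why the reply insists on reconstructing the session. The following Python is an added illustration written for this archive page; it is not code from the thread, from the IDS products discussed, or from the Ptacek/Newsham paper. The `Segment` class, the `(src, dst, dport)` flow key, the first-copy-wins overlap rule and all sample traffic are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]

# Constructed, deliberately naive application-layer signature of the kind the
# thread mentions: the bare keyword "select" as an SQL-injection indicator.
SIGNATURE = re.compile(rb"\bselect\b", re.IGNORECASE)


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow (constructed stand-in, not a real capture)."""
    src: str
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_matches(segments: List[Segment]) -> List[Segment]:
    """Packet-at-a-time matching: each payload is inspected in isolation."""
    return [s for s in segments if SIGNATURE.search(s.payload)]


def reassemble(segments: List[Segment]) -> Dict[FlowKey, bytes]:
    """Rebuild each flow's byte stream: group by (src, dst, dport), order by seq,
    and concatenate. Overlaps are resolved first-copy-wins and holes are padded
    with NULs (an assumption for this example); a real sensor has to mirror the
    target host's TCP stack instead, and differences between stacks are exactly
    what the IDS-evasion paper exploits."""
    by_flow: Dict[FlowKey, List[Segment]] = {}
    for s in segments:
        by_flow.setdefault((s.src, s.dst, s.dport), []).append(s)

    streams: Dict[FlowKey, bytes] = {}
    for key, segs in by_flow.items():
        buf = bytearray()
        base = None
        for s in sorted(segs, key=lambda x: x.seq):
            if base is None:
                base = s.seq
            offset = s.seq - base
            if offset > len(buf):                    # hole in the stream
                buf.extend(b"\x00" * (offset - len(buf)))
            already = max(0, len(buf) - offset)      # overlapping bytes seen before
            buf.extend(s.payload[already:])
        streams[key] = bytes(buf)
    return streams


def stream_matches(segments: List[Segment]) -> List[FlowKey]:
    """Same signature, applied to the reassembled stream instead of each packet."""
    return [key for key, data in reassemble(segments).items()
            if SIGNATURE.search(data)]


# Constructed traffic. Flow A splits the keyword across two segments that arrive
# out of order; flow B is a benign request that merely contains the word.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.80", 80, 1024 + 24,
            b"ect 1,2 FROM users HTTP/1.0\r\n\r\n"),
    Segment("10.0.0.5", "10.0.0.80", 80, 1024,
            b"GET /item?id=1 UNION sel"),
    Segment("10.0.0.9", "10.0.0.80", 80, 5000,
            b"GET /blog/how-to-select-a-bike HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("per-packet hits:", [s.src for s in per_packet_matches(SAMPLE_SEGMENTS)])
    print("stream hits:    ", stream_matches(SAMPLE_SEGMENTS))
```

Run stand-alone, the per-packet pass flags only the benign blog request (the false positive the reply warns about) and misses the split flow entirely, while the stream pass flags both flows. Reassembly closes the fragmentation gap but does nothing for the false positive: the signature is still misuse detection, so the analyst still has to read the session to decide whether the event is actionable.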