IDS mailing list archives
Re: Current research on IDS
From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Sat, 13 Jan 2007 00:11:15 +0100
Hi Mark,

Interesting question. There is in fact quite a bit of research going on in the field of intrusion detection. Perhaps interesting to know is that there is a lot of applied work as well - at the end of August, the Computer Security Research Centre at NIST published a draft special publication 800-94, which serves as a guide to people considering the use of Intrusion Detection and Prevention systems. This draft document, while it doesn't constitute research 'pur sang', does indicate a large degree of interest in the commercial space as to where and how to implement these types of technical controls. You can find it here:

http://csrc.nist.gov/publications/drafts/Draft-SP800-94.pdf

Most research on IDS focuses on taking the model a step further. Gone are the days when regex-matching signatures were the main focus of intrusion detection. While they still underpin most production usage today, not all modern threats lend themselves to detection using these fairly simple mechanisms. This is especially valid for one-offs, attacks designed specifically to attack a certain organization, often used in industrial espionage.

What is gradually being understood is that the art of intrusion detection requires a solid intelligence underpinning. That's why I'm going to refer you to a document which is in fact unrelated to IDS - it deals with a technical solution to an "intelligence problem". Nevertheless, as someone with a background in deploying enterprise IDS systems, this is probably one of the more interesting papers I've read over the last few months. "Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior", by a number of researchers at RAND:

http://www.rand.org/pubs/monographs/MG126/index.html

The gradual realization of this move from detection to actually benefiting from the information gathered through IDS is one of the reasons why we're seeing so much use of SIM tools and even event correlation on the sensor level. This branch of software now offers much more than simple correlation and matching; it has truly become one of supporting analysis and synthesis of security intelligence.

Actual work on improving detection is mainly focused on the use of hidden Markov models. You have an event A, influenced by (or correlated to, by a known probability) an environment B. An object C describes the value of event A, but nothing about environment B. Based on what you learn from C, you do not know B, but you can deduce the likelihood of its state over time. In the field of intrusion detection this translates to new methodologies of profiling actions initiated by users to identify those that do not match the expected behavior. These usually are self-learning systems, as opposed to those that use 'rules' to detect when something happening on a system or network is an anomaly. One of the major challenges is for these systems to take into account base-rate information, or information that should influence the way all learned items are interpreted. Defining boundaries on what influences human behavior requires a sociological perspective on intrusion detection.

Other intriguing research deals with how to combine intrusion detection probes with other technologies to make them more effective. A preliminary step was to combine probe output with information gathered from vulnerability assessment systems. This allowed for a correlation on the network between vulnerabilities and threats. Further steps that will gradually move from the academic field onto the market are the linking of IDS probes with honeypots to e.g. automatically generate signatures based on probable attacks. While the certainty of such an event truly being an attack will never be absolute, a signature (or profile, if you wish) can then automatically be distributed across the probe base. Once an incident has been confirmed to be an actual attack, information security analysts will be able to identify the spread of a certain attack pattern across the organization.

The sector is about to get real interesting.

Cheers,
Maarten

--
Maarten Van Horenbeeck, CISSP
maarten () daemon be - http://www.daemon.be/maarten
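The hidden Markov model idea described in the mail (an unobservable environment B whose state is inferred over time from observed events) can be made concrete with a two-state behaviour profiler. This is an added example, not code from the mail or from any project it mentions; the model parameters, the action vocabulary and the audit trail are all constructed for illustration, not learned from real data.

```python
# Two-state hidden Markov model used as a user-behaviour profiler.
# Hidden state: whether the account is acting normally or is compromised
# (the unobservable "environment B" in the mail). Observations: audit-log
# actions we actually see. The forward filter yields P(state | events so far).
# All parameters and the event trail below are constructed for the example.

STATES = ("normal", "compromised")

MODEL = {  # constructed, not learned from real data
    "initial": {"normal": 0.9, "compromised": 0.1},
    "transition": {
        "normal": {"normal": 0.9, "compromised": 0.1},
        "compromised": {"normal": 0.1, "compromised": 0.9},
    },
    "emission": {  # P(observed action | hidden state)
        "normal": {"login": 0.5, "read": 0.45, "export": 0.05},
        "compromised": {"login": 0.2, "read": 0.3, "export": 0.5},
    },
}


def forward_filter(events, model=MODEL):
    """Return P(state_t | events[0..t]) for every t (filtered posterior).

    Each step is renormalised so long sequences do not underflow; an
    action the model has never seen is rejected rather than silently
    treated as probability zero.
    """
    emis, trans = model["emission"], model["transition"]
    posteriors, prev = [], None
    for t, ev in enumerate(events):
        if ev not in emis["normal"]:
            raise ValueError(f"unknown action at step {t}: {ev!r}")
        if prev is None:
            predicted = dict(model["initial"])
        else:  # propagate the previous belief through the transition matrix
            predicted = {s: sum(prev[p] * trans[p][s] for p in STATES) for s in STATES}
        joint = {s: predicted[s] * emis[s][ev] for s in STATES}
        total = sum(joint.values())
        prev = {s: joint[s] / total for s in STATES}
        posteriors.append(prev)
    return posteriors


def flag_anomalies(posteriors, threshold=0.5):
    """Indices at which the belief in 'compromised' exceeds the threshold."""
    return [t for t, p in enumerate(posteriors) if p["compromised"] > threshold]


# Constructed audit trail: a session that drifts into repeated bulk exports.
SAMPLE_EVENTS = ["login", "read", "export", "export", "export"]
```

Running `flag_anomalies(forward_filter(SAMPLE_EVENTS))` flags the three export steps; raising the threshold to 0.9 defers the alarm by one event, which is the base-rate trade-off the mail points at: the prior on "compromised" and the threshold decide how much unusual behaviour is needed before the profiler speaks up.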