Re: Email reputation for inout to IDSs?

["Sanjay R" <2sanjayr () gmail com>]

Hi Gautam:
My general feeling towards the reputation system is "It is not a
security mechanism" and it should be proven either by me or by someone
else in more formal words/way.
now let us take the scenario that you posed. each email has a
reputaion value associated with it (magically!!) and IDS should scan
it based on its reputaion value (in this way, we are anyway defeating
the very purpose of having IDS). First thing is " what are parameters
to be used in calculating reputaion?" Another thing is: You must be
knowing that a virus/worm spread quite randomly (loosly speaking) and
many emails infacted by a new virus will be having high reputaion
values and therefore, bypass the IDS ( a case of false negative).
Let me know if you are not convinced or I have missed something in your views.
-sanjay

On Tue, Nov 25, 2008 at 12:14 AM, Gautam Singaraju
<gautam.singaraju () gmail com> wrote:
> Sanjay,
>
> FYI: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html
>
> ---
> Gautam
>
>
>
> On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju
> <gautam.singaraju () gmail com> wrote:
> > Hi Sanjay,
> >
> > I have a hearsay that some commercial products are in fact attempting
> > this. I understand that inputs from IDSs are being used to 'refine'
> > email reputation and vice-versa; though I have not seen any numbers
> > that attempt these.
> >
> > The idea is that: IDSs can monitor connections from those senders
> > closely depending on the reputation (reputation 80 to 100: basic
> > checks; 50-80 moderate checks; less than 50 extensive checks). The
> > number of classes and boundaries could be variable. In comparison,
> > blacklist is just "good/bad".
> >
> > I want to test this theory that email reputation could be useful in
> > more mechanisms that just classifying emails.
> > ---
> > Gautam
> >
> >
> >
> > On Mon, Nov 24, 2008 at 1:10 PM, Sanjay R <2sanjayr () gmail com> wrote:
> > > Hi Gautam,
> > > Can you please mention those references that have tried to incorporate
> > > email reputation systems into an IDS? To me, it appears that this type
> > > of solutions are more close to creating a "black-list" rather than
> > > core functionality of IDS i.e detecting an attack (malicious
> > > activities).
> > >
> > > -sanjay
> > >
> > > On Sun, Nov 23, 2008 at 6:51 AM, Gautam Singaraju
> > > <gautam.singaraju () gmail com> wrote:
> > > > All,
> > > >
> > > > I have been working in email reputation system that has computed
> > > > sender reputations for over an year. I believe that there are couple
> > > > of efforts to incorporate email reputations into IDSs. Is someone in
> > > > the group working on this? Are there any IDSs which can be configured
> > > > to perform extensive analysis for non-reputable senders? I would be
> > > > interested in sharing this data with other researchers in the group.
> > > >
> > > > ---
> > > > Gautam
> > > >
> > > > ------------------------------------------------------------------------
> > > > Test Your IDS
> > > >
> > > > Is your IDS deployed correctly?
> > > > Find out quickly and easily by testing it
> > > > with real-world attacks from CORE IMPACT.
> > > > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > > to learn more.
> > > > ------------------------------------------------------------------------
> > >
> > >
> > >
> > > --
> > > Computer Security Learner



-- 
Computer Security Learner

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------