IDS mailing list archives
Re: IDS vs Application Proxy Firewal
From: Ashish Kamra <akamra () purdue edu>
Date: Tue, 28 Oct 2008 19:37:05 -0400
My two cents on this issue as a PhD student working on an AD system for a DBMS (who just wants to get his PhD at the moment and not get into a debate :-)).

I was at the Recent Advances in Intrusion Detection Conference (RAID 2008) recently where one of the topics for a panel discussion was "Life after antivirus". The main take-away from the discussion was that even top anti-virus companies are looking at whitelisting approaches to augment the existing blacklists in order to win the battle against ever increasing malware variants. They propose to come up with a combination of whitelists, blacklists and reputation based systems. Here is the link to one of the relevant presentations:

http://www.ll.mit.edu/RAID2008/Files/3-MartinFrechette-AVTalk.ppt

and to others:

http://www.ll.mit.edu/RAID2008/panels.html

Regards,
Ashish

Stefano Zanero wrote:
> Omar Herrera wrote:
>
>> Well formally yes, you are right, but you say you are whitelisting
>> /blacklisting from the point of view of whom, the vendor of the
>> security control or the user?
>
> In the case of anomaly detection systems, from the point of view of the
> network or system where the system is deployed, as almost all systems of
> this kind perform learning.
>
>> bad? Let us say for example that using FTP is bad for a company and
>> good for another, for any reason you want. You run your AD tool but
>> the activity is not present for whatever learning time frame you want.
>> Then you see the activity shows up in both cases, what will the tool
>> say and
>
> Nope, you are thinking that learning happens somewhere else than on the
> deployment site. This is not the case.
>
>> how will it act on it? The only way it won't be wrong in any of the
>> two cases is to tell the user "something unusual is happening" and let
>> him/her decide.
>
> Which is what any detector will do, anomaly or misuse based.
>
>> they put the time and resources). The whole idea of white listing is
>> to get a complete set of known good activities, so that you can safely
>> ban "everything else".
>
> Which is the whole idea of firewalling. The fact that the perimeter is
> coming down crashing and burning should tell a tale on this.
>
>> if people take the time and effort to make a risk assessment and
>> separate things (DB there, card processing system here, Web front
>> application over there, and not everything in the same place)
>
> Yes, on systems that are perfectly secure and designed to be perfectly
> secure from the ground up, intrusion detection is pretty useless, I
> agree :) On the other hand, we usually think of real world systems ;)
>
>> same problem, and it is not just polymorphism. Fred Cohen demonstrated
>> formally that no software can automatically decide if another piece of
>> software previously unknown is malware or not.
>
> Please, don't get all computer-theoretical on me.
>
> Cohen (and a lot of other people, actually) reasoned on the basis of the
> halting problem, and of completeness of computation. It is extremely
> interesting, but has really nothing to do with what we're discussing
> here.
>
>> Well, I would like to be wrong :-). If you have something that can
>> automatically learn without false positives or negatives
>
> Oh, I can provide you with thousands of prototypes which work without
> false positive, OR without false negatives :) If you want neither, well,
> that's something you cannot have. Any learning system will let you trade
> off between those values.
>
>> complete white list (from the users perspective) or gives the same
>> level of security (with a formal proof) using another approach
>
> The point is that you cannot have white list, so setting them as a
> metric for existing security systems does not make any sense.
>
> Best,
> Stefano
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
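The two points the quoted exchange turns on (an anomaly detector learns on the deployment site and can only report "unusual", and a learning system trades false positives against false negatives rather than eliminating both) can be seen in a toy model. The following is an added illustration; it is not part of the original thread and not code from any of the participants. It assumes a frequency profile over (protocol, destination port) pairs; the baseline events, the per-site labels and the thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed baseline: (protocol, destination port) pairs observed at ONE
# deployment site during its learning window.  FTP (tcp/21) never appears;
# a little telnet (tcp/23) does, so the profile learns it as "normal".
BASELINE = (
    [("tcp", 80)] * 60
    + [("tcp", 443)] * 35
    + [("udp", 53)] * 40
    + [("tcp", 22)] * 2
    + [("tcp", 23)] * 3
)

# Constructed ground truth for THIS site's policy: True means the activity
# is unwanted here.  Another company could just as well label tcp/21 benign;
# the detector's output would be identical, only the label changes.
LABELLED_TEST = [
    (("tcp", 22), False),
    (("tcp", 80), False),
    (("tcp", 443), False),
    (("tcp", 21), True),
    (("tcp", 23), True),
]


class FrequencyProfile:
    """Toy anomaly detector: learns how often each (proto, port) pair occurs."""

    def __init__(self):
        self.counts = Counter()
        self.total = 0

    def learn(self, events):
        # Learning happens on the monitored site's own traffic, good or bad:
        # anything present during the window (telnet here) becomes baseline.
        for ev in events:
            self.counts[ev] += 1
            self.total += 1

    def score(self, event):
        """Anomaly score in [0, 1]: 1.0 for never-seen activity, lower the
        more often the pair was seen during learning."""
        if self.total == 0:
            return 1.0
        return 1.0 - self.counts[event] / self.total

    def classify(self, event, threshold):
        # The detector can only say "unusual"; whether unusual means "bad"
        # is the operator's decision, as the thread points out.
        return "unusual" if self.score(event) >= threshold else "normal"


def build_profile():
    profile = FrequencyProfile()
    profile.learn(BASELINE)
    return profile


def tradeoff(profile, labelled, thresholds):
    """For each threshold, count false positives (benign flagged) and false
    negatives (unwanted not flagged).  With this baseline no single
    threshold drives both counts to zero."""
    result = {}
    for thr in thresholds:
        fp = fn = 0
        for event, unwanted in labelled:
            flagged = profile.classify(event, thr) == "unusual"
            if flagged and not unwanted:
                fp += 1
            elif not flagged and unwanted:
                fn += 1
        result[thr] = (fp, fn)
    return result


if __name__ == "__main__":
    profile = build_profile()
    # FTP was absent from the learning window, so it is maximally anomalous
    # whether or not FTP is allowed at this company.
    print("tcp/21:", profile.score(("tcp", 21)), profile.classify(("tcp", 21), 0.99))
    for thr, (fp, fn) in tradeoff(profile, LABELLED_TEST, [0.99, 0.97, 0.70]).items():
        print(f"threshold {thr:.2f}: false positives={fp} false negatives={fn}")
```

Running it shows why the threshold is a trade-off rather than a setting that can be "got right": the strictest threshold flags only never-seen FTP and misses the telnet that was learned as normal, while any threshold low enough to catch that telnet also flags the equally rare but legitimate SSH. The output is the same at a company where FTP is permitted; only the operator's policy, not the profile, turns "unusual" into "allowed" or "blocked".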
Current thread:
- Re: IDS vs Application Proxy Firewal alfredhuger () winterhope com (Oct 24)
- Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 27)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 27)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 28)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
- Re: IDS vs Application Proxy Firewal Ashish Kamra (Oct 29)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
- RE: IDS vs Application Proxy Firewal Kamra, Ashish (Oct 29)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 27)
- Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 27)
- Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 28)
- Re: IDS vs Application Proxy Firewal Arian J. Evans (Oct 28)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 28)
- Re: IDS vs Application Proxy Firewal Arian J. Evans (Oct 29)