Information Security News mailing list archives
Re: Denial of Service Attacks Planned For Christmas - ISS
From: lsi <lsi () LSI CLARA NET>
Date: Sat, 2 Dec 2000 05:25:01 -0000
How do they 'know' when an attack is planned?
I'd say they are using statistics. They probably found a positive correlation between certain types of intrusions and DDOS attacks. They probably also dredge data from IRC and the web using robots. The stat technique might be multivariate cross-correlation analysis, which basically asks the computer to find any correlations in all columns of a database (which must be represented numerically). So basically X-Force must feed all their incident data and all the bot data into a database and mash it with that algorithm. And probably a few others. They take the significant numbers from the analysis and feed them to their eXpert system, which every half-hour pops up with its latest set of "X-pert recommendations", which they then give to their analysts, who aggregate it with what they "know" of the field (but presumably have been unable to codify into rules for their box). It should be possible to model/predict the accuracy of the security companies' alerts, as they too will be normally distributed.. so we can say that X-Force are x% likely to be right about Christmas, and their predictions are usually y% more accurate than [a rival company/the industry average].
Welcome to just one of the many things that suck about the 'industry' that's developed around info ops and info assurance.
I'd say that the quality of the statistics provided by these companies is a competitive advantage to any serious player, and they [should be] doing everything impossible to improve them (it's in their commercial interest to do so). The companies with the largest sample size (largest datasets) and lowest rates of bias (input errors, bugs in their analyser/rulesets, etc) will without fail issue the most accurate predictions. But the key point to be made is that it's very probably machines both doing the measurement and making the predictions. With time, and expert training, these devices can become extremely sensitive and accurate.

my 0.02E-08c

Stuart

------------------------------
Stuart Udall
stuart () cyberdelix net
http://cyberdelix.net/
..revolution through evolution

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".