Information Security News mailing list archives

Re: Denial of Service Attacks Planned For Christmas - ISS


From: lsi <lsi () LSI CLARA NET>
Date: Sat, 2 Dec 2000 05:25:01 -0000

How do they 'know' when an attack is planned?

I'd say they are using statistics.  They probably found a positive
correlation between certain types of intrusions and DDOS attacks.
They probably also dredge data from IRC and the web using robots.

The stat technique might be multivariate cross-correlation analysis,
which basically asks the computer to find any correlations in all
columns of a database (which must be represented numerically).

So basically X-Force must feed all their incident data and all the
bot data into a database and mash it with that algorithm.  And
probably a few others.  They take the significant numbers from the
analysis and feed them to their eXpert system, which every half-hour
pops up with its latest set of "X-pert recommendations", which
they then give to their analysts, who aggregate it with what they
"know" of the field (but presumably have been unable to codify into
rules for their box).

It should be possible to model/predict the accuracy of the security
companies' alerts, as they too will be normally distributed, so we
can say that X-Force are x% likely to be right about Christmas,
and their predictions are usually y% more accurate than [a rival
company/the industry average].

Welcome to just one of the many things that suck about the
'industry' that's developed around info ops and info assurance.

I'd say that the quality of the statistics provided by these
companies is competitive advantage to any serious player, and
they [should be] doing everything impossible to improve them (it's
in their commercial interest to do so).

The companies with the largest sample size (largest datasets) and
lowest rates of bias (input errors, bugs in their analyser/rulesets,
etc) will without fail issue the most accurate predictions.

But the key point to be made is that it's very probably machines
both doing the measurement and making the predictions.  With
time, and expert training, these devices can become extremely
sensitive and accurate.

my 0.02E-08c
Stuart

------------------------------
. ^               Stuart Udall
.~X\     stuart () cyberdelix net
.~ \    http://cyberdelix.net/

..revolution through evolution
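As an added illustration (not part of the original post, and not anything X-Force is known to run), here is the kind of lagged cross-correlation across numeric incident columns that the post speculates about, applied to constructed daily counts; the column names, values and the 0.7 threshold are assumptions.

```python
"""Lagged cross-correlation over constructed daily incident counts.
Every numeric column is compared with every other at a range of lags so an
analyst can see whether one event type tends to precede another."""
from itertools import permutations
from math import sqrt

# Constructed 14-day counts (not real data). "ddos" is built to trail
# "scans" by exactly two days; "irc" is unrelated noise.
INCIDENTS = {
    "scans": [2, 3, 9, 4, 4, 11, 5, 2, 10, 6, 12, 3, 3, 8],
    "irc":   [2, 1, 3, 2, 1, 2, 3, 1, 2, 2, 1, 3, 2, 1],
    "ddos":  [1, 1, 2, 3, 9, 4, 4, 11, 5, 2, 10, 6, 12, 3],
}

def pearson(xs, ys):
    """Pearson r; 0.0 when a series is constant (no information, avoids /0)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def lagged_corr(lead, follower, lag):
    """Correlate lead[t] with follower[t + lag] (lead seen `lag` days earlier)."""
    n = len(lead) - lag
    return pearson(lead[:n], follower[lag:lag + n])

def best_lag(lead, follower, max_lag=5):
    """(lag, r) with the largest |r| over lags 0..max_lag."""
    scores = [(lag, lagged_corr(lead, follower, lag)) for lag in range(max_lag + 1)]
    return max(scores, key=lambda s: abs(s[1]))

def significant_pairs(data, max_lag=5, threshold=0.7):
    """Ordered column pairs whose best lagged |r| reaches `threshold`, strongest
    first: the 'significant numbers' an analyst reviews before predicting."""
    found = []
    for lead, follower in permutations(data, 2):
        lag, r = best_lag(data[lead], data[follower], max_lag)
        if abs(r) >= threshold:
            found.append((lead, follower, lag, round(r, 3)))
    return sorted(found, key=lambda f: -abs(f[3]))

if __name__ == "__main__":
    for lead, follower, lag, r in significant_pairs(INCIDENTS):
        print(f"{lead:>5} -> {follower:<5} lag={lag}d r={r:+.3f}")
```

A strong pairing at a non-zero lag only says the columns co-move in this sample; the sample size and input quality the post mentions decide whether it survives on new data.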

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
