Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: tqbf () secnet com
Date: Sun, 15 Feb 1998 23:14:22 -0600 (CST)
On Sat, 14 Feb 1998 tqbf () secnet com wrote:
> point out below. But I don't think it solves the issue of providing a context for the evaluation of anomalies and attacks. That problem is
You're moving into a whole new level of questions about intrusion detection. Hopefully, some kind souls will spend some time researching IDS at the event analysis level (testing misuse detection's signature patterns, anomaly detection's statistical analysis, what have you) and we'll have some solid, technically credible basis for conjecture about the security of ID at that level. My approach to IDS security analysis goes from the bottom up, and we've only just started to climb into the event generation techniques we've got now. I'd be amazed if there were no problems at higher levels, and there's certainly nothing stopping people from attacking them at the level of analysis, so someone should get the ball rolling and give us some information.
> to identify security problems. How about time series analysis of request response cycles, or statistical analysis of larger traffic patterns?
Intrusion detection as a field of academic research seems to (this based on my exposure to the literature) revolve around finding new ways to analyze events; this includes the well-known techniques of misuse detection and statistical analysis, as well as some far-out-there ideas that have their basis in novel models for contemplating the meaning of an event series (such as the ORA (?) work on system-level intrusion detection based on immune system models, or the UCDavis GRiDS project for large-scale ID based in graph theory).

There's months worth of interesting, published, public research you can get on intrusion detection. COAST does quite a bit of ID work. So does UCDavis. You can check out the CIDF at http://seclab.cs.ucdavis.edu/cidf [neat place!!!] and find a whole bunch of people who do work in this field.

-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf "mmm... sacrilicious"