Firewall Wizards mailing list archives

Intrusion Detection


From: Gary Crumrine <gcrum () us-state gov>
Date: Tue, 17 Feb 1998 07:29:08 -0500

I started a similar thread a few days ago on the IDS list, and it seems to 
have spilled over here.

One thing that I have noticed is that we tend to deal in absolutes...  A 
product has to meet x, y, z absolutely or it is considered BAD.  I totally 
disagree with that thought stream.  Take a look at the needs of a bank 
vs. the little shop down the block that wants to protect their ten-employee 
internet connection.  Whose needs are greater?  I think that the first answer 
is that both are equal.  But the poor guy doesn't have the $ to spend like the 
bank.  He needs something... so he is willing to accept more of a risk, and 
use something less robust, i.e., costing less.  It makes damn good sense to me 
to recommend a product that may be less robust but affordable in lieu of 
him going totally without.....

I think we are becoming too closed-minded these days.  We need to root out 
solutions, not attack each other's ideas.
My 2 cents' worth.

-----Original Message-----
From:   Vern Paxson [SMTP:vern () ee lbl gov]
Sent:   Sunday, February 15, 1998 2:16 AM
To:     Craig Brozefsky
Cc:     firewall-wizards () nfr net
Subject:        Re: Important Comments re: Intrusion Detection

How about time series analysis of request
response cycles, or statistical analysis of larger traffic patterns?

I'm skeptical that you can reliably detect attackers this way.  A theme
from the measurement studies I've done is that many aspects of "normal"
traffic have an extremely large range of behavior; so it seems all too easy
for an attacker to shape their illicit traffic to fit somewhere within that
wide range, and therefore go undetected.

                Vern
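As an added illustration (not part of the thread), the Python sketch below implements the kind of threshold detector Vern is doubting: a mean-plus-k-sigma alarm line over per-minute request counts. The baseline counts are constructed; the point it shows is that the alarm line is set by the spread of "normal" traffic, so a wide baseline leaves a large volume of activity that never trips it, while the same detector over a narrow baseline flags far smaller deviations.

```python
"""Mean + k*sigma anomaly detector over per-interval request counts.
Added example for the thread above; all traffic figures are constructed."""
from statistics import mean, stdev

# Constructed baseline A: a bursty service whose "normal" per-minute
# request counts swing between a few dozen and several hundred.
WIDE_BASELINE = [120, 95, 310, 40, 260, 180, 75, 420, 150, 90, 330, 60]

# Constructed baseline B: a steady service with very little variation.
TIGHT_BASELINE = [100, 105, 98, 102, 101, 99, 103, 97, 100, 102, 104, 98]


def alarm_line(baseline, k=3.0):
    """Alarm threshold: baseline mean plus k sample standard deviations."""
    return mean(baseline) + k * stdev(baseline)


def flag_intervals(observed, baseline, k=3.0):
    """Indices of observed intervals whose count exceeds the alarm line."""
    line = alarm_line(baseline, k)
    return [i for i, count in enumerate(observed) if count > line]


def detection_floor(baseline, k=3.0):
    """Largest whole per-interval volume this model would still not flag.

    This is the 'range' Vern refers to: anything at or below it blends in.
    """
    return int(alarm_line(baseline, k))


if __name__ == "__main__":
    # Same observed minute, two different services: a 150-request minute
    # is an obvious outlier for the steady service and invisible for the
    # bursty one, purely because of how wide the latter's baseline is.
    observed = [150]
    for name, base in (("wide", WIDE_BASELINE), ("tight", TIGHT_BASELINE)):
        print(f"{name:5s} baseline: alarm line {alarm_line(base):7.1f}, "
              f"floor {detection_floor(base):4d}, "
              f"flagged {flag_intervals(observed, base)}")
```

The practical consequence for a defender is that a statistical baseline should be drawn per service and per feature, and complemented with signature or policy checks that do not depend on volume at all.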
