IDS mailing list archives

Re: Changes in IDS Companies?


From: Scott Wimer <scottw () cylant com>
Date: Thu, 31 Oct 2002 14:03:11 -0800

Raistlin wrote:
Even if there were no false alarms, something that automatically cuts in and
prevents communication has an astounding potential to become the worst
Denial-of-service tool on the market...

It is really difficult to implement an AI engine clever enough to understand
which attacks are using the prevention feature to actually cause harm
_through_ the IPS itself.

One way to do this is by implementing meta monitoring of the IPS tools themselves -- looking for patterns of activity in the counter-measures applied by the IPS. This won't let you prevent a few mis-applied counter-measures, but it should be able to substantially mitigate the risk of several hundred or several thousand "whoopsies".

The behavior of a set of IPS tools should be just as profilable as the behavior of a set of processes. Except, in this case, what you would be looking for is not the behavior breaking out of the pattern, but rather a case where the behavior forms a pattern where previously there had been mostly just noise. Kind of like a spike of signal against background radiation.

Regards,
scottwimer

Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys

--
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 850-4454                        Moscow, ID 83843
There is no Security without Control.
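The meta-monitoring idea in Scott's reply, as an added example that is not code from the original thread or from Cylant: instead of profiling processes, profile the IPS's own countermeasure stream and alarm when a pattern emerges where previously there was only noise. The log format (`<ts> <action> target=<host> rule=<id>`), the thresholds, and the sample log are all constructed assumptions for this demonstration; the spike detector uses a trailing-window mean with a floored standard deviation so that a single block after a quiet hour is not itself an alarm.

```python
from collections import Counter
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Countermeasure:
    ts: int       # unix seconds (constructed sample values below)
    action: str   # e.g. "block"
    target: str   # the host the IPS cut off
    rule: str     # the IPS rule that triggered the countermeasure


def parse_line(line: str) -> Countermeasure:
    """Parse one line of a hypothetical IPS action log: '<ts> <action> target=<host> rule=<id>'."""
    ts, action, target, rule = line.split()
    return Countermeasure(int(ts), action, target.split("=", 1)[1], rule.split("=", 1)[1])


def bucketize(events, window):
    """Count countermeasures per fixed-width time window, filling empty windows with 0."""
    counts = Counter(e.ts // window for e in events)
    if not counts:
        return {}
    return {b: counts.get(b, 0) for b in range(min(counts), max(counts) + 1)}


def spike_windows(events, window=60, baseline_windows=10, factor=4.0, min_count=5):
    """Return (window_start, count, threshold) for windows far above the trailing baseline.

    The baseline is the mean of the preceding windows; the spread is floored at 1
    so that a perfectly quiet history does not turn one block into an alarm.
    """
    buckets = bucketize(events, window)
    keys = sorted(buckets)
    flagged = []
    for i, k in enumerate(keys):
        history = [buckets[j] for j in keys[max(0, i - baseline_windows):i]]
        if len(history) < 3:
            continue  # not enough history yet to call anything a spike
        mean = statistics.fmean(history)
        spread = max(statistics.pstdev(history), 1.0)
        threshold = max(float(min_count), mean + factor * spread)
        if buckets[k] >= threshold:
            flagged.append((k * window, buckets[k], threshold))
    return flagged


def describe_spike(events, start, window):
    """For a flagged window, report the dominant rule and how many distinct hosts it cut off."""
    in_window = [e for e in events if start <= e.ts < start + window]
    rule, hits = Counter(e.rule for e in in_window).most_common(1)[0]
    return {"rule": rule, "hits": hits, "distinct_targets": len({e.target for e in in_window})}


def analyze(lines, window=60):
    """Parse the log, find countermeasure spikes, and describe what drove each one."""
    events = [parse_line(line) for line in lines]
    report = []
    for start, count, threshold in spike_windows(events, window=window):
        report.append({"start": start, "count": count, "threshold": threshold,
                       **describe_spike(events, start, window)})
    return report


def build_sample_log():
    """Constructed log: ten minutes of background noise, then one minute in which a
    single rule blocks thirty different hosts, the 'spike against background radiation'."""
    base = 1_000_020  # divisible by 60 so the sample aligns with the windows
    lines = []
    noise = [1, 0, 2, 1, 1, 0, 1, 2, 1, 1]
    for w, c in enumerate(noise):
        for j in range(c):
            lines.append(f"{base + 60 * w + 5 * j} block target=192.0.2.{w * 3 + j + 1} rule=sid:1000")
    for j in range(30):
        lines.append(f"{base + 600 + j} block target=198.51.100.{j + 1} rule=sid:2001")
    return lines


if __name__ == "__main__":
    for entry in analyze(build_sample_log()):
        print(entry)
```

On the constructed sample the only flagged window is the last one: thirty blocks from one rule against thirty distinct hosts, against a baseline of about one block per minute. That combination (one rule, many targets, sudden onset) is exactly the case worth routing to a human before the IPS keeps applying the same countermeasure; the noise windows, with at most two blocks each, never cross the threshold.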

