IDS mailing list archives
Re: Changes in IDS Companies?
From: Scott Wimer <scottw () cylant com>
Date: Thu, 31 Oct 2002 14:03:11 -0800
Raistlin wrote:
Even if there were no false alarms, something that automatically cuts in and prevents communication has an astounding potential to become the worst Denial-of-service tool on the market... It is really difficult to implement an AI engine clever enough to understand which attacks are using the prevention feature to actually cause harm _through_ the IPS itself.
One way to do this is by implementing meta monitoring of the IPS tools themselves -- looking for patterns of activity in the counter-measures applied by the IPS. This won't let you prevent a few mis-applied counter-measures, but it should be able to substantially mitigate the risk of several hundred or several thousand "whoopsies".
The behavior of a set of IPS tools should be just as profilable as the behavior of a set of processes. Except, in this case, what you would be looking for is not the behavior breaking out of the pattern, but rather a case where the behavior forms a pattern where previously there had been mostly just noise. Kind of like a spike of signal against background radiation.
Regards, scottwimer
Stefano "Raistlin" Zanero System Administrator Gioco.Net public PGP key block at http://gioco.net/pgpkeys
--
Scott M. Wimer, CTO
Cylant www.cylant.com
121 Sweet Ave. v. (208) 883-4892
Suite 123 c. (208) 850-4454
Moscow, ID 83843
There is no Security without Control.
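One way to implement the meta monitoring described in the message above, as an added example that is not part of the original post or any vendor's code: it watches the IPS's own counter-measure log and flags a time window only when block volume spikes above a robust baseline and the blocks concentrate on few rules. The `(epoch_seconds, rule_id)` log shape, the thresholds, and the use of rule concentration as the "pattern" measure are assumptions, and the sample events are constructed.

```python
import math
from collections import Counter
from statistics import median

def rule_entropy(rules):
    """Normalized Shannon entropy of the rules that fired (1.0 = evenly spread noise)."""
    counts = Counter(rules)
    if len(counts) < 2:
        return 0.0  # zero or one distinct rule: fully concentrated
    n = len(rules)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))

def flag_windows(events, width=60, k=5.0, max_entropy=0.5, warmup=5):
    """events: (integer epoch_seconds, rule_id) per counter-measure applied (assumed shape).
    Returns start times of windows where block volume exceeds median + k*MAD of
    earlier windows AND the blocks concentrate on few rules."""
    buckets = {}
    for ts, rule in events:
        buckets.setdefault(ts - ts % width, []).append(rule)
    if not buckets:
        return []
    flagged, history = [], []
    for w in range(min(buckets), max(buckets) + width, width):
        rules = buckets.get(w, [])  # quiet windows count as zero blocks
        if len(history) >= warmup:
            med = median(history)
            mad = median(abs(c - med) for c in history) or 1.0  # avoid a zero-width band
            if len(rules) > med + k * mad and rule_entropy(rules) <= max_entropy:
                flagged.append(w)
                continue  # keep the spike out of the baseline
        history.append(len(rules))
    return flagged

def sample_events():
    """Constructed sample: 10 minutes of scattered blocks, then a burst on one rule."""
    rules = ["R100", "R200", "R300", "R400"]
    ev = [(m * 60 + i * 7, rules[(m + i) % 4]) for m in range(10) for i in range(3)]
    ev += [(600 + i % 60, "R200") for i in range(300)]  # minute 10: 300 blocks, one rule
    ev += [(660 + i * 7, rules[i % 4]) for i in range(3)]  # back to background
    return ev

if __name__ == "__main__":
    print("windows needing operator review:", flag_windows(sample_events()))
```

A flagged window is a candidate for pausing automatic counter-measures and paging an operator; a burst of equal size spread evenly across rules is deliberately not flagged by this particular measure.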