IDS mailing list archives
Re: ids detect malicious encrypted data?
From: Christian Kreibich <christian () whoop org>
Date: 21 Feb 2003 17:29:56 +0000
Hi Lau,

On Fri, 2003-02-21 at 09:21, Lau Ker Chea wrote:
> i just start doing some research in ids field. may i know whether majority of the today's nids can detect malicious encrypted data since from the article that i had read, early nids still face this problem.

with encrypted traffic and a NIDS, pretty much all you can do is traffic analysis (i.e. look at unusual amounts of traffic etc). You basically have to go host-based in order to understand what's going on. The other approach would be to come up with a NIDS that somehow knows all the crypto magic to still understand the traffic, which is problematic for a number of reasons (more CPU power needed, high-profile attack target etc etc). There are some research papers out there that investigate application-layer IDS architectures, you might want to have a look at those.

Cheers,
Christian.
--
http://www.whoop.org
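
Added example (not part of the original post): a sketch of the traffic-analysis approach the reply mentions, flagging unusual traffic volume per host from flow metadata alone, without touching the encrypted payload. The flow records, host addresses, function name and thresholds are all constructed for illustration.

```python
from statistics import median

# Constructed flow summaries: (interval, source host, bytes sent on encrypted
# sessions). Only metadata is used; payloads are never decrypted or inspected.
FLOWS = [
    (0, "10.0.0.5", 41_000), (1, "10.0.0.5", 39_500), (2, "10.0.0.5", 43_200),
    (3, "10.0.0.5", 40_100), (4, "10.0.0.5", 38_900), (5, "10.0.0.5", 42_700),
    (6, "10.0.0.5", 910_000),          # sudden bulk transfer
    (0, "10.0.0.9", 5_000), (1, "10.0.0.9", 5_200), (2, "10.0.0.9", 4_900),
    (3, "10.0.0.9", 5_100), (4, "10.0.0.9", 5_050), (5, "10.0.0.9", 4_950),
    (6, "10.0.0.9", 5_150),
]


def volume_outliers(flows, threshold=6.0, min_history=5):
    """Flag intervals where a host's byte count departs from its own baseline.

    Uses a robust z-score (median / median absolute deviation) so that a
    single earlier spike does not inflate the baseline the way a mean would.
    """
    history = {}   # host -> byte counts accepted into the baseline
    alerts = []
    for interval, host, nbytes in sorted(flows):
        past = history.setdefault(host, [])
        if len(past) >= min_history:
            med = median(past)
            mad = median([abs(x - med) for x in past]) or 1.0  # avoid /0
            score = 0.6745 * (nbytes - med) / mad
            if abs(score) > threshold:
                alerts.append((interval, host, nbytes, round(score, 1)))
                continue  # keep the outlier out of the baseline
        past.append(nbytes)
    return alerts


if __name__ == "__main__":
    for interval, host, nbytes, score in volume_outliers(FLOWS):
        print(f"interval {interval}: {host} sent {nbytes} bytes (score {score})")
```

An alert of this kind says only that a host's volume is abnormal; deciding whether the session was malicious still needs host-based visibility, as the reply notes.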