IDS mailing list archives

Re: ids detect malicious encrypted data?


From: Christian Kreibich <christian () whoop org>
Date: 21 Feb 2003 17:29:56 +0000

Hi Lau,

On Fri, 2003-02-21 at 09:21, Lau Ker Chea wrote:
      I just started doing some research in the IDS field. May I
      know whether the majority of today's NIDS can detect
      malicious encrypted data, since from the article that I
      had read, early NIDS still face this problem.

With encrypted traffic and a NIDS, pretty much all you can do is traffic
analysis (i.e. look at unusual amounts of traffic etc). You basically have
to go host-based in order to understand what's going on. The other
approach would be to come up with a NIDS that somehow knows all the
crypto magic to still understand the traffic, which is problematic for a
number of reasons (more CPU power needed, high-profile attack target etc
etc).

There are some research papers out there that investigate
application-layer IDS architectures, you might want to have a look at
those.

Cheers,
Christian.
-- 
________________________________________________________________________
                                                    http://www.whoop.org
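As an added illustration of the traffic-analysis approach described in the reply above (this is example code written for this archive page, not code from the original post or from any list member): a NIDS that cannot read TLS payloads still sees per-flow metadata such as endpoints, ports and byte counts. The script builds a per-host baseline of outbound bytes per flow from historical records and flags current flows whose volume is an outlier by the Iglewicz-Hoaglin modified z-score (|M| > 3.5), plus flows from hosts that have no baseline at all. All flow records, addresses and thresholds are constructed for the example; the one-byte floor on the MAD is an assumption to avoid division by zero.

```python
"""Traffic-analysis check over flow metadata of encrypted connections.

Added example. A NIDS that cannot decrypt TLS still sees per-flow
metadata (endpoints, ports, byte counts). This builds a per-host
baseline of outbound bytes per flow and flags outliers using the
Iglewicz-Hoaglin modified z-score. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str        # internal client
    dst: str        # external server
    dst_port: int
    bytes_out: int  # client -> server payload bytes
    bytes_in: int   # server -> client payload bytes


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    bytes_out: int
    score: Optional[float]  # None when no baseline exists for the host
    reason: str             # "volume" or "no_baseline"


# Constructed baseline: typical HTTPS sessions per internal host (not real data).
BASELINE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, b, 12000)
    for b in (1800, 2200, 1950, 2100, 2400, 1700, 2050, 2300, 1900, 2150)
] + [
    Flow("10.0.0.9", "203.0.113.10", 443, b, 4000)
    for b in (500, 520, 480, 510, 490)
]

# Constructed "today" flows: one very large upload and one never-seen host.
CURRENT_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 2000, 15000),
    Flow("10.0.0.5", "198.51.100.7", 443, 250000, 900),
    Flow("10.0.0.9", "203.0.113.10", 443, 505, 4000),
    Flow("10.0.0.77", "198.51.100.7", 443, 100, 100),
]

MODIFIED_Z_THRESHOLD = 3.5  # Iglewicz & Hoaglin outlier cut-off


def baseline_stats(flows):
    """Return {src: (median_bytes_out, MAD)} computed from historical flows."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f.src].append(f.bytes_out)
    stats = {}
    for src, values in per_host.items():
        med = float(median(values))
        mad = float(median(abs(v - med) for v in values))
        stats[src] = (med, mad)
    return stats


def modified_z(value, med, mad):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD."""
    # Assumption for this example: floor a zero MAD (all baseline values
    # identical) at one byte so the score stays finite.
    return 0.6745 * (value - med) / max(mad, 1.0)


def flag_anomalous_flows(flows, stats, threshold=MODIFIED_Z_THRESHOLD):
    """Flag flows from unknown hosts and flows whose outbound volume is an outlier."""
    alerts = []
    for f in flows:
        if f.src not in stats:
            alerts.append(Alert(f.src, f.dst, f.bytes_out, None, "no_baseline"))
            continue
        med, mad = stats[f.src]
        score = modified_z(f.bytes_out, med, mad)
        if abs(score) > threshold:
            alerts.append(Alert(f.src, f.dst, f.bytes_out, score, "volume"))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalous_flows(CURRENT_FLOWS, baseline_stats(BASELINE_FLOWS)):
        print(alert)
```

The point of the robust median/MAD baseline rather than mean/standard deviation is that a single large transfer in the history would otherwise inflate the baseline and hide later ones; the "no_baseline" reason separates "never seen this host talk outbound before" from "known host, unusual volume", which call for different triage.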

