IDS mailing list archives

Re: Random IDS Thoughts [WAS: Re: IDS thoughts]


From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Tue, 03 Jun 2003 12:45:41 -0400

>To:  FOCUS-IDS
>Subject:  Re: Random IDS Thoughts [WAS: Re: IDS thoughts]
>Date:  May 31 2003 9:29PM
>Author:  Stefano Zanero <stefano.zanero () ieee org>
>Message-ID:  <06ae01c327bb$d1f52f20$07c8a8c0@vplab.local>
>In Reply-To:  <4.3.2.7.0.20030530133519.027c7950 () pop iquebec com>
>
>> statistical-based IDS, or anomaly-based IDS

>Actually, they are not necessarily synonyms, you know? Anomaly-based IDS
>could be, for instance, based on neural algorithms or other adaptive models.

My mistake, I'm not an expert at this kind of IDS, but I wanted to include them in my analysis of the market.

>> could be beaten by flooding a network with "anomalous" traffic

>Rather naive. If you have a product that does not "adapt", this is obviously
>not a problem (i.e., you deploy it, you train it, then you "lock" it).
>Letting an algorithm learn by itself and still not get fooled by a semantic
>drift (this is one of the current names for the effect you described) is not
>an easy task, but it can be accomplished by following a scheme such as this:
>- get the new data
>- check if the new data is "wrong"; if it is, fire an alert and do NOT
>update
>- if the new data is not "wrong", update the model to fit a little better on
>the new data

>Obviously someone can still sneakily, bit by bit, subvert the training of
>the IDS. But it becomes a rather long attack ;-)

As I said, I'm not pretending that I didn't make some kind of mistake with this kind of IDS, but for this part I based my opinion on the article "Statistical-Based Intrusion Detection" (http://www.securityfocus.com/infocus/1686). Anyway, my main point is that the more varied the devices, the more difficult it is to evade the global scrutiny of these tools, knowing that no single tool provides complete security protection. I'm sorry if I said a couple of erroneous things in the meantime.

>> Being notified of events as they occur takes less time, as you
>> only have to deal with the data presented at this time.

>In the hope that you won't actually be alerted, say, three times every ten
>minutes...

It depends. Are you getting hacked into 3 times every 10 minutes? If so, then yes, you should be notified that frequently. Does it have to tick off on every bit of log it receives for analysis? Of course not; this is why you can actually "analyse" this data, to determine whether it is worth bringing to your attention or not. The analysis is still maybe a little crude, but bear in mind that this is a version 1.0 only, and that the algorithms may very well evolve in the foreseeable future. Using this tool, and maybe firewalling applied to every host (personal firewalls, for example), I thought that noise traffic, and with it false alerts, could be reduced to an acceptable level. Also, with sound support, you can tell whether the LogIDS console emits a single beep every now and then, which can happen with device false alarms, or whether it starts ringing like hell, which is more likely to be various devices reporting something really nasty going on. It should help you determine more quickly what is going on; although it may not yet be perfect, I still think it's better than nothing.

>> So thinking about all that, I thought of designing a log-based IDS, or
>> LIDS
>> for acronym fans.

>That's actually already used for Linux Intrusion Detection System kernel
>patches :)

DOH! I knew it was too good for such an acronym to be unused. But what other acronym can I give it? Acronyms are made of the first letters of words. In fact, it is not uncommon to see different things bear the same acronym (ex: DOS). Oh well, this is not my main point.

>I will be looking at LogIDS: looks like a really nice work though!

I do hope that people will find it useful and feed me with ways to improve it.

>Stefano

Adam
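The guarded-update scheme Stefano describes above (get the new data; if it is "wrong", alert and do NOT update; otherwise let the model fit the new data a little better), together with his caveat that it can still be subverted bit by bit, as an added example. This is not part of the original thread and is not LogIDS or any product's code: the one-feature z-score model, the constructed baseline sample, the flood and slow-drift attack routines and the `model_drifted` check are all illustrative assumptions.

```python
"""Guarded-update anomaly model vs. flooding and slow drift (illustrative, not product code)."""
import math
from dataclasses import dataclass
from typing import List, Tuple

# Constructed baseline: connections per minute observed during training.
BASELINE: List[float] = [48, 52, 50, 49, 51, 50, 47, 53, 50, 50]


@dataclass
class GuardedModel:
    """Adaptive model of one numeric feature with a guarded update rule.

    An observation whose z-score exceeds `threshold` is "wrong": it fires an
    alert and is NOT folded into the model. Anything else nudges mean and
    variance by a small step (alpha), which is the "fit a little better" rule.
    """
    mean: float
    var: float
    threshold: float = 3.0   # z-score beyond which an observation is "wrong"
    alpha: float = 0.05      # how far an accepted observation moves the model
    min_sd: float = 1.0      # floor so a perfectly flat baseline does not alert on everything

    def sd(self) -> float:
        return max(math.sqrt(self.var), self.min_sd)

    def zscore(self, x: float) -> float:
        return abs(x - self.mean) / self.sd()

    def observe(self, x: float) -> bool:
        """True = alert raised and model untouched; False = accepted and model updated."""
        if self.zscore(x) > self.threshold:
            return True
        delta = x - self.mean
        self.mean += self.alpha * delta
        # exponentially weighted variance update
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * delta * delta)
        return False


def fit(samples: List[float], **kw) -> GuardedModel:
    """Training phase: plain mean/variance of the baseline, then the model is deployed."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((s - mean) ** 2 for s in samples) / n
    return GuardedModel(mean=mean, var=var, **kw)


def flood_attack(model: GuardedModel, value: float, count: int) -> Tuple[int, bool]:
    """Blast `count` grossly anomalous observations. Returns (alerts, model_unchanged)."""
    before = (model.mean, model.var)
    alerts = sum(model.observe(value) for _ in range(count))
    return alerts, before == (model.mean, model.var)


def drift_attack(model: GuardedModel, target: float, step_fraction: float = 0.9) -> int:
    """Stefano's "sneaky, bit by bit" subversion: each observation is placed just
    inside the alert band, so it is accepted and drags the model toward `target`.
    Returns the number of observations needed before `target` itself is accepted."""
    steps = 0
    while model.zscore(target) > model.threshold:
        direction = 1.0 if target > model.mean else -1.0
        x = model.mean + direction * step_fraction * model.threshold * model.sd()
        if model.observe(x):  # by construction this never alerts
            raise RuntimeError("step unexpectedly alerted")
        steps += 1
        if steps > 100_000:
            raise RuntimeError("drift attack did not converge")
    return steps


def model_drifted(locked: GuardedModel, live: GuardedModel, factor: float = 2.0) -> bool:
    """Defensive check: keep a locked copy of the trained model and compare it with
    the live one. A variance that has grown by more than `factor`, or a mean that the
    locked model would itself have flagged, is evidence of slow subversion."""
    return live.var > factor * locked.var or locked.zscore(live.mean) > locked.threshold


if __name__ == "__main__":
    m = fit(BASELINE)
    print("flood:", flood_attack(fit(BASELINE), 5000.0, 100))
    live = fit(BASELINE)
    print("drift steps to accept 200/min:", drift_attack(live, 200.0))
    print("live model:", round(live.mean, 1), round(live.sd(), 1),
          "drifted?", model_drifted(m, live))
```

The flood leaves the model exactly where training put it, because rejected observations never touch it. The slow drift is accepted step by step and ends with a model whose mean and spread bear little resemblance to the baseline; comparing the live model against the locked copy catches that, which is the practical answer to the "rather long attack".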
