IDS mailing list archives

Re: IDS thoughts


From: "Raistlin" <raistlin () gioco net>
Date: Mon, 26 May 2003 21:33:42 +0200

Apologies for the out-of-order quotation, but I lost some messages in a
disk crash:

> Mike, enjoyed the thoughts below.  It's also interesting to note that Dr.
> Denning, who most consider the mother of Anomaly Detection (because of her
> 1985 paper on it) even concluded in her landmark paper that she didn't
> believe AD alone to be a viable, stand-alone ID model.  Even back then she
> saw it as an adjunct model...which supports the whole hybrid,
> use-both-where-they-fit-best solutions.

This is pretty obvious to me, too: please excuse me if this wasn't clear in
my first message :)

> I don't think anyone has forgotten anomaly-based detection.  Most
> players are taking a hybrid approach.

This is what they say, but beyond marketing hype and some small, limited
attempts at portscan detection, there is nothing of the kind in production
systems. I welcome counter-examples, of course!

> Keeping up isn't as hard as you would think.

I hope so, but in your analysis you are forgetting the memory requirements for
stream reassembly, and a lot of complications beyond simple pattern matching
;)

> Ok.  I do both firewall development (OpenBSD) and IDS development (NFR).
> And they are totally different, dare I use a buzz word, paradigms.

Thank God for that, but you completely missed my point. I was saying that
misuse detection is like shutting down what you DON'T want (which is
something we know works only on a limited, case-by-case basis), and
anomaly detection is like allowing only what you want.

I was not implying that you can actually DO 100%, totally accurate anomaly
detection, while you can sometimes define a totally tight policy for your
firewall.

By the way, "paradigm" is by no means a buzzword. It's a perfectly well-defined
scientific word, which has a meaning. If vendors keep using it for other
things, that's not my fault :)

> Thus you see many vendors transitioning (or having already done so) to doing
> anomaly detection where feasible, and "bad thing" detection when not.

I don't see the former, actually. Looking for pointers, if you can provide
any :)

> I'll make a standing offer: I will buy a cookie for anyone who can describe
> their enterprise network usage adequately enough to allow pure
> anomaly detection.

The point is not in using human knowledge for it, but in trying to design
systems that can actually build such a model automatically.

Stefano
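The deny-list versus allow-list distinction argued above (misuse detection enumerates what you don't want; anomaly detection learns what you do want and reports the rest) is easier to see side by side on data. The following is an added illustration, not code from this thread or from any product it mentions: a hypothetical signature table keyed on destination port, and a tiny per-source baseline that is built automatically from a training window. All IP addresses, ports, byte counts and signature names are constructed for the example.

```python
"""Misuse (deny-list) vs anomaly (learned allow-list) detection, side by side.

Added illustration for the thread above; not code from the original post or
from any product it mentions. All records below are constructed.
Record format: (src_ip, dst_ip, dst_port, bytes_sent)
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" training window used to build the anomaly baseline.
TRAINING = [
    ("10.0.0.5", "10.0.0.10", 80, 1200),
    ("10.0.0.5", "10.0.0.10", 80, 1500),
    ("10.0.0.5", "10.0.0.10", 80, 1100),
    ("10.0.0.5", "10.0.0.53", 53, 90),
    ("10.0.0.5", "10.0.0.53", 53, 110),
    ("10.0.0.6", "10.0.0.10", 443, 2000),
    ("10.0.0.6", "10.0.0.10", 443, 2400),
    ("10.0.0.6", "10.0.0.53", 53, 100),
]

# Constructed records to classify: one normal, two hostile, one benign-but-new.
TEST = [
    ("10.0.0.5", "10.0.0.10", 80, 1300),           # ordinary web request
    ("10.0.0.5", "10.0.0.10", 23, 300),            # telnet: matches a signature
    ("10.0.0.6", "203.0.113.7", 443, 90_000_000),  # bulk upload to a new host on an allowed port
    ("10.0.0.6", "10.0.0.10", 8080, 1500),         # new internal service, legitimate
]

# --- Misuse detection: enumerate what you do NOT want -----------------------
# Hypothetical signature table keyed on destination port (assumption).
SIGNATURES = {23: "telnet", 445: "smb", 4444: "common-reverse-shell-port"}


def misuse_detect(records):
    """Return [(record, signature_name)] for records hitting a signature."""
    return [(r, SIGNATURES[r[2]]) for r in records if r[2] in SIGNATURES]


# --- Anomaly detection: learn what you DO want from observed traffic --------
class Baseline:
    """Per-source model built automatically from a training window.

    Two features: the set of (src, dst, port) flows seen, and the per-source
    mean/std-dev of bytes per record. Anything outside either is reported.
    """

    def __init__(self, training, sigma=3.0):
        self.flows = {(s, d, p) for s, d, p, _ in training}
        by_src = defaultdict(list)
        for s, _, _, b in training:
            by_src[s].append(b)
        self.volume = {s: (mean(v), pstdev(v)) for s, v in by_src.items()}
        self.sigma = sigma

    def reasons(self, record):
        """Return the list of deviations for one record (empty == normal)."""
        s, d, p, b = record
        out = []
        if (s, d, p) not in self.flows:
            out.append("unseen-flow")
        if s not in self.volume:
            out.append("unseen-source")
        else:
            mu, sd = self.volume[s]
            if sd > 0 and abs(b - mu) / sd > self.sigma:
                out.append("volume")
        return out


def anomaly_detect(baseline, records):
    """Return [(record, reasons)] for records the baseline does not explain."""
    flagged = []
    for r in records:
        why = baseline.reasons(r)
        if why:
            flagged.append((r, why))
    return flagged


if __name__ == "__main__":
    base = Baseline(TRAINING)
    print("misuse hits:")
    for r, sig in misuse_detect(TEST):
        print("  ", r, "->", sig)
    print("anomaly hits:")
    for r, why in anomaly_detect(base, TEST):
        print("  ", r, "->", why)
```

Running it shows both halves of the argument: the signature side catches only the telnet record and is silent on the 90 MB upload to an outside host, because port 443 is not on its deny list; the baseline flags that upload twice (unseen flow, byte volume far above the source's norm) with no human-written rule. It also flags the new internal service on port 8080, which is exactly the false-positive cost of a model that only knows what it has seen, and why a complete description of "normal" is so hard to come by.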


