IDS mailing list archives
Re: Network hardware IPS
From: "Stefano Zanero" <zanero () elet polimi it>
Date: Mon, 6 Oct 2003 22:32:41 +0200
> I hate Marketing spin as much as the next engineer, but with respect, I disagree here entirely.
Strange - your post actually illustrates, with examples, what I have said ;) The only defect is that you consider just one, impossibly simple, attack. The real world is totally different. There is actually another defect: you think about network-based, misuse-based IDSes, and that is but a part of the IDS world. In my view, the most boring part, I might add :)
> False Positive reduction has nothing to do with Detection Rate.
It has _everything_ to do with Detection Rate. In the very moment in which you define a "strict" signature, you will miss "similar" attacks. You have attacks which are inherently polymorphic. A trade-off: do you risk missing an attack which is slightly different from the standard form? Or do you make your signature more generic, thus risking false positives? Your choice. You have attacks which can be spread over fragments: do you reconstruct them? If so, how do you do so coherently? Do you look at packets or at sessions? If the former, you will miss some things. If the latter, you still expose yourself to insertion and evasion techniques. Your choices.

As you change these choices, you will see different shapes take form on that ROC curve. Or, if you are less theoretically minded, you will see a different behavior in terms of detection rate and FP rate. I don't even talk about statistical, anomaly-based algorithms. There, the threshold between DR and FP rate is usually a real parameter of the model, surprisingly adherent to these observations.
> Obviously, the real world isn't as cut and dry as this example, but the principles are the same - find something unique to the attack, go for root cause, and get the context as specific as possible. You will maximize detection while minimizing false positives.
The "as possible" expresses the fact that you actually agree with me, even if you don't want to :) Please, read my post again: I explained how there is a break-even maximization point. BELOW that point, increasing the DR comes at almost no cost (in your example, at zero cost - but it's a simplified example, which does not capture the complexity of the network world). ABOVE that point you pay a price which gets higher and higher. It is a typical engineering problem to identify roughly that curve, and to correctly estimate this point, in order to MAXIMIZE detection rate without paying too much in terms of FP.

I am confident that I explained myself better now.

Regards,
Stefano Zanero
Current thread:
- Re: Network hardware IPS, (continued)
- Re: Network hardware IPS Darren Bolding (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 02)
- Re: Network hardware IPS Alvin Wong (Oct 02)
- Re: Network hardware IPS Ravi Kumar (Oct 06)
- RE: Network hardware IPS Ron Gula (Oct 02)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- Re: Network hardware IPS david maynor (Oct 07)
- Re: Network hardware IPS Gary Flynn (Oct 08)
- Re: Network hardware IPS Gary Flynn (Oct 06)
- RE: Network hardware IPS Dave Killion (Oct 07)
- Re: Network hardware IPS Stefano Zanero (Oct 07)
- RE: Network hardware IPS david maynor (Oct 08)
- RE: Network hardware IPS Dave Killion (Oct 07)
- Re: Network hardware IPS Stefano Zanero (Oct 07)
- Re: Network hardware IPS George W. Capehart (Oct 08)
- RE: Network hardware IPS Dave Killion (Oct 08)
- RE: Network hardware IPS Frank Knobbe (Oct 09)
- RE: Network hardware IPS Kohlenberg, Toby (Oct 09)
- RE: Network hardware IPS Dave Killion (Oct 09)
- Re: Network hardware IPS Stefano Zanero (Oct 14)
- RE: Network hardware IPS Augusto Quadros Paes de Barros (Oct 14)