IDS mailing list archives

Re: Network hardware IPS


From: "Stefano Zanero" <zanero () elet polimi it>
Date: Mon, 6 Oct 2003 22:32:41 +0200

> I hate Marketing spin as much as the next engineer, but with respect, I
> disagree here entirely.

Strange - your post actually illustrates, with examples, what I have said ;)
The only defect is that you consider just one, impossibly simple, attack.
The real world is totally different.

There is actually another defect. You think about network based, misuse
based IDSes: that is but a part of the IDS world. In my vision, the most
boring part, I might add :)

> False Positive reduction has nothing to do with Detection Rate.

It has _everything_ to do with Detection Rate. In the very moment in which
you define a "strict" signature, you will miss "similar" attacks.

You have attacks which are inherently polymorphic. A trade-off: do you risk
missing an attack which is slightly different from the standard form? Or do you
make your signature more generic, thus risking false positives? Your
choice.

You have attacks which can be spread over fragments: do you reconstruct them?
If so, how do you do so coherently? Do you look at packets or at sessions?
If the former, you will miss some things. If the latter, you still expose
yourself to insertion and evasion techniques. Your choices.

As you change these choices, you will see different shapes take form on that
ROC curve. Or, if you are less theoretically-minded, you will see a
different behavior in terms of detection rate and FP rate.

I don't even talk about statistical, anomaly based algorithms. There, the
threshold between DR and FP rate is usually a real parameter of the model,
surprisingly adherent to these observations.

> Obviously, the real world isn't as cut and dry as this example, but the
> principles are the same - find something unique to the attack, go for
> root cause, and get the context as specific as possible.  You will
> maximize detection while minimizing false positives.

The "as possible" expresses the fact that you actually agree with me, even
if you don't want to :)

Please, read my post again: I explained how there is a break-even
maximization point. BELOW that point, increasing the DR comes at almost no
cost (in your example, at zero cost - but it's a simplified example, which
does not make up for the complexity of the network world). ABOVE that point
you pay a price which gets higher and higher.

It is a typical problem of engineering to identify roughly that curve, and
to correctly estimate this point, in order to MAXIMIZE detection rate
without paying too much in terms of FP.

I am confident that I explained myself better now.

Regards,
Stefano Zanero
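The threshold sweep the post describes, where one model parameter moves and the detection rate (DR) and false-positive rate trace out points on a ROC curve with a break-even point, as an added illustration that is not part of the original message. The byte-level anomaly score and the request samples are constructed assumptions, chosen so that two benign samples overlap with the weakest attack variant.

```python
"""Threshold sweep on a simple anomaly score: each threshold yields one
(detection rate, false-positive rate) pair, i.e. one point on a ROC curve.
All payloads below are constructed for illustration."""
from typing import List, Tuple

Sample = Tuple[bytes, bool]  # (payload, is_attack)

# Constructed request lines. Attack samples carry NOP sleds / raw code bytes;
# two benign samples also contain non-text bytes (PNG header, UTF-8 symbol),
# which is what makes the DR/FP trade-off appear.
SAMPLES: List[Sample] = [
    (b"GET /cgi-bin/x " + b"\x90" * 20 + b"\xeb\x1f\x5e", True),
    (b"POST /a " + b"\xff" * 10, True),
    (b"GET /idx?" + b"\x90" * 4 + b"\xcc", True),      # shorter sled
    (b"GET /q=\x90\xccxyz", True),                      # heavily trimmed variant
    (b"GET /index.html HTTP/1.0", False),
    (b"GET /images/logo.png HTTP/1.1", False),
    (b"POST /upload \x89PNG\r\n\x1a\n", False),         # binary upload
    (b"GET /data?v=\xe2\x82\xac", False),               # UTF-8 text
]


def score(payload: bytes) -> float:
    """Anomaly score: share of bytes outside printable ASCII (0x20-0x7e)."""
    return sum(1 for b in payload if b < 0x20 or b > 0x7e) / len(payload)


def roc_points(samples: List[Sample]) -> List[Tuple[float, float, float]]:
    """(threshold, DR, FPR) for every distinct score, strictest first.
    A sample raises an alert when score(payload) >= threshold."""
    scored = [(score(p), attack) for p, attack in samples]
    positives = sum(1 for _, a in scored if a)
    negatives = len(scored) - positives
    points = []
    for t in sorted({s for s, _ in scored}, reverse=True):
        hits = sum(1 for s, a in scored if a and s >= t)
        false_alarms = sum(1 for s, a in scored if not a and s >= t)
        points.append((t, hits / positives, false_alarms / negatives))
    return points


def break_even(points: List[Tuple[float, float, float]]) -> Tuple[float, float, float]:
    """Point where DR minus FPR peaks: loosening further buys DR only at a
    rising FP cost, tightening further loses DR without reducing FPs."""
    return max(points, key=lambda p: (p[1] - p[2], p[1]))


if __name__ == "__main__":
    for t, dr, fpr in roc_points(SAMPLES):
        print(f"threshold {t:.3f}: DR {dr:.2f}  FPR {fpr:.2f}")
    print("break-even:", break_even(roc_points(SAMPLES)))
```

With these samples, the three thresholds above the break-even point raise DR from 0.25 to 0.75 at zero FP cost; the next two thresholds add only false positives, and the one that finally catches the trimmed variant does so at an FPR of 0.5.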
