IDS mailing list archives
Re: Network hardware IPS
From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Fri, 10 Oct 2003 10:16:57 +0200
> I agree completely - I never implied I could always catch everything.
You could - providing that you accept a correspondingly high rate of false positives :)
> And as for the IDS-evasion paper comment, we've read it too, and done as much as possible to NOT be evaded.
Which means that you can still be evaded ;-) A total defense against evasion and insertion implies reconstructing the network topology and decoding it. By the way, it also implies knowing the behaviour of each TCP/IP stack on each host, in order to understand which packets get read and which get discarded. Sounds impossible? That's right.
> What I want to see is a new paper, less than 5 years old,
I will suggest then that you cease to study the RFCs that define IPv4 - they are a lot older than this! Seriously: as long as no one suggests a complete answer to that problem, I am going to raise it every time someone claims that you can get arbitrarily good DR without accepting FP. You simply cannot. And if you can - we would be glad to hear how :)
> And we're always looking to reduce false positives, while maximizing detection rates. Which is why I was so frustrated at Stefano for implying that the two values are inseparable.
You are implying it yourself, don't you see? If they were separable, you would try to annihilate false positives, AND to achieve a 100% detection rate. Instead, now you are correctly stating your problem as a maximization problem (operational research, anyone?) involving two variables that are strictly coupled.

Stefano Zanero
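Added example, not part of the thread or of any product discussed in it, illustrating the two points Zanero makes above: a sensor can only decide what a host will see if it knows how that host's TCP/IP stack reassembles overlapping segments, and, when it does not know, it has to choose between missing the attack and raising a false positive. The segments, the two overlap policies ("first" keeps the earlier data, "last" lets later data overwrite) and the signature string are constructed for illustration; real stacks apply more complicated rules, but two policies are enough to show the ambiguity.

```python
"""Overlapping TCP segment ambiguity: the same wire data reassembles to
different streams under different overlap policies, so an IDS and a host
that disagree on the policy disagree on whether an attack happened.

Constructed example; the policies are simplified stand-ins for real stacks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first byte
    data: bytes


POLICIES = ("first", "last")

# Constructed attack stream, in arrival order. The chaff segment arrives
# before the real payload at the same offset, so only a "last"-policy
# reassembler sees "/etc/passwd".
ATTACK_SEGMENTS = [
    Segment(0, b"GET /etc/p"),
    Segment(10, b"XXXXX"),          # chaff covering offsets 10..14
    Segment(10, b"asswd"),          # real payload, same offsets
    Segment(15, b" HTTP/1.0\r\n"),
]

SIGNATURE = b"/etc/passwd"          # hypothetical content signature


def reassemble(segments, policy):
    """Rebuild the byte stream from segments received in the given order.

    "first": a byte already received is kept; overlapping bytes arriving
             later are discarded.
    "last":  overlapping bytes arriving later overwrite earlier ones.
    Reassembly stops at the first hole, as a stack would when delivering
    in-order data to the application.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def ids_verdict(segments, ids_policy, host_policy):
    """Return (ids_alerts, host_actually_sees_attack)."""
    ids_view = reassemble(segments, ids_policy)
    host_view = reassemble(segments, host_policy)
    return SIGNATURE in ids_view, SIGNATURE in host_view


def classify_outcomes(segments):
    """Map every (IDS policy, host policy) pair to what the operator gets.

    The off-diagonal entries are the point: an IDS that guesses the host's
    policy wrong is either evaded or produces a false positive, and without
    per-host knowledge it cannot tell which.
    """
    labels = {
        (True, True): "detected",
        (False, True): "evaded",
        (True, False): "false positive",
        (False, False): "no attack seen by either",
    }
    return {
        (ids_p, host_p): labels[ids_verdict(segments, ids_p, host_p)]
        for ids_p in POLICIES
        for host_p in POLICIES
    }


if __name__ == "__main__":
    for pol in POLICIES:
        print(f"{pol:>5}: {reassemble(ATTACK_SEGMENTS, pol)!r}")
    for (ids_p, host_p), outcome in classify_outcomes(ATTACK_SEGMENTS).items():
        print(f"IDS={ids_p:<5} host={host_p:<5} -> {outcome}")
```

Running it shows that a sensor fixed on the "first" policy never alerts on this stream while a "last"-policy host executes the request, and that a sensor fixed on "last" alerts even when the target discards the payload. Tuning the sensor one way trades misses for false positives; only knowledge of each destination's actual reassembly behaviour removes the ambiguity, which is exactly the per-host information the message above calls impractical to obtain.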