IDS mailing list archives

RE: NIPS Vendors explicit answer


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 8 Apr 2004 11:55:11 -0700

I'm interested in hearing the responses to this as well but wanted
to point out one issue in your initial paragraph. See inline comments.

toby 

-----Original Message-----
From: christian graf [mailto:chr.graf () gmx de] 
Sent: Wednesday, April 07, 2004 7:07 AM
To: focus-ids
Subject: NIPS Vendors explicit answer

Hi all,

there are many "imaginable" ways for a NIPS to detect traffic which
should be blocked: pattern-based, data-mining methods (to even guess into
encrypted traffic - see http://www.phrack.org/show.php?p=61&a=9 ),
RFC-anomaly, protocol-based anomaly (layer 4 flows, new listening
services, new protocols, ...), statistical methods, ... Those methods will
most likely be combined with neuronal-networks, back-propagation-networks,
state-machines and at least with some voodoo called heuristic.

Actually, this is one of the key issues for something that is claiming
to do "intrusion prevention" and not just doing inline IDS. To do
"intrusion prevention" via network traffic, you can't have decisions
that are made after the connection is done. In fact for the most part
the decisions must be made as quickly as possible. That removes
data-mining as an option; it also potentially removes the more complex
methods you mention like neural networks (though there are so many things
that could mean that debating it doesn't do much good). Traffic analysis
is equally problematic (especially if you want any sort of accuracy).

toby

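The timing point Toby makes above can be shown in code. The following is an added illustration, not code from the thread or from any vendor: a tiny simulated inline path runs a constructed four-packet flow through two detection methods. The pattern-based check (with two constructed sample signatures) can return a verdict on the packet that matches, so later packets are never forwarded; the flow-statistics check (a made-up non-printable-byte ratio, threshold 0.5) only has a verdict when the connection closes, by which time every earlier packet has already gone through. Packet contents, signatures and threshold are all assumptions for the example.

```python
"""Inline decision timing: per-packet verdict vs. end-of-flow verdict.
Added example; all packets, signatures and the 0.5 threshold are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    flow_id: str
    payload: bytes
    fin: bool = False  # True on the last packet of the connection


# --- Method 1: pattern-based, decided on the packet at hand ---------------
# Constructed sample signatures (not real vendor content).
PATTERNS = [b"/etc/passwd", b"cmd.exe"]


def pattern_verdict(pkt: Packet) -> Optional[str]:
    """Return 'drop' as soon as a single packet matches a signature."""
    for sig in PATTERNS:
        if sig in pkt.payload:
            return "drop"
    return None  # no decision yet; packet may be forwarded


# --- Method 2: flow statistics, decided only when the flow ends -----------
@dataclass
class FlowStats:
    bytes_seen: int = 0
    nonprintable: int = 0


def flow_verdict(stats: FlowStats, pkt: Packet) -> Optional[str]:
    """Accumulate per-flow statistics; a verdict exists only at FIN."""
    stats.bytes_seen += len(pkt.payload)
    stats.nonprintable += sum(1 for b in pkt.payload if b < 0x20 or b > 0x7E)
    if not pkt.fin:
        return None  # connection not done: nothing to decide on yet
    ratio = stats.nonprintable / max(stats.bytes_seen, 1)
    return "alert" if ratio > 0.5 else "allow"  # assumed threshold


def run_inline(packets: List[Packet], method: str) -> Tuple[str, int, int]:
    """Forward packets one by one until the chosen method returns a verdict.

    Returns (verdict, packets_forwarded, bytes_forwarded) so the caller can
    see how much of the flow had already passed when the decision was made.
    """
    forwarded = 0
    fwd_bytes = 0
    stats = FlowStats()
    for pkt in packets:
        verdict = pattern_verdict(pkt) if method == "pattern" else flow_verdict(stats, pkt)
        if verdict is not None:
            return verdict, forwarded, fwd_bytes
        forwarded += 1
        fwd_bytes += len(pkt.payload)
    return "allow", forwarded, fwd_bytes


# Constructed sample flow: a benign request, a request containing a
# signature, a block of binary data, and a closing packet.
SAMPLE_FLOW = [
    Packet("c1", b"GET /index.html HTTP/1.0\r\n"),
    Packet("c1", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("c1", bytes(range(256))),
    Packet("c1", b"\x00\x01\x02\x03", fin=True),
]


def total_bytes(packets: List[Packet]) -> int:
    return sum(len(p.payload) for p in packets)


if __name__ == "__main__":
    for m in ("pattern", "flow"):
        v, n, b = run_inline(SAMPLE_FLOW, m)
        print(f"{m:8s}: verdict={v!r} after {n} packets / {b} of "
              f"{total_bytes(SAMPLE_FLOW)} bytes already forwarded")
```

Running it shows the pattern check stopping the flow after one forwarded packet, while the flow-statistics check reaches its verdict only on the closing packet, with everything before it already forwarded. That is the difference between a method usable for prevention inline and one that, at that point, can only alert.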