IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Definition of Zero Day Protection

From: Stefano Zanero <zanero () elet polimi it>
Date: Tue, 10 Aug 2004 16:15:17 +0200
Drew Simonis wrote:


As mentioned, do we consider them working if, at 100% malicious detection,
they lump in 20% non-malicious false positive?
As usual, there is a trade off between false positives and detection rate, and _usually_ this trade off is such that you can grow up to, say, 80 or 90% of DR incurring in a small number of FP (say, 10%), and then all of a sudden you hit a "hard" barrier and in order to catch the remaining <little number> of attacks, you have to accept <a hell more> false positives.
So, the question is: what are these systems good for ? they are good for complementing misuse based, non-zero-day catching systems, so even a 20% detection rate would be "good", since it's 20% _more_ than what was previously done. We can thus stay in the "easy" area of the tradeoff between detection and false positives.
I'd also like to add, responding to other posts, that it is not necessarily true that anomaly detection on the networks means just detecting "one megabit per second of odd dns request". Anomaly detection CAN go as far as detecting a single anomalous packet. The fact that such systems are still in research phase and that you cannot buy them yet is another problem entirely, but they do exist. See my Black Hat presentation for hints about them. 

Regards,
Stefano

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: