RE: How do behavioral/anomaly detection systems learn?

["Sasha Romanosky" <sasha_romanosky () yahoo com>]

Thanks to everyone who responded. 

David, 

You raise a very interesting attack against these systems, that of some
one "teaching" the system bad habits. Any idea what sort of conditions
might exist to facilitate this, or how one might go about it?

Recently, I was listening to a talk on email spam prevention. The system
used bayesian filtering to score and discard spam. Users of the system,
upon receiving a spam email, could forward it to an internal email
account where a script was run that added the email to the spam filter.
This works great until "Bob" decides he never wants to see another email
from his boss and forwards that to the spam account. Now, auditing and
honesty may prevent this in real life, but the threat -- and
vulnerabiltiy, remain. 

Any thoughts on what sort of countermeasures could be used to prevent
this in a behavioral IDS or application firewall? That is, how you would
go about preventing some one from retraining it?

Cheers,
Sasha

> -----Original Message-----
> From: david maynor [mailto:david.maynor () oit gatech edu] 
> Sent: Thursday, February 05, 2004 6:44 AM
> To: Sasha Romanosky
> Cc: focus-ids () securityfocus com
> Subject: Re: How do behavioral/anomaly detection systems learn?
>
>
> Depending on the system it can widely vary. Most of these 
> system create a baseline of network traffic and flag on 
> behavior that widely varies from the baseline. This is not 
> the only method, many systems include protocol analysis and 
> rfc compliance. An example of protocol analysis is checking 
> for encrypted tunnels over port 80 by the amount of traffic 
> transfered with out valid HTTP traffic. 
>
> Your question is more about how they learn. There are two 
> answers to this and neither of them are pretty. One is 
> manual. This means after a certain number of false positives 
> (like a user running an application that was present during 
> the baseline) you would add the traffic pattern to the 
> profile by hand. As everyone knows this is not effective for 
> anything larger than a class C. The second way is through an 
> automated process where a threshold and a time value are set 
> and after a certain amount of time the abnormal traffic 
> behavior becomes part of the offending hosts profile. This 
> means in the future similar traffic will not cause and alarm. 
> There are some provisions in the systems to alert on know bad 
> traffic patterns like fileswapping but you the effectiveness 
> of the device is limited at this point. 
>
> There are attacks you can do against such a system like a 
> "low slow" attack where someone could do whatever they as 
> long as it is rate limited. Another example is someone who 
> spends the time to "teach" the system bad habits. 
>
> Simple thing like this are why such systems should be used in 
> conjunction with signature based systems. The ideal product 
> would have a hybrid of both. 


---------------------------------------------------------------------------
---------------------------------------------------------------------------