IDS mailing list archives

Re: Open issues in intrusion management research?


From: "Webb Wang CS" <webb.wang () cybershieldnetworks com>
Date: Tue, 24 Feb 2004 16:23:00 -0500

Well, the trend in the area of ID/IM research is definitely moving from the
traditional ID methodology to broader intelligence gathering and risk
management.

But what is really bothering me is that this massive amount of data from all
of these security-related devices (such as firewalls, IDSes, etc.) and
non-security-related devices (such as syslog, router/switch access logs,
file server logs, etc.) presents a big challenge when doing correlation,
prioritization, risk ranking, and relevance calculation. One good example
showing such complexity and difficulty can be found at this link:
http://www.sdl.sri.com/papers/m/c/mcorrelator/mcorrelator.pdf.

And what bothers me even more is the fact that if the intelligence is
gathered based on the existing signature-matching mechanisms or the
existing protocol-anomaly analysis algorithms, then the huge amount of noise
introduced into this risk management framework will greatly impact the
overall accuracy and therefore the overall usefulness of such a
framework.

So, IMO, one of the key areas we need to focus on in the ID/IM research
arena is discovering new ways of gathering intelligence whose results are
trustworthy, so that the verdict coming out of the risk management framework
can be depended on for further business actions.

One of the new ways, which I am a true believer in, is utilizing
deception or honeypot technology to help elevate the accuracy level in
identifying risks. This technology not only promises us the highest level of
accuracy, but also gives us a lot of proactive choices as far as dealing
with the attacks we face.

Best Regards,

webb

Hi,

I'm currently trying to identify open issues in the area of ID/IM research.
I'm not so much interested in basic IDS research that focuses on topics such
as performance issues or analysis techniques of "traditional" standalone
IDSs, but more in combining IDSs with other IDSs or security technologies
and using additional information about the systems to be protected to
enhance their usefulness.

Looking at commercial products (they are usually called something like
"intelligent intrusion management systems"), most of them correlate events
generated by IDSs with those from firewalls, virus scanners and the like,
display the results on centralised management consoles, and claim to be
easily manageable while keeping the false positives very low. In addition,
some products make use of information about the hosts/network, using e.g.
vulnerability scanners, to further optimise the results. Briefly, looking at
product descriptions, one could think that these systems work very well and
the typical problems of traditional IDSs (false positives, manageability,
scalability) are solved.

On the other hand, if I look at the proceedings of recent conferences and
workshops that include sessions about ID, it seems that all of the promises
made by the vendors of commercial products are also (still) active areas of
research, but the papers usually do not refer to these commercial products
at all. As a result, I'm quite confused about how good the commercial
products really are today, and what (if any) the really significant problems
-- with regard to the collaboration of different security technologies --
are.

Any information, or pointers to such information, that could help to resolve
my confusion would be highly appreciated.

And a final question: currently, intrusion management is usually decoupled
from the actual business process/workflow. One promising research area could
be trying to integrate these areas better. I haven't found anything on the
Web that reports about attempts to do so; are any of you aware of such
activities?

Thanks,

Marc
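As an added illustration of the problem both messages above circle around (bare signature alerts being noisy, firewall and vulnerability-scanner context being used to decide which alerts matter, and a deception host giving a verdict that does not depend on a signature being right), here is a small Python correlator. It is not code from either poster, from the M-Correlator paper, or from any product; every host, service, signature name, weight and log line in it is constructed sample data, and the scoring factors are assumptions chosen for illustration.

```python
"""Toy event correlation and relevance ranking.

Added illustration for the thread above; not code from the posters, from
SRI's M-Correlator paper, or from any product. All hosts, services,
signature names, weights and log lines are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    """What we know about a protected host (inventory plus vuln scanner)."""
    ip: str
    criticality: float                    # 0..1 business value (assumed inventory field)
    services: dict                        # port -> service name seen by the scanner
    confirmed_vulns: set = field(default_factory=set)  # signature names the scanner confirmed
    honeypot: bool = False                # deception host: no legitimate traffic expected


@dataclass
class Event:
    source: str                           # "ids", "firewall" or "syslog"
    src: str
    dst: str
    dport: int
    sig: str
    needs_service: Optional[str]          # service the signature can only affect; None = any


# Constructed inventory and scanner output
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", 0.9, {80: "http", 22: "ssh"}, {"http-overflow-sig"}),
    "10.0.0.7": Asset("10.0.0.7", 0.4, {25: "smtp"}),
    "10.0.0.99": Asset("10.0.0.99", 0.1, {80: "http"}, honeypot=True),
}

# Constructed firewall policy: (dst, dport) pairs the firewall drops
FW_DENIED = {("10.0.0.7", 80)}

# Constructed events, pipe-delimited: source|src|dst|dport|signature|needs_service
SAMPLE_EVENTS = """\
ids|198.51.100.8|10.0.0.5|80|http-overflow-sig|http
ids|192.0.2.10|10.0.0.7|80|http-overflow-sig|http
firewall|192.0.2.10|10.0.0.99|80|connect|-
syslog|203.0.113.4|10.0.0.5|22|ssh-bruteforce|ssh
"""


def parse_events(text: str) -> list:
    """Parse the constructed pipe-delimited format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6 or not parts[3].isdigit():
            continue
        source, src, dst, dport, sig, needs = parts
        events.append(Event(source, src, dst, int(dport), sig,
                            None if needs == "-" else needs))
    return events


def relevance(ev: Event, assets: dict, fw_denied: set) -> tuple:
    """Score one event in 0..1 against target knowledge; return (score, reasons)."""
    asset = assets.get(ev.dst)
    if asset is None:
        return 0.05, "target not in inventory"
    if asset.honeypot:
        # Deception host: any contact is suspicious by construction, so the
        # verdict does not depend on a signature or anomaly model being right.
        return 1.0, "honeypot contacted"
    score, reasons = 1.0, []
    if (ev.dst, ev.dport) in fw_denied:
        score *= 0.1                      # assumed weight: the flow never reached the host
        reasons.append("firewall dropped the flow")
    if ev.needs_service and asset.services.get(ev.dport) != ev.needs_service:
        score *= 0.1                      # assumed weight: exploit aimed at an absent service
        reasons.append("target does not run the affected service")
    if ev.sig in asset.confirmed_vulns:
        reasons.append("scanner confirms the vulnerability")
    else:
        score *= 0.3                      # assumed weight: unverified signature hit
        reasons.append("no confirming scanner finding")
    return round(score * asset.criticality, 3), "; ".join(reasons)


def rank_sources(events: list, assets: dict, fw_denied: set) -> list:
    """Correlate by attacker address: sum relevance per source, highest first."""
    totals = defaultdict(float)
    for ev in events:
        score, _ = relevance(ev, assets, fw_denied)
        totals[ev.src] += score
    return sorted(((src, round(t, 3)) for src, t in totals.items()),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for src, total in rank_sources(parse_events(SAMPLE_EVENTS), ASSETS, FW_DENIED):
        print(f"{src:15s} {total:.3f}")
```

Running it ranks the source that touched the honeypot first even though its other alert (an HTTP exploit signature fired at a mail host behind a firewall deny) scores near zero, the confirmed-vulnerable production web server second, and the unverified SSH brute-force attempt last. The weights are arbitrary; the point is that each factor is a check against independent data (firewall policy, service inventory, scanner findings, a deception host) rather than a tweak to the signature itself.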
