IDS mailing list archives
Re: Open issues in intrusion management research?
From: "Webb Wang CS" <webb.wang () cybershieldnetworks com>
Date: Tue, 24 Feb 2004 16:23:00 -0500
Well, the trend in the area of ID/IM research is definitely moving from the traditional ID methodology to the more broad intelligence gathering and risk management. But what is really bothering me is that this massive amount of data from all of these security related devices (such as firewalls, IDSes, etc.) and non-security related devices (such as syslog, router/switch access logs, file server logs, etc.) presents a big challenge when doing correlation, prioritization, risk ranking, and relevance calculation. One good example showing such complexity and difficulty can be found at this link: http://www.sdl.sri.com/papers/m/c/mcorrelator/mcorrelator.pdf.

And what's even more bothering me is the fact that if the intelligence is gathered based on the existing signature matching based mechanism or existing protocol anomaly analysis algorithm, then the huge amount of noise introduced into this risk management framework will greatly impact the overall accuracy and therefore impact the overall usefulness of such a framework. So, IMO, one of the key areas we need to focus on in the ID/IM research arena is to discover new ways of gathering intelligence whose results are trustworthy, so that the verdict coming out of the risk management framework can be depended on for further business actions.

One of the new ways, which I am a true believer in, is to utilize deception or honeypot technology to help elevate the accuracy level in identifying risks. This technology not only promises us the highest level of accuracy, but also gives us a lot of proactive choices as far as dealing with the attacks we are facing.

Best Regards,
webb

Hi,

I'm currently trying to identify open issues in the area of ID/IM research. I'm not so much interested in basic IDS research that focuses on topics such as performance issues or analysis techniques of "traditional" standalone IDSs, but more in combining IDSs with other IDSs or security technologies and using additional information about the systems to be protected to enhance their usefulness.

Looking at commercial products (they are usually called something like "intelligent intrusion management systems"), most of them correlate events generated by IDSs with those from firewalls, virus scanners and the like, display the results on centralised management consoles, and claim to be easily manageable while keeping the false positives very low. In addition, some products make use of information about the hosts/network, using e.g. vulnerability scanners, to further optimise the results. Briefly, looking at product descriptions, one could think that these systems work very well and the typical problems of traditional IDSs (false positives, manageability, scalability) are solved.

On the other hand, if I look at the proceedings of recent conferences and workshops that include sessions about ID, it seems that all of the promises made by the vendors of commercial products are also (still) active areas of research, but the papers usually do not refer to these commercial products at all. As a result, I'm quite confused about how good the commercial products really are today, and what (if any) the really significant problems -- with regard to the collaboration of different security technologies -- are. Any information, or pointers to such information, that could help to resolve my confusion would be highly appreciated.

And a final question: currently, intrusion management is usually decoupled from the actual business process/workflow. One promising research area could be trying to integrate these areas better. I haven't found anything on the Web that reports about attempts to do so; is any of you aware of such activities?

Thanks,
Marc
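The relevance calculation and cross-device correlation both posts talk about (IDS alerts weighed against vulnerability-scanner knowledge of the target, and against firewall logs) can be sketched in a few lines. This is an added illustration, not code from either poster or from the M-Correlator paper; the sensor names, asset inventory, "VULN-*" labels and the 0/0.3/0.5/1.0 weights are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    sensor: str         # device that raised it (constructed sensor name)
    src: str
    dst: str
    signature: str
    needs_service: str  # service the matched signature's exploit targets
    needs_vuln: str = ""  # constructed vulnerability label, if the signature implies one

# Constructed asset inventory, in the shape a vulnerability scanner would report.
ASSETS = {
    "10.0.0.5": {"services": {"http"}, "vulns": {"VULN-HTTP-1"}, "criticality": 3},
    "10.0.0.9": {"services": {"ssh"}, "vulns": {"VULN-SSH-1"}, "criticality": 5},
}

def relevance(alert, assets):
    """Weight a signature match by whether the target can actually be affected (0..1)."""
    host = assets.get(alert.dst)
    if host is None:
        return 0.5   # unscanned host: unknown, keep at medium weight
    if alert.needs_service not in host["services"]:
        return 0.0   # service absent: the match is signature noise
    if alert.needs_vuln and alert.needs_vuln not in host["vulns"]:
        return 0.3   # service present but not the vulnerable version
    return 1.0       # target runs the vulnerable service

def rank_alerts(alerts, assets, fw_events):
    """Priority = relevance x asset criticality; flows the firewall dropped score 0."""
    dropped = {(src, dst) for src, dst, action in fw_events if action == "DROP"}
    ranked = []
    for a in alerts:
        rel = 0.0 if (a.src, a.dst) in dropped else relevance(a, assets)
        crit = assets.get(a.dst, {}).get("criticality", 3)  # default for unknown hosts
        ranked.append((round(rel * crit, 2), a.signature, a.dst))
    return sorted(ranked, reverse=True)

# Constructed sample input: five IDS alerts and two firewall log events (src, dst, action).
ALERTS = [
    Alert("ids1", "198.51.100.7", "10.0.0.9", "IIS-UNICODE", "http"),
    Alert("ids1", "198.51.100.7", "10.0.0.9", "SSH-OVERFLOW", "ssh", "VULN-SSH-1"),
    Alert("ids1", "198.51.100.8", "10.0.0.5", "HTTP-CGI", "http", "VULN-HTTP-2"),
    Alert("ids2", "198.51.100.8", "10.0.0.7", "HTTP-CGI", "http", "VULN-HTTP-2"),
    Alert("ids2", "198.51.100.9", "10.0.0.5", "HTTP-CGI", "http", "VULN-HTTP-1"),
]
FW_EVENTS = [("198.51.100.9", "10.0.0.5", "DROP"), ("198.51.100.7", "10.0.0.9", "ACCEPT")]

for score, sig, dst in rank_alerts(ALERTS, ASSETS, FW_EVENTS):
    print(f"{score:5.2f}  {sig:13s} -> {dst}")
```

Two of the five alerts score zero (a Windows-only signature against an ssh-only host, and a flow the firewall already dropped), which is the kind of signature noise Webb describes; the scanner-confirmed vulnerable service on the most critical host comes out on top.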
Current thread:
- Open issues in intrusion management research? Marc Rennhard (Feb 24)
- <Possible follow-ups>
- Re: Open issues in intrusion management research? Webb Wang CS (Feb 25)