IDS mailing list archives

Re: Anomaly Based Network IDS


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 23 Jun 2004 14:01:33 -0400

Drew Copley wrote:

> There are several chances to "find" zero day. This is not a semantical issue, at all. It is a very critical issue.
>
> If people are clutching to smoke and mirrors, they will find themselves in deep water when the ship is sinking. To continue with the analogy.
>
> <snip>
>
> You are right, there is some wild hope, and the technology is advancing. Heuristic type technology is surely not limited to the network, AV companies have been researching here for years... as is clearly shown with some patent searches.
>
> People should remember that while this technology has potential and even some real world usage, it is not a "different planet" removed from signature technology in the first place... there will always be a required "learned" data set from which to deal with "unknown data" so as to make a qualitative comparison... In one scenario, you have a more flexible situation, with end users training the system individually to their own network... in another, you have a more generic system with end researchers training the data in the form of writing signatures.

I think that we can boil this whole thing down to one very generalized point:

Those who know the lay of the land better, will have a better time defending it.

That applies to network traffic profiling, host intrusion detection, host engineering, network layout, and system sizing and design. The general rule being the more you know, the better off you are. But the problem with that is that there's so much to know that it's impossible to know enough and be able to analyze it by yourself.

Enter IDS/IPS systems.

No matter how many false positives you get, you're still processing less data than if you were to take a sniffer to the network and analyze one packet at a time by hand. In this way, both signature and anomaly based IDS systems have a place in the infrastructure. I think that the missing variable in this conversation regarding whether anomaly based IDS systems can detect 0-day attacks is a discussion of what type of attacks they are most likely to detect.

I regard anomaly based IDS systems as specialized network profiling. What you're looking for, in that case, is changes/anomalies in the traffic/protocol. If a 0-day drastically changes the nature of network traffic, then the anomaly based IDS *should* pick it up. Knowing this, and taking into account that most new exploits exist for some period of time in the "elite" corners of the black hat realm before ever reaching the skript kiddies, I'm going to go out on a limb and state that it's far less likely that a real 0-day will ever generate significantly abundant anomalies in the network traffic, in particular if it's designed well and if the attacker is careful about how they carry out their attack.

Consider this point to be exacerbated as anomaly based IDSes become more common and as black hats change their style in order to evade them.

What they would be very good at is picking up new worms and blind scanners - but that's a far cry from a 0-day, unless the attacker decides to use their 0-day on a worm - in which case they're wasting their "golden key".

Anomaly detection is just another tool that can be used to learn more about your network, no more, no less... and not a single one of those tools is magic, but they all have a use to those deploying them. Just make sure you know what you're deploying. In my experience, relying on marketing material works against that goal. :)

               -Barry
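A toy illustration of the point made in the message above about what a traffic profiler does and does not see, added here as an example; it is not code from the thread or from any product mentioned in it. It profiles per-source-host behaviour in one-minute windows (distinct destination hosts, distinct destination ports, flow count, bytes sent), learns a mean/standard-deviation baseline from constructed "normal" flow records, and then scores one window containing a constructed blind port scan and a constructed single oversized request that carries a hypothetical exploit inside otherwise ordinary traffic. The flow records, feature set, window size, z-score threshold and the standard-deviation floor are all assumptions made for the example.

```python
"""Toy anomaly-based network profiler (added example, not from the original thread)."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60          # seconds per profiling window (assumption)
Z_THRESHOLD = 3.0    # z-score above which a feature is flagged (assumption)
MIN_STDEV_ABS = 1.0  # floors so a perfectly constant training set does not
MIN_STDEV_REL = 0.1  # turn every one-unit deviation into an alert (assumption)

FEATURES = ("hosts", "ports", "flows", "bytes")


def window_features(flows, window=WINDOW):
    """Aggregate (ts, src, dst, dst_port, bytes) records into per-(src, window) features."""
    hosts, ports = defaultdict(set), defaultdict(set)
    count, total = defaultdict(int), defaultdict(int)
    for ts, src, dst, dport, nbytes in flows:
        key = (src, ts // window)
        hosts[key].add(dst)
        ports[key].add(dport)
        count[key] += 1
        total[key] += nbytes
    return {k: {"hosts": len(hosts[k]), "ports": len(ports[k]),
                "flows": count[k], "bytes": total[k]} for k in count}


def learn_baseline(flows):
    """Per-feature (mean, stdev) over every (src, window) cell in the training traffic."""
    cells = window_features(flows).values()
    baseline = {}
    for name in FEATURES:
        values = [c[name] for c in cells]
        m = mean(values)
        s = max(pstdev(values), MIN_STDEV_REL * m, MIN_STDEV_ABS)
        baseline[name] = (m, s)
    return baseline


def score(flows, baseline):
    """Return {(src, window): {feature: z}} for cells with any feature above threshold.

    Only upward deviations are flagged: a host sending *less* than usual is not
    what this profiler is looking for.
    """
    alerts = {}
    for key, feat in window_features(flows).items():
        high = {n: round((feat[n] - m) / s, 1) for n, (m, s) in baseline.items()
                if (feat[n] - m) / s > Z_THRESHOLD}
        if high:
            alerts[key] = high
    return alerts


def _normal_window(src, base_ts):
    """Five ordinary flows from one host in one window: two HTTPS, two DNS, one HTTP (constructed)."""
    return [
        (base_ts + 1,  src, "10.0.1.10", 443, 1500),
        (base_ts + 9,  src, "10.0.1.10", 443, 1500),
        (base_ts + 15, src, "10.0.1.53", 53, 120),
        (base_ts + 22, src, "10.0.1.53", 53, 120),
        (base_ts + 40, src, "10.0.1.20", 80, 2000),
    ]


# Training set: ten windows of normal traffic from three workstations (constructed).
TRAINING_FLOWS = [f for w in range(10)
                  for src in ("10.0.0.1", "10.0.0.2", "10.0.0.3")
                  for f in _normal_window(src, w * WINDOW)]

# Test window 100 (ts 6000..6059), constructed:
#  - a blind scanner walks 40 ports on one server (noisy, worm/scanner style)
#  - a careful attacker sends one oversized HTTP request inside otherwise normal traffic
SCAN_FLOWS = [(6000 + i, "10.0.0.9", "10.0.1.10", 1 + i, 60) for i in range(40)]
STEALTH_FLOWS = _normal_window("10.0.0.5", 6000)[:-1] + [
    (6040, "10.0.0.5", "10.0.1.20", 80, 2560)]   # hypothetical exploit request
TEST_FLOWS = SCAN_FLOWS + STEALTH_FLOWS


def run_demo():
    """Learn the baseline from TRAINING_FLOWS and score TEST_FLOWS; returns the alerts."""
    return score(TEST_FLOWS, learn_baseline(TRAINING_FLOWS))


if __name__ == "__main__":
    for (src, win), feats in run_demo().items():
        print(f"window {win} src {src}: anomalous {feats}")
```

Run as-is, the scanner's window is flagged on the distinct-port and flow-count features (z-scores in the thirties against a baseline of three ports and five flows), while the host carrying the single oversized request stays within about one standard deviation on every feature and produces no alert. That is the asymmetry the message describes: the profiler is good at noisy behaviour such as scanning, and blind to a quiet exploit that rides a connection the baseline already expects.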
