IDS mailing list archives

Re: Anomaly Based Network IDS


From: Thiago dos Santos Guzella <thiagoguzella () yahoo com br>
Date: Sun, 27 Jun 2004 14:31:26 -0300

Do you have any results available for discussion?
I am taking part in a similar project (artificial immune systems), and it would
be interesting to see what you have...

On Thu 24 Jun 2004 13:14, Bharat Bhushan wrote:
Is anyone using a Genetic Algorithm based IDS? I developed an IDS for my
masters degree that was based on an Immunogenetic approach, i.e. replicating
the human immune system to detect anomalies in network traffic data using a
Genetic Algorithm. The results weren't too bad. I am happy to discuss my
project in detail if anyone is interested.

I am wondering if there are any 'real' products out there that use GA.


Regards,

- Bharat.

From: Ramoni <ramoni () databras com br>
To: focus-ids () securityfocus com
Subject: Re: Anomaly Based Network IDS
Date: Wed, 23 Jun 2004 17:31:15 -0300

In fact, anomaly based IDSs are like rule based ones...
they just create their own rules of "NORMAL" (instead of attack) rules
dynamically.

Anomaly based ones fall much more into the false positives and negatives
problems.

IMHO of course.

On Tuesday 22 June 2004 18:32, Wozny, Scott (US - New York) wrote:
Semantics aside, I find the smoke and mirrors aspect of this technology
fascinating.  The bottom line is this.  The heart of anomaly based IDS
is to tell you that your network traffic patterns (from what you're
feeding the device) are noticeably different today than they were
yesterday (or an hour ago or 5 minutes ago or whatever).  While this is
an interesting value proposition it's an addition to, not a replacement
for, classical signature based IDS (or IPS if you're brave) that those
in the trenches rely upon every day to tell them who is knocking at
their doors and who brought in an infected laptop from home that's
raising hell on the intranet.  If an exploit is released for a
vulnerability that isn't known in the security community (specifically
the signature-based vendors) yet then anomaly based IDS does have a
real opportunity to be your first warning that something is amiss.  But
keep in mind that YOU need to tell it how sensitive to be to change and
YOU need to tell it how loud to yell when it sees something it finds
odd and YOU are going to need to baby-sit it.

My 2 cents,

Scott
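The mechanism Scott describes above (today's traffic compared against a learned "yesterday", with the operator choosing how sensitive the comparison is and how loud the alarm should be) and Ramoni's point that such systems build their own rules of "NORMAL" can both be seen in a few dozen lines. The following is an added illustration for this thread, not code from any poster, from Lancope, or from any product discussed here. The per-interval counters (`new_flows`, `dst_ports`, `bytes_out`) are constructed sample values, not captured traffic, and the z-score threshold is a stand-in for whatever sensitivity knob a real product exposes.

```python
"""Baseline-deviation anomaly detector over per-interval traffic counters.

Added illustration for this thread (not code from any poster or vendor).
Inputs are CONSTRUCTED counters, not captured traffic.
"""
import math
from typing import Dict, List, Tuple

Bin = Dict[str, float]                     # one interval's aggregate counters
Profile = Dict[str, Tuple[float, float]]   # feature -> (mean, std) learned as "normal"

# Constructed "yesterday" baseline: eight 5-minute bins of quiet traffic.
BASELINE: List[Bin] = [
    {"new_flows": 100, "dst_ports": 10, "bytes_out": 1000},
    {"new_flows": 110, "dst_ports": 12, "bytes_out": 1100},
    {"new_flows": 90,  "dst_ports": 8,  "bytes_out": 900},
    {"new_flows": 105, "dst_ports": 11, "bytes_out": 1050},
    {"new_flows": 95,  "dst_ports": 9,  "bytes_out": 950},
    {"new_flows": 100, "dst_ports": 10, "bytes_out": 1000},
    {"new_flows": 110, "dst_ports": 12, "bytes_out": 1100},
    {"new_flows": 90,  "dst_ports": 8,  "bytes_out": 900},
]

# Constructed "today": an ordinary bin, a modest bump, and a bin whose flow
# and distinct-port counts jump the way a host sweeping the subnet would look.
CURRENT: List[Bin] = [
    {"new_flows": 105, "dst_ports": 11, "bytes_out": 1020},
    {"new_flows": 130, "dst_ports": 13, "bytes_out": 1000},
    {"new_flows": 400, "dst_ports": 40, "bytes_out": 1010},
]


def build_profile(bins: List[Bin]) -> Profile:
    """Learn the 'NORMAL' rules: per-feature mean and population std dev."""
    profile: Profile = {}
    for feature in bins[0]:
        values = [b[feature] for b in bins]
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        std = math.sqrt(var)
        if std == 0.0:
            std = 1.0  # constant feature in the baseline: avoid divide-by-zero
        profile[feature] = (mean, std)
    return profile


def score_bin(profile: Profile, b: Bin) -> Dict[str, float]:
    """Absolute z-score per feature; a drop is as suspicious as a spike."""
    return {f: abs(b[f] - mean) / std for f, (mean, std) in profile.items()}


def detect(profile: Profile, bins: List[Bin], sensitivity: float
           ) -> List[Tuple[int, str, float, str]]:
    """Return (bin_index, feature, z, severity) for every deviation at or
    above `sensitivity` std devs; twice that is reported as 'critical'.
    `sensitivity` is the operator-chosen knob: lower means more alerts."""
    alerts = []
    for i, b in enumerate(bins):
        for feature, z in score_bin(profile, b).items():
            if z >= 2 * sensitivity:
                alerts.append((i, feature, z, "critical"))
            elif z >= sensitivity:
                alerts.append((i, feature, z, "warn"))
    return alerts


def alert_volume(profile: Profile, bins: List[Bin],
                 thresholds: List[float]) -> Dict[float, int]:
    """How many alerts each sensitivity setting would have raised."""
    return {t: len(detect(profile, bins, t)) for t in thresholds}


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for feature, (mean, std) in prof.items():
        print(f"{feature:>10}: mean={mean:8.1f} std={std:6.1f}")
    for i, feature, z, sev in detect(prof, CURRENT, sensitivity=3.0):
        print(f"bin {i}: {feature} z={z:.1f} -> {sev}")
    print("alerts by sensitivity:", alert_volume(prof, CURRENT, [2.0, 3.0, 5.0]))
```

Run as a script it prints the learned profile, the alerts at a threshold of 3 standard deviations (the second bin's flow bump is only a warning; the scan-like third bin is critical on two features), and the alert count at thresholds 2, 3 and 5. That last line is the trade-off the thread keeps returning to: dropping the threshold from 3 to 2 turns the modest bump into a critical alert and adds a warning on a feature that was within noise, while raising it to 5 silences the bump entirely. The baseline itself is a single static window here; a deployment would re-learn it on a rolling basis, which is exactly the baby-sitting the post warns about, since a slow attacker or a changing network both shift what "normal" means.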

-----Original Message-----
From: Drew Copley [mailto:dcopley () eEye com]
Sent: Tuesday, June 22, 2004 2:18 PM
To: Aaron Jordan; focus-ids () securityfocus com; secdistlist () dauncey net
Subject: RE: Anomaly Based Network IDS

-----Original Message-----
From: Aaron Jordan [mailto:aaronj0rdan23 () hotmail com]
Sent: Friday, June 18, 2004 2:14 PM
To: focus-ids () securityfocus com; secdistlist () dauncey net
Subject: Re: Anomaly Based Network IDS

My company uses Lancope's StealthWatch for anomaly based network IDS.  We
are quite pleased with its ability to detect zero-day undocumented attacks
on our network.

Guys, as a "bugfinder", I have to tell you this... this vendor
is misleading you in regards to "zero day".

From their site, the first bullet point they have up?

"Defeat Zero-Day Attacks"

That is extremely misleading.

Here's an unbiased article:
Crying wolf: False alarms hide attacks
http://www.nwfusion.com/techinsider/2002/0624security1.html

But, that guy was not even trying to address a claim like
"defeat zero day attacks". This crafty claim... for one
thing, it is extremely unlikely they have ever even found
one single zero day attack.

[Unless they count putting in bugs in their own products,
then "finding" it.]

"Zero Day" attacks... "zero day" means a newly discovered
security vulnerability not yet shown to the public. It is
impossible to know what it may be. Anyone that has spent much
time looking at past security bugs knows they could be anything.

"Day One" attacks would involve security vulnerabilities just
released to the public. It used to be something like "Day Forty"
or so that an unknown vulnerability would become a worm. No one
uses this terminology, exactly, and today the time from bug
release to attacks is extremely non-static.

Very rarely unfixed bugs which have been disclosed through Full
Disclosure have been called - with some right - "zero day".

The number of actual "zero day" that anyone is actually familiar
with is extremely small. A webdav issue in IIS was being used
against Navy servers early last year. This year a spyware distributor
just of late obviously bought some zero day and has been
using it. That is about it.

Obviously, it is very likely that there is some zero day "floating
around"... in fact, every single bug finder that posts to Bugtraq
or Full Disclosure or NTBugtraq has "zero day".

Because that is what their bugs are before they disclose them to
anyone.


There is a trend, there are more bugfinders today than there were
yesterday... but when I say "bugfinders" I do not mean "everyday QA".
There are hundreds, not thousands. And when I say "hundreds", I include
those that do not have much experience and whose skills are
lacking -- but they have potential.

People can be trained to find security vulnerabilities. An
accomplished assembly language programmer could easily break into
the world of cracking and hacking and learn his way around after
a few years. Very ambitious individuals could learn their way
around. But, the field is well hidden from public view -- the
"script kiddy" is the glamorous hacker of media fame... and even
when one does understand this is the "core", one is a long way
from spending endless nights trying to find a high quality security
bug which has been missed by teams of QA and devel working for
years.

These things said... someone with a "zero day" attack has an
unknown attack. A "golden key" to the systems, I like to say. There
are possibilities to find large classes of "zero day" attacks. We
do this in SecureIIS and have instituted the same functionality
in our upcoming Blink. We have had a lot of "zero day" with which
to test and design and develop these products.

Rule based API guards can do a lot to protect against true
zero day attacks. Class based protection schemes can do a lot
against true zero day attacks. More importantly, these schemes
can help secure systems against new variants of known vulnerabilities
including every manner of virus or trojan... which is the most
common type of attack, and therefore, the most plausible.

It is true the real "nightmare scenarios" of computer security
do involve zero day. There are likely some nightmare scenarios
of this caliber going on right now. I know I am aware of some over
the years. But, these scenarios almost always involve extremely
important "target" systems such as military, diplomatic, primary
routing systems, or extremely sensitive corporate systems.

A very likely scenario, however, is a zero day worm which is
wildly propagated in the next few years... one made by individuals
who really want to destroy systems, like the Witty Worm of late.

But, this does not remove the fact that you need to be up on
everyday attacks which do not utilize "zero day".

Merely writing a new trojan or doing a "new hacking attack" is
a far cry from the true and generalized definition of the term
"zero day". If marketers are trying to pass off such definitions
as accurate, they are being highly deceptive.

We're easily able to see into our network to examine what is actually
happening on it versus what should be happening on it.

We evaluated a few of the other products in this space and decided on this
one since it was the easiest to use.

--my $.02

AJ
"802.3"


-- 
Thiago dos Santos Guzella
Linux User #354160
UIN 13465286

"Software is like sex: it's better when it's free." Linus Torvalds 
