IDS mailing list archives
RE: Suggestions
From: "Drew Copley" <dcopley () eeye com>
Date: Tue, 1 Jun 2004 13:34:08 -0700
-----Original Message-----
From: Rishikesh Pande [mailto:rpande () vt edu]
Sent: Saturday, May 29, 2004 7:16 AM
To: Clint Bodungen
Cc: Thiago dos Santos Guzella; focus-ids () securityfocus com
Subject: Re: Suggestions

You may want to look at some of the research done by Matthew Williamson at HP Labs. They introduced the concept of virus throttling, which does not involve any AI logic but still is *proven* to be effective for known and unknown threats.
He has some very interesting papers, thanks for the link.

http://www.hpl.hp.com/techreports/2002/HPL-2002-172.html

Quote: "This paper presents an approach to restricting this high speed propagation automatically. The approach is based on the observation that during virus propagation, an infected machine will connect to as many different machines as fast as possible. An uninfected machine has a different behaviour: connections are made at a lower rate, and are locally correlated (repeat connections to recently accessed machines are likely)."

We utilized exactly this detection system, with api detection features, in our local honeypot kits. Never read his papers before, it is just obvious. It is smart and it works.

It doesn't use AI, you are correct, one could say. One could also say otherwise, depending on one's definition of "AI".

Of course, his throttling and his detection of virus activity are really two entirely different things, though.

http://www.hpl.hp.com/personal/Matthew_Williamson/publications.htm

Throttling seems to be how he handles virii, or more specifically, worms, whereas he detects them from their spreading mechanism. (I have always been against the grain and felt that slow, stealthy worms are far more dangerous than fast, "warhol" type of worms, personally.)

This is just for worm behavior, it might be noted. It is a bit like port detection for trojans. Such a model might be adapted to PE infecting worms, though at that stage you would probably be needing to do some api hooking for detection, anyway. It is effective because of the frequency of attacks of the same old worms and because they all are in such a hurry to propagate wildly.
Of course, there are ways of flying under the radar, but then the effectiveness of the worm will decrease.
I have always disagreed with mainstream thought that visible worms are the most dangerous. I understand their appeal. Historically, stealth and destruction tend to go together. Genghis Khan was able to destroy some pretty cities because of stealth and misdirection. The end product may have appeared all "shock and awe", but that was only possible because of stealth. Fundamentally, stealth and destruction go together... so it should be considered an inevitable - if not always actual - component of protection.
Though I personally like the concept of A.I. being used for intrusion prediction, I have not seen a good prediction logic yet. Though it may simply be the task of putting it all together and coming up with a better system by simply borrowing from several different ideas.

Rishi

On May 27, 2004, at 6:33 PM, Clint Bodungen wrote:

I'm involved in the same sort of project and we're using the idea of a product from Q1 Labs called QRadar (www.q1labs.com) as our foundation and expanding upon it. It uses network behavioral/anomaly analysis to determine whether or not an attack or worm propagation is imminent. Unfortunately, it stops short because it focuses mainly on network traffic trends and only has limited packet analysis. One has to be able to monitor both network statistics as well as complete packets and TCP sessions. The problem with this is that it becomes a resource nightmare if you intend to track a large amount of TCP sessions for a lengthy amount of time. A true Hybrid solution would work best because you must have a way to determine whether or not the anomaly is a known or unknown threat. Obviously, the known threats will be identified by a signature. Once a signature matches it can be discarded and save resources. Analyzing the new, unknown anomaly is where the AI kicks in. When it detects an anomaly and starts analysis it has to determine whether it is in fact malicious activity or something like standard network performance issues. That in itself would almost have to be somewhat signature based on the backend somewhere in the AI algorithms wouldn't it? Another aspect we are looking at is how to develop the algorithms for detecting convoluted attacks such as worms or exploits that use polymorphic code. Any suggestions on that as well?
-Clint

----- Original Message -----

Hi there,

I am taking part in a research project on artificial intelligence, and my objective is to create an IDS (possibly hybrid), capable of detecting attacks never seen before (by using some artificial intelligence algorithms). I would like to hear suggestions on which aspects of network traffic should I focus on ... Thanks in advance.

--
Thiago dos Santos Guzella
Linux User #354160
UIN 13465286
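The throttling idea quoted above from Williamson's HPL-2002-172 report (a small working set of recently contacted hosts, new destinations released at a fixed rate, and an alarm when the backlog of delayed requests grows) is simple enough to simulate end to end. The following is an added illustration written for this archive page, not HP's code or anything posted in the thread; the working-set size, release rate, alarm threshold and the two traffic traces are constructed values chosen to make the contrast visible, and the policy of keeping only one queued entry per destination is a simplification of the paper's scheme.

```python
"""Simplified Williamson-style virus throttle (after HPL-2002-172).

Constructed example: parameters and traces are illustrative, not from the paper.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Throttle:
    working_set_size: int = 5    # recently contacted hosts that pass immediately
    rate_per_tick: int = 1       # new destinations released per tick
    alarm_threshold: int = 10    # delay-queue length that raises an alarm
    working_set: deque = field(default_factory=deque)
    delay_queue: deque = field(default_factory=deque)
    sent: list = field(default_factory=list)   # destinations actually contacted
    max_queue: int = 0
    alarmed: bool = False

    def request(self, dst: str) -> None:
        """Handle one outbound connection request inside the current tick."""
        if dst in self.working_set:
            # Repeat connection to a recently used host: locally correlated, pass through.
            self.sent.append(dst)
            return
        # New destination: hold it; one queue entry per destination (simplification).
        if dst not in self.delay_queue:
            self.delay_queue.append(dst)
        self.max_queue = max(self.max_queue, len(self.delay_queue))
        # A host that keeps piling up requests to new machines looks like a spreader.
        if len(self.delay_queue) > self.alarm_threshold:
            self.alarmed = True

    def tick(self) -> None:
        """End of tick: release up to rate_per_tick queued destinations."""
        for _ in range(self.rate_per_tick):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            if len(self.working_set) >= self.working_set_size:
                self.working_set.popleft()   # evict the least recently admitted host
            self.working_set.append(dst)
            self.sent.append(dst)


def run(trace, **params) -> Throttle:
    """trace: list of ticks, each a list of destination names requested in that tick."""
    t = Throttle(**params)
    for tick_requests in trace:
        for dst in tick_requests:
            t.request(dst)
        t.tick()
    return t


# Constructed benign trace: a user returning to the same few hosts.
BENIGN_TRACE = [
    ["mail.example", "web.example"],
    ["mail.example", "files.example"],
    ["web.example", "mail.example"],
    ["mail.example", "print.example"],
    ["files.example", "mail.example"],
]

# Constructed scanning trace: one burst of 30 new hosts, then 10 more per tick.
SCAN_TRACE = [[f"10.0.{i}.1" for i in range(30)]] + [
    [f"10.{t}.{i}.1" for i in range(10)] for t in range(1, 5)
]


def summarize(trace) -> dict:
    """Return the observable effect of the throttle on a trace."""
    t = run(trace)
    return {
        "alarmed": t.alarmed,
        "max_queue": t.max_queue,
        "sent": len(t.sent),
        "still_queued": len(t.delay_queue),
    }


if __name__ == "__main__":
    print("benign :", summarize(BENIGN_TRACE))
    print("scanner:", summarize(SCAN_TRACE))
```

The benign trace never queues more than two new hosts and is never delayed for long, while the scanning trace trips the alarm inside the first tick and, even without the alarm, is held to one new destination per tick, which is the rate limit that slows propagation. A slow worm that stays under the release rate would not be caught by this alone, which is the point Drew raises above about stealthy worms.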