Re: Firewalls (was Re: IDS evaluations procedures) - AI

[Fergus Brooks <fergwa () gmail com>]

Could I raise something?

If less than 10% of network impacting events are security related then
shouldn't we be concentrating on behavioural changes rather than
attacks?

Let's say, for example, that someone reconfigures the core switches to
cache arp in a different way. And that this causes an outage of
business critical services for several hours. All the signature based
systems will be no help. Anything that looks at the pipes for
weirdness will.

This is a real world example.

The edge of the network where it faces the 'net has been done - to
death - maybe we should be looking at the rest of the network. To sit
on core L3 switches in M/R/WAN environments with behavioural anomaly
detection systems would seem to be the next logical step.

We can argue over the benefits and deficits of point security products
till we all go blue in the face...

/face turns blue



On 7/28/05, Sanjay Rawat <sanjayr () intoto com> wrote:
> Hi David:
> Its nice to know that you (and others too) are interested in
> exploring/discussing such AI based approaches. it true that we need some
> correlations among various data sources to gain more confidence and
> information to label an event as attack. recently i worked on a very simple
> approach to detect DoS (particulary SYN flood), wherein I correlated packet
> rate and CPU time of the server. surprising I got 0% false positive. of
> course it does not mean that in real environment, it WILL behave like this.
> but experimentally its a good start. similarly, we can investigate the
> usability of Fusion theory or association rules to find correlations among
> events. My only concern, at this point, is the complexity of implementing
> such methods. I am interested in implementing one, but again time is one
> major constraint here.
> Another point which I want to bring in here is "what should we look for in
> HUGE data?" Any machine learning algo is as good as the data presented to
> it. data should be as minimum as possible but MUST contain the attack
> manifestation. so this is another problem of characterizing the attack.
> ok I think its enough for now :-)
> Sanjay
>
> At 01:41 AM 7/27/2005, Swift, David wrote:
> > I believe added correlation and the programming of artificial
> > intelligence into security devices to be a key area of expansion for any
> > good security device over the next few years.
> >
> > Companies like Counterpane are beginning to correlate offline data to
> > look for real attacks.
> >
> > It is immensely more valuable to me for a device to let me know that
> > someone used a SYN-SCAN to find the open ports on my firewall followed
> > by a Fragmented packet with a TTL 1 higher than my firewall to map true
> > destinations by ICMP replies, who then sent a fragmented packet through
> > to an IP address on a port he previously found he could establish a
> > session on.
> >
> > Any single packet or detected IDS event means little by itself, but the
> > combination and sequence of events from the same source should allow me
> > to increase the threat level of a given source, and correspondingly
> > adjust my responses up to the point where I dynamically harden my
> > firewall from his source address regardless of what data he's
> > transmitting, AND hopefully beginning the automation of forensic
> > analysis by doing things like a reverse DNS lookup, whois, and
> > dynamically sending identification packets to his IP to identify any
> > other characteristics (i.e. will he respond to a Netbios Name Lookup?
> > Can I discover his MAC address? RARP tables/responses).
> >
> > I would enjoy the topic, but believe this should be a new discussion
> > thread however.
> >
> > -----Original Message-----
> > From: Sanjay Rawat [mailto:sanjayr () intoto com]
> > Sent: Tuesday, July 26, 2005 1:52 AM
> > To: Richard Bejtlich; Swift, David
> > Cc: Mike Barkett; Nick Black; focus-ids () securityfocus com
> > Subject: Re: Firewalls (was Re: IDS evaluations procedures)
> >
> > Hi Richard
> > I am agreed on the difficulty in defining an attack properly. in fact
> > recently i joined a company as a kind as intrusion analyst. Before that
> > i
> > was in academic environment doing my PhD in IDS. what i observed is that
> >
> > signatures are concentrating more on a particular exploit code rather
> > than
> > the true exploit/vulnerability. i am specifically talking about Snort
> > signatures. I feel that time has come when we should also look at some
> > AI/data mining/ machine learning techniques to get some more insight
> > into
> > the attacks, as now we have high computing devices. During my research,
> > i
> > experimented with many such techniques, but I dont find the
> > acceptability
> > of such techniques in commercial products. I know i may sound more
> > theoretical to all experienced network/system administrators, but i want
> > to
> > bring this issue into the focus. in this way, we can, at least, discuss
> > the
> > feasibility of such techniques and the problems associated with that.
> > i am looking forward to have some response from all.
> > thanks
> > Sanjay
> >
> >
> >
> > > Hi David,
> > >
> > > All good points.  If you can get past firewalls using various
> > > techniques, I'm sure others can bypass even your product, right?
> > >
> > > This is not an attack against you or any other prevention vendor.  The
> > > unfortunate reality is that at some point a smart, unpredictable
> > > intruder will figure out how to bypass your prevention mechanism.
> > > Where does that leave an integrated/converged security device?  Will
> > > it have any record at all that it was beaten?  Probably not -- if it
> > > knew what was happening, it would have blocked the attack, correct?
> > >
> > > The problem I see with most security vendors is their assumption that
> > > they can even identify attacks properly.  This is a problem because
> > > detection or prevention requires accurate attack identification.  I
> > > gave up on perfect attack detection years ago, but I did not give up
> > > on intrusion detection or prevention as necessary parts of the
> > > security process.  I am glad you and other vendors still work on this
> > > very tough problem!
> > >
> > > For my part, I try to identify when my preventative system has failed
> > > via policy enforcement failure detection.  If that doesn't work, I'm
> > > also performing network transaction logging.  Once I know (by
> > > non-technical means, perhaps) that I'm compromised, I have
> > > network-based evidence to guide my incident response and remediation
> > > process.
> > >
> > > I don't see do-it-all-in-one security appliances approaching the
> > > problem this way.
> > >
> > > I guess my view is biased because I do incident response for a living,
> > > and I constantly deal with failed security mechanisms.  (Unfortunately
> > > for my clients,) I am as busy now (with all the great new gear we
> > > have) as I was seven years ago when I started.
> > >
> > > Sincerely,
> > >
> > > Richard
> > > http://www.taosecurity.com
> > >
> > > -----------------------------------------------------------------------
> > -
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to
> > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > > to learn more.
> > > -----------------------------------------------------------------------
> > -
> >
> > Sanjay Rawat
> > Senior Software Engineer
> > INTOTO Software (India) Private Limited
> > Uma Plaza, Above HSBC Bank, Nagarjuna Hills
> > PunjaGutta,Hyderabad 500082 | India
> > Office: + 91 40 23358927/28 Extn 423
> > Website : www.intoto.com
> >    Homepage: http://sanjay-rawat.tripod.com
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >
> > to learn more.
> > ------------------------------------------------------------------------
> >
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > ------------------------------------------------------------------------
>
> Sanjay Rawat
> Senior Software Engineer
> INTOTO Software (India) Private Limited
> Uma Plaza, Above HSBC Bank, Nagarjuna Hills
> PunjaGutta,Hyderabad 500082 | India
> Office: + 91 40 23358927/28 Extn 423
> Website : www.intoto.com
>    Homepage: http://sanjay-rawat.tripod.com
>
>
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------