IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Specification-based Anomaly Detection

From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 10 Jan 2005 22:48:11 -0800
All opinions are my own and in no way reflect the views of my employer.

I was going to stay out of this rendition of this debate but... 


-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com] 
Sent: Sunday, January 09, 2005 3:53 PM
To: Stefano Zanero; roberto.perdisci () gmail com
Cc: focus-ids () lists securityfocus com
Subject: RE: Specification-based Anomaly Detection


Hi Thomas & Stefano,

I agree that anomaly detection is a new-comer to IDS, and in many cases
not a mature technology. But I think that due to the inherent
shortcomings of signatures, it has to be considered seriously.


What exactly is your definition of "new-comer"? Seeing as anomaly
detection
has been discussed and studied for at least 15 years as far I know...


As one of you mentioned, the main disadvantage of signatures 
is zero day
attacks.  As I see it, the significance of zero day attacks is way
underrated. Zero day attacks usually refer to abusing of 
vulnerabilities
before a patch or a signature has been issued, but there are those
"perpetual" zero day attacks - the bugs in the software of a specific
web site. 

The recent "phpInclude" worm is a very good example of exploitation of
such "perpetual" zero day attacks. The worm itself can be detected by
signatures as, being a publicly available code, it includes some
repeating patterns. On the other hand the same the same techniques can
be (and probably are) used by "none worm" crawlers or even manually to
attack specific sites, and are not be detected by signatures.


I'm not sure I follow the argument about "perpetual zero day". It sounds
like a problem of poor signature writing. Could you expand a little more
on why this is a problem for signature-based approaches as opposed to
anomaly-based approaches?


2. On the network layer, network profiling analyzes the normal behavior
of users (i.e traffic), while in the application layer we also profile
the normal behavior of the application.

Saying that, anomaly itself usually identifies that something is wrong
but not what is wrong. We use two important additional mechanisms to
derive actionable information:


What is your basis for saying that anomaly detection usually detects
that
something is wrong? I've never seen an anomaly detection system that
detects things that are "wrong", by definition they only detect that
something is _different_.
The assumption that that is always something wrong is one of the basic
problems with how people implement anomaly-based solutions in my
opinion.

toby

Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588  Office & Voicemail
877-497-1696  Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA  01A1 6E09 B5BA 9E84 9E70

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: