IDS mailing list archives

RE: Specification-based Anomaly Detection


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Thu, 13 Jan 2005 01:11:12 -0800

 

-----Original Message-----
From: Stefano Zanero [mailto:zanero () elet polimi it] 
Sent: Tuesday, January 11, 2005 1:29 AM
To: Kohlenberg, Toby
Cc: Ofer Shezaf; focus-ids () lists securityfocus com
Subject: Re: Specification-based Anomaly Detection

Kohlenberg, Toby wrote:

Stefano, could you expand on which part you agree with? I'm really
confused to think that you would agree that anomaly detection would
be new to IDS.

I would agree that:
- anomaly detection is needed as a complementary approach to misuse 
detection because of the inherent limits of the latter

Okay, that makes sense and I think most would agree with it.

- and that anomaly detection (in particular techniques which are not 
rate-based) is a relative "newcomer" in the COMMERCIAL field of 
intrusion detection, where most of the products are built on a misuse 
detection approach.

Really? What would you call CMDS, which was a commercial system that
used anomaly detection by building user profiles and was available from
ODS in the mid-90s?
Here's the announcement of the 4.0 release from 1999-
http://www.intrusion.com/about/news/releases/1999/011999.pdf

As I recall, it was originally developed by SAIC in the early 90s. I'd
say it's been around for quite a while.

Really? What about apps that all tunnel over a single port? 

That would be a problem even if you work at application layer ;)

Why?


Please note that Ofer was not advocating HOST-based intrusion 
detection but NETWORK-based approaches working at layer 7

Right, I got that. But so long as you aren't encrypting the traffic, I
can dissect it. I won't always get the fragmentation right but I can
probably figure out the application if I look.

Are you getting the application that IANA says runs on that port or
are you getting SAP using telnet on some random port or Cisco using
HTTP on yet another random port?

That's something that the algorithm we have developed can recognize ;)

Yes, but not by looking at IP/port pairs. You'll need more detail than
that.

No, but it does give you a much better chance of finding "actionable"
(or ignorable) 
Yes, but since we are discussing whether or not ANOMALY detection is
"actionable" (I'm not a native speaker but this word sounds horrible to
me :) this objection is not relevant. Or better, it says exactly what
Tom and I were saying: anomaly detection is not, and this is a
disadvantage wrt misuse detection.

(You're right, that word is horrible, but I've seen native speakers do
worse. I have to work with some of them... :) )
Actually, I'd say that anomaly detection is completely actionable in
limited situations where the existence of an anomaly is enough of an
issue that it raises a concern.
Don't throw the baby out with the bathwater. Anomaly detection has real
issues, but it is just as useful for taking action as misuse detection
when you use it wisely.

t


Best,
Stefano


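The point argued above, that you cannot tell SAP-over-telnet on a random port from HTTP on another one by looking at IP/port pairs, and that a content-identified application showing up on the wrong port is exactly the kind of anomaly that is actionable on its own, is illustrated by the following added example. It is not code from either poster or from any product mentioned in the thread. The payload signatures are deliberately simplified assumptions, the IANA port table is a hand-picked subset, and the sample flows are constructed, not captured traffic.

```python
# Added example (not from the thread): identify the application from the first
# client payload bytes instead of trusting the destination port, then flag a
# known application that appears on a port that does not belong to it.
# Signatures are simplified assumptions; sample flows are constructed by hand.
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT after IAC (0xFF)

# Subset of IANA well-known port assignments (assumed table for the example).
IANA_EXPECT = {22: "ssh", 23: "telnet", 80: "http", 443: "tls"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent


def identify_app(payload: bytes) -> str:
    """Classify the application from payload content alone; the port is never consulted."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in TELNET_NEGOTIATION:
        return "telnet"  # IAC followed by an option-negotiation verb opens a telnet session
    if (len(payload) >= 6 and payload[0] == 0x16  # TLS record type: handshake
            and payload[1] == 0x03                # record version major 3
            and payload[5] == 0x01):              # handshake type: ClientHello
        return "tls"
    return "unknown"


def check_flow(flow: Flow) -> tuple[str, str]:
    """Return (application, verdict) by comparing content identity with the port expectation."""
    app = identify_app(flow.payload)
    expected = IANA_EXPECT.get(flow.dport)
    if expected is None:
        # No expectation for this port: a recognised app here is the "telnet on some
        # random port" case from the thread; nothing recognised is merely unclassified.
        return app, "known-app-on-unassigned-port" if app != "unknown" else "unclassified"
    if app == expected:
        return app, "ok"
    return app, f"mismatch:expected-{expected}"


def scan(flows):
    """Run the check over a list of flows and return one (dport, app, verdict) per flow."""
    return [(f.dport, *check_flow(f)) for f in flows]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Flow("10.0.0.5", "10.0.0.9", 23, b"GET /index.html HTTP/1.1\r\nHost: rtr\r\n\r\n"),
    Flow("10.0.0.5", "10.0.0.9", 4242, b"\xff\xfd\x18\xff\xfd\x20"),
    Flow("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.5", "10.0.0.9", 8443, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for dport, app, verdict in scan(SAMPLE_FLOWS):
        print(f"dport={dport:<5} app={app:<8} verdict={verdict}")
```

The second sample flow (HTTP on port 23) is the case where the mere existence of the anomaly is enough to raise a concern: no signature for a specific attack is needed to decide that something is worth a look. Encrypted traffic still defeats this, as Toby notes; only the TLS handshake itself is recognisable, not what runs inside it.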