Re: IPS false negatives

["Thomas Choi" <tchoi () nortel com>]

Basgen, Brian wrote:
>  Is anyone aware of research that has been done to qualify/quantify the
> false negatives that commercial IPS's will pass when running on a
> default configuration?

From a security officer's POV, I limit the scope of false negatives to 
behavioral-based signatures that are designed to detect the types of 
abnormal behavior that a large corporate entity would be concerned 
with.  Such behavior includes various well-known malware propagation 
means (i.e network spreading, file share, spim, spam), phone home 
traffic and DoS attacks, to name a few.  IMO, the detection of these 
types activities should be the minimal requirements of any corporate IDS 
strategy.  For what good is an IDS with hundreds/thousands of 
signatures, if it can't even detect obvious generic attack patterns 
going on in your network, where such attacks are known to be very costly 
to corporate entities?  


As part of my graduate studies research, I've developed a series of 
tests that one can safely run in their production environment to mimic a 
wide range of known malicious behaviour (such as the ones described 
above) for testing any given IDS.  I've applied my evaluation toolkit 
against a number of commercial IDSs and have found this evaluation 
approach to be extremely simple, efficient and effective.  




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------