IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: Stefano Zanero <zanero () elet polimi it>
Date: Mon, 27 Oct 2008 21:28:11 +0100

Omar Herrera wrote:

> Anomaly detection in the end is still a form of blacklisting.

No, actually, it isn't. It's the contrary of it, by definition.

> Even if
> you use general patterns instead of specific ones, you are still doing a
> match against activity that is known to be bad

Then it is misuse detection, and not anomaly detection. You may wish to
refer to Bace's work on intrusion detection for quickly getting up to speed
with modern research in the area.

> introduce higher false positive rates as well. No research will make
> anomaly detection a better alternative than white lists (from an
> effectiveness point of view),

You mean, except for the fact that whitelisting, except in some very
specific setting, is not a viable approach to manage complex information
systems?

> everything else. Within http traffic you can't block all requests, but
> businesses and individuals might know the characteristics of good inputs
> and outputs and filter accordingly.

Businesses and individuals do not know anything of the kind. Otherwise,
well, they would be doing what you suggest :)

Anomaly detection is all about learning automatically "whitelists" of
normal activities.

I will jump your examples, as they are actually excellent examples of
why manually created whitelists are completely unusable in any modern
environment.

> Sure, some anomaly detection devices try to learn from the environment
> what is good and bad.

ANY anomaly detector will do that.

> In practice you will get only information on what
> is significantly (e.g. statistically) different from the point where you
> took your measures.

No, this is not true. You evidently don't know most of the recent
research on the subject (which is what Damiano, and I incidentally, tend
to do for a living :) )

> Bad things that happened at the time of measurement
> might be legitimized, new good things might be marked as bad.

These are problems that have been widely studied. To claim there's no
way around them is false.

> Security departments have no excuse not to white list these days in my
> opinion

Except having an actual, real world network to run, you mean?

White listing is a naive approach, which is perfect only in a very
limited setting of drones all doing the same things. In a modern network
of empowered users it won't hold for a second.

Best,
Stefano
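The two positions above can be put side by side on a toy scale: Stefano's point that an anomaly detector learns a "whitelist" of normal activity by itself, and Omar's objection that whatever happened during the measurement period, good or bad, becomes part of that learned normal. The following is an added example and not code from either poster. It builds a simple per-parameter profile of HTTP query strings (value length statistics plus the set of characters seen), in the spirit of the attribute models found in the anomaly-detection literature, trains it on constructed sample URLs, and then shows a request being flagged as an outlier and the same request being accepted once it contaminated the training set. The class names, the 0.9 threshold and the sample traffic are my own choices.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


class ParamProfile:
    """Model for one query parameter learned from normal traffic (hypothetical):
    running length statistics and the set of characters ever observed."""

    def __init__(self):
        self.n = 0
        self.sum_len = 0.0
        self.sum_sq = 0.0
        self.charset = set()

    def learn(self, value):
        length = len(value)
        self.n += 1
        self.sum_len += length
        self.sum_sq += length * length
        self.charset.update(value)

    def mean(self):
        return self.sum_len / self.n

    def variance(self):
        m = self.mean()
        return max(self.sum_sq / self.n - m * m, 0.0)  # clamp float noise

    def score(self, value):
        """Anomaly score in [0, 1]; higher means further from the learned profile."""
        length = len(value)
        dev = abs(length - self.mean())
        var = self.variance()
        # Length model: Chebyshev's inequality bounds P(|X - mu| >= dev) by
        # var / dev^2, a distribution-free way to turn a deviation into a probability.
        if dev == 0:
            p_len = 1.0
        elif var == 0:
            p_len = 0.0
        else:
            p_len = min(1.0, var / (dev * dev))
        # Character model: fraction of characters never seen during training.
        unseen = sum(1 for ch in value if ch not in self.charset)
        frac_unseen = unseen / length if length else 0.0
        return max(1.0 - p_len, frac_unseen)


class RequestAnomalyDetector:
    """Per URL path, one ParamProfile per query parameter (hypothetical class)."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.profiles = defaultdict(lambda: defaultdict(ParamProfile))

    @staticmethod
    def _parse(url):
        parts = urlsplit(url)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def train(self, urls):
        for url in urls:
            path, params = self._parse(url)
            for name, value in params:
                self.profiles[path][name].learn(value)

    def check(self, url):
        """Return (reason, subject, score) findings; an empty list means normal."""
        path, params = self._parse(url)
        known = self.profiles.get(path)  # .get() does not create a new entry
        if known is None:
            return [("unknown path", path, 1.0)]
        findings = []
        for name, value in params:
            profile = known.get(name)
            if profile is None:
                findings.append(("unknown parameter", name, 1.0))
                continue
            s = profile.score(value)
            if s >= self.threshold:
                findings.append(("anomalous value", name, round(s, 3)))
        return findings


# Constructed sample of "normal" requests used as the training set.
NORMAL_TRAFFIC = [
    "/search?q=firewall", "/search?q=ids+evasion", "/search?q=proxy",
    "/search?q=anomaly+detection", "/search?q=snort+rules",
    "/search?q=tcp+reassembly", "/search?q=http+normalization",
    "/search?q=bace+intrusion", "/search?q=zero+day", "/search?q=log+review",
    "/login?user=alice&lang=en", "/login?user=bob&lang=de",
    "/login?user=carol&lang=en", "/login?user=dave&lang=it",
]

OUTLIER = "/search?q=" + "a" * 60  # constructed: far longer than any trained value


def build_detector(training, threshold=0.9):
    det = RequestAnomalyDetector(threshold)
    det.train(training)
    return det


if __name__ == "__main__":
    clean = build_detector(NORMAL_TRAFFIC)
    for url in ["/search?q=proxy+logs", OUTLIER, "/search?q=proxy&debug=1", "/admin?x=1"]:
        print(url[:40], clean.check(url))
    # Training-set contamination: with the outlier present while the profile was
    # learned, the widened variance legitimizes it, which is Omar's objection.
    poisoned = build_detector(NORMAL_TRAFFIC + [OUTLIER])
    print("after contamination:", poisoned.check(OUTLIER))
```

Against the clean profile a new but ordinary search term passes, an unknown parameter or path is reported because nothing was ever learned for it, and the 60-character value scores 0.993 on the length model alone. Add that same value to the training set once and the variance of the q profile grows enough that it scores 0.893, under the 0.9 threshold, so it is no longer reported. Both behaviours follow from the same mechanism: the detector whitelists whatever it was shown, which is why the quality and cleanliness of the training window matter as much as the model.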
