RE: Truth about False Positives
From: markclancy@mediaone.net
Date: 09/15/01
- Previous message: The Crocodile: "Re: Intrusion Detection Product Info:"
- Maybe in reply to: robert_david_graham: "RE: Truth about False Positives"
- Next in thread: Scott C. Kennedy: "Re: Truth about False Positives"
From: <markclancy@mediaone.net>
To: <Vincent.Tan@mail.state.ky.us>, <ktimm@server1.stingrey.com>, <sck@space4rent.com>
Subject: RE: Truth about False Positives
Date: Sat, 15 Sep 2001 10:27:03 -0400
Message-ID: <001d01c13df2$82b64d90$3301a80a@neo>
In regard to false alarms as defined by Chris Klaus in his previous email:
You can collect a lot of information about potential adversaries by seeing
what type of probes they issue against your network. You can gauge the
potential effectiveness of attacks based upon the hit ratio of
infrastructure you run vs. the exploits attempted. For example, if I'm an
IIS shop and I see a lot of Apache attacks, I know the attackers are using a
shotgun approach: shooting randomly into the sky and seeing if a duck falls.
Not very meticulous.
I worry a lot more about the cyber equivalent of the folks who lie in the weeds
for a month, wait for the ducks to swim towards them, and shoot while the
ducks are still unaware in the pond.
In fact, in this day and age, if you have a sufficient patch management
process (does anyone?) you *might* argue that if you see an IDS attack
signature for an exploit against your infrastructure, you have at best a
mid-level adversary and more likely less than that. It is probably unwise to
filter out the false alarm signatures for this reason.
An attacker that is 'detected' by another method, like protocol anomaly
detection or suspicious activity in an OS or application log file, is a much
more sophisticated threat. That is not a slam against signature-based
technologies, as they still provide valuable information; we just need to
carefully measure what that information really tells us. IMHO, supplementing
IDS with additional information sources like honey pots and rigorous host
log analysis is highly advantageous for threat assessment of the skill
level of adversaries.
If you have a busy network, for sensor data you need to know both what events
are taking place and which events to focus your limited resources on
investigating.
Just my $0.02
-Mark
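The "hit ratio" idea from the post above, worked through as an added example (not code from the original message): per attacking source, count how many IDS alerts target software the destination host actually runs, and label low-ratio sources as "shotgun" scanning. The asset inventory, alert lines, signature-to-platform map and the 0.6 threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical hosts): which server software each runs.
ASSETS = {
    "10.0.0.5": {"iis"},
    "10.0.0.6": {"iis"},
    "10.0.0.7": {"apache", "openssh"},
}

# Constructed IDS alert lines in a simple "src dst signature" form (not a real product's format).
ALERTS = """\
203.0.113.9 10.0.0.5 WEB-IIS unicode directory traversal
203.0.113.9 10.0.0.6 WEB-IIS cmd.exe access
203.0.113.9 10.0.0.7 WEB-IIS unicode directory traversal
203.0.113.9 10.0.0.5 WEB-APACHE chunked encoding overflow
203.0.113.9 10.0.0.6 WEB-APACHE mod_ssl worm probe
198.51.100.4 10.0.0.5 WEB-IIS unicode directory traversal
198.51.100.4 10.0.0.6 WEB-IIS cmd.exe access
"""

# Assumed mapping from a signature's class prefix to the platform it targets.
SIG_PLATFORM = {"WEB-IIS": "iis", "WEB-APACHE": "apache", "SSH": "openssh"}

def parse_alert(line):
    # Split "src dst signature text" and resolve the signature class to a platform.
    src, dst, sig = line.split(" ", 2)
    cls = sig.split(" ", 1)[0]
    return src, dst, SIG_PLATFORM.get(cls)

def hit_ratio_by_source(alert_text, assets):
    """Return {src: (matching, total)}: 'matching' counts alerts whose targeted
    platform is actually deployed on the destination host."""
    stats = defaultdict(lambda: [0, 0])
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        src, dst, platform = parse_alert(line)
        stats[src][1] += 1
        if platform and platform in assets.get(dst, set()):
            stats[src][0] += 1
    return {s: tuple(v) for s, v in stats.items()}

def classify(matching, total, threshold=0.6):
    # Sources whose probes mostly fit the deployed software deserve the closer look.
    ratio = matching / total
    return "targeted" if ratio >= threshold else "shotgun"
```

A source with a high ratio is not proof of skill, only of alerts worth prioritising; a low ratio is the signal the post describes, and it still belongs in the record rather than being filtered out.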