Re: Statistical Anomaly Analysis? "Was [more specific] Signaturevs. Protocol Analysis "

From: Josh Gray (grayjr@cerias.purdue.edu)
Date: 03/17/02


Date: Sat, 16 Mar 2002 20:29:19 -0500
To: focus-ids@securityfocus.com
From: Josh Gray <grayjr@cerias.purdue.edu>

comments inline...

Xiaoyong Wu wrote:

> I would consider a system with the false alarm rate tunable. I can
> understand that everyone likes zero false alarm rate but different people
> may have different endurance for receiving those false alarms. I am more
> than agree that an Intrusion Detection System is no more than a burglar
> system. But, Let's take a look at the commercial products for burglar
> systems. We will notice that the false alarm rate for those systems is way
> below current that for IDS'es. Yeah, there's still a long way for IDS!

What do you consider a false alarm? I don't see a lot of false alarms
personally. I see a lot of unsuccessful attacks that get alerted on, such as
code red attempts to apache servers. The code red alerts fire because
there was
an attempt to infect a machine with code red, or to check if it has already
been
infected. This alert fires all the time. If you are overwhelmed by it then
simply disable the signature. The reason people get overwhelmed with alerts is
because they don't take the time to go through and eliminate the signatures
that
they don't want or need. If you don't have any web servers then disable all of
the web related signatures. Most IDSs come with a large signature set by
default because they have no idea what their deployment environment is like.
It's up to the operators of the system to tune it. IDS vendors could
simply not
include a default signature set and that would eliminate the alerts you have to
deal with. If they did that though everyone would start complaining that their
IDS didn't detect anything.

Basically my point is that your IDS is what you make of it. If you're tired of
seeing the same alerts every day then disable them. If you want to catch new
attacks play around with the signature set to detect more generic things. If
you know your network really well then you can tune your IDS to look for things
that shouldn't be happening.

>
> I am not sure how those home security systems are build but I would
> believe they are taking more events into consideration. At one time I know
> that cats trigger them pretty often:).
>

Actually, they are looking for less events. They are looking for a small
set of
very specific events, such as someone breaking your window or kicking your door
down. If a home alarm system alerted every time someone knocked on your
door or
called and hung up you would probably be overwhelmed (or at least annoyed) with
alarms by this system too. I know some police/fire departments will stop
responding to these alarms if they go off to often.

Josh



Relevant Pages

  • Re: Statistical Anomaly Analysis? (was: a bunch of things)
    ... " Basically my point is that your IDS is what you make of it. ... If you're tired of seeing the same alerts every day then disable them." ... intrusion on your network environment. ... >> I would consider a system with the false alarm rate tunable. ...
    (Focus-IDS)
  • RE: What is false alarm rate and false positive rate?
    ... short answer is "neither," but it comes down to this question: If the IDS ... sees an OpenSSL attack go towards an IIS server that isn't using OpenSSL, ... that a false alarm or not? ... What is false alarm rate and false positive rate? ...
    (Focus-IDS)
  • Re: Firewall Tester 0.6
    ... > an NFR and the NFR didn't generate a single false alarm. ... reasonable in the case where an IDS is placed outside the firewall ... E.g. consider IDSes placed inside the innermost firewall perimeter, ...
    (Focus-IDS)
  • Re: security alert
    ... Must be a false alarm, I also have Norton AV and firewall with no alerts. ... > it,Norton Internet Security 2003 identified a high security alert ...
    (microsoft.public.windowsxp.security_admin)