RE: IDS Correlation
From: Matthew F. Caldwell (mattc@guarded.net)
Date: 03/22/02
- Previous message: Kohlenberg, Toby: "RE: IDS Correlation"
- Maybe in reply to: 李辉: "IDS Correlation"
- Next in thread: 李辉: "Re: RE: IDS Correlation"
- Reply: 李辉: "Re: RE: IDS Correlation"
Date: Fri, 22 Mar 2002 01:07:21 -0500
From: "Matthew F. Caldwell" <mattc@guarded.net>
To: 李辉 <huili@sei.xjtu.edu.cn>, <focus-ids@securityfocus.com>
I think you will find that the correlation systems on the market do a lot more than just Intrusion Detection Systems. The correlation tools have expanded to numerous devices including network devices, hosts, IDS, firewalls, and even application security. The definition of correlation varies widely with each company. Some of the products in the field only do correlation; however, I think the market will be dominated by threat analysis engines (explained later), not just correlation tools.
The following is a listing of correlation techniques I have seen publicly.
Simple Correlation
The ability to see all events in a normalized format side by side in a single perspective.
Example:
Checkpoint FW1 X.X.X.X Z.Z.Z.Z accept
Enterasys Dragon X.X.X.X Z.Z.Z.Z IISUNICODE
ISS RealSecure X.X.X.X Z.Z.Z.Z Nimda_Worm
Cross Organization Correlation
Managed Service Providers and Intelligence Service Providers can do this (or at least I hope so): you are trying to match similar events with a bit of fuzziness to help customers come together as a group in combating a threat.
Time by Event Correlation
A statistics table holds key information about event counts and time periods over hosts. It picks up slow scans and that type of thing if you have lots of memory :>
Rules or Pattern Correlation
This is a manual process of configuring rules to act as a higher-level signature.
IISUNICODE1 + IISUNICODE2 = NIMDA
Grouping Correlation
This type, primarily called classes, would group all of your IDS events in a similar fashion. For example: ids.detect.ddos might contain many DDOS signatures.
Vulnerability Name and Event Correlation
Well, ladies and gentlemen, this is where it starts to get messy. This is a form of correlation, but I think it demands recognition as a higher level of analysis; I usually call this a type of threat analysis engine because effectively you are justifying a threat or reducing the perceived threat in a useful manner. These are getting more and more complex, at least here at GuardedNet. I would encourage you to look more into a threat analysis tool than just a correlation tool.
I will be at the TechSec 2002 Conference (http://www.techsec.com), April 7-10, discussing these very topics.
Matthew F. Caldwell, CISSP
Chief Security Officer
GuardedNet, Inc.
http://www.guarded.net
Home of neuSECURE Threat Management Software
-----Original Message-----
From: 李辉 [mailto:huili@sei.xjtu.edu.cn]
Sent: Tue 3/21/2000 9:49 PM
To: focus-ids@securityfocus.com
Cc:
Subject: IDS Correlation
hi,all
Recently I have been focusing on IDS correlation, but I keep thinking about these questions:
1. Can correlation definitely improve performance measures such as precision?
2. Maybe a comprehensive knowledge base about all kinds of IDS alerts is essential to correlation, but how can we acquire it?
3. Suppose that we have the knowledge base; which kinds of methods should we use to do correlation?
All kinds of comments about correlation are welcome.
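The following is an added example written for this page; it is not code from the original post, from GuardedNet, or from any product named in the thread. It implements the correlation techniques Caldwell lists (a normalized side-by-side view, rules/pattern correlation with his IISUNICODE1 + IISUNICODE2 = NIMDA rule, grouping into classes, a time-by-event statistics table that catches a slow scan, and vulnerability-name-to-event correlation) over a handful of constructed log lines. The raw log layouts, the class names, the rule window, the scan threshold and the vulnerability table are all assumptions chosen for illustration.

```python
"""Miniature alert-correlation engine (illustrative, not any vendor's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int        # seconds since epoch (constructed timestamps)
    sensor: str
    src: str
    dst: str
    name: str


# --- Simple correlation: normalise three different record layouts into one schema.
# The three layouts below are assumptions, not the real products' log formats.
def parse_fw1(line):            # "<t> src=<ip> dst=<ip> action=<verb>"
    t, *kv = line.split()
    d = dict(p.split("=", 1) for p in kv)
    return Event(int(t), "Checkpoint FW1", d["src"], d["dst"], d["action"])


def parse_dragon(line):         # "<t>|<src>|<dst>|<signature>"
    t, src, dst, name = line.split("|")
    return Event(int(t), "Enterasys Dragon", src, dst, name)


def parse_rs(line):             # "<t> <signature> <src> -> <dst>"
    t, name, src, _, dst = line.split()
    return Event(int(t), "ISS RealSecure", src, dst, name)


PARSERS = {"fw1": parse_fw1, "dragon": parse_dragon, "rs": parse_rs}

# Constructed sample input: a Nimda-style hit on one host, then a slow scan
# from a second source that touches one new host every ten minutes.
RAW = [
    ("fw1",    "1016754000 src=10.0.0.5 dst=192.168.1.20 action=accept"),
    ("dragon", "1016754001|10.0.0.5|192.168.1.20|IISUNICODE1"),
    ("dragon", "1016754002|10.0.0.5|192.168.1.20|IISUNICODE2"),
    ("rs",     "1016754003 Nimda_Worm 10.0.0.5 -> 192.168.1.20"),
    ("rs",     "1016754100 Nimda_Worm 10.0.0.5 -> 192.168.1.21"),
    ("dragon", "1016755000|10.0.0.9|192.168.1.1|SYN_SCAN"),
    ("dragon", "1016755600|10.0.0.9|192.168.1.2|SYN_SCAN"),
    ("dragon", "1016756200|10.0.0.9|192.168.1.3|SYN_SCAN"),
    ("dragon", "1016756800|10.0.0.9|192.168.1.4|SYN_SCAN"),
    ("dragon", "1016757400|10.0.0.9|192.168.1.5|SYN_SCAN"),
]


def normalize(raw):
    """Parse every record with its sensor's parser and order by time."""
    return sorted((PARSERS[s](line) for s, line in raw), key=lambda e: e.t)


# --- Grouping correlation: map signatures to classes (assumed taxonomy).
CLASSES = {
    "IISUNICODE1": "ids.detect.web.iis", "IISUNICODE2": "ids.detect.web.iis",
    "Nimda_Worm": "ids.detect.worm", "SYN_SCAN": "ids.detect.recon",
}


def event_class(e):
    return CLASSES.get(e.name, "unclassified")


# --- Rules/pattern correlation: the post's IISUNICODE1 + IISUNICODE2 = NIMDA.
# Requiring both parts from the same src to the same dst inside a window is
# an assumption about how such a rule would be scoped.
RULES = [({"IISUNICODE1", "IISUNICODE2"}, "NIMDA")]


def apply_rules(events, window=60):
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append(e)
    meta = []
    for (src, dst), evs in by_pair.items():
        for parts, name in RULES:
            matched = [e for e in evs if e.name in parts]
            if ({e.name for e in matched} == parts
                    and max(e.t for e in matched) - min(e.t for e in matched) <= window):
                meta.append((name, src, dst))
    return meta


# --- Time-by-event correlation: per-source statistics over a long window so a
# scan spread over many minutes still shows up (threshold/window assumed).
def slow_scans(events, window=3600, threshold=5):
    table = defaultdict(list)                 # src -> [(t, dst), ...]
    for e in events:
        table[e.src].append((e.t, e.dst))
    found = []
    for src, rows in table.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            dsts = {d for t, d in rows[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                found.append((src, len(dsts)))
                break
    return found


# --- Vulnerability name and event correlation: raise or lower the perceived
# threat by checking whether the target actually carries the targeted flaw.
VULNS = {"192.168.1.20": {"IIS-Unicode"}, "192.168.1.21": set()}   # constructed asset data
SIG_VULN = {"IISUNICODE1": "IIS-Unicode", "IISUNICODE2": "IIS-Unicode",
            "Nimda_Worm": "IIS-Unicode"}                            # assumed mapping


def threat(e):
    v = SIG_VULN.get(e.name)
    if v is None or e.dst not in VULNS:       # no knowledge: cannot justify or reduce
        return "unknown"
    return "high" if v in VULNS[e.dst] else "low"


def correlate(raw=RAW):
    events = normalize(raw)
    return {
        "events": len(events),
        "classes": dict(Counter(event_class(e) for e in events)),
        "meta": apply_rules(events),
        "slow_scans": slow_scans(events),
        "threats": [(e.name, e.dst, threat(e)) for e in events if threat(e) != "unknown"],
    }


if __name__ == "__main__":
    for k, v in correlate().items():
        print(k, v)
```

The Nimda_Worm alert against 192.168.1.21 is rated low because the constructed asset table says that host lacks the targeted flaw, while the same signature against 192.168.1.20 stays high; an event whose target is absent from the asset table is left "unknown" rather than silently downgraded, which is the caveat a threat analysis engine has to respect.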