Re: Changes in IDS Companies?

From: Scott Wimer (scottw@cylant.com)
Date: 10/31/02


Date: Thu, 31 Oct 2002 14:03:11 -0800
From: Scott Wimer <scottw@cylant.com>
To: focus-ids@securityfocus.com

Raistlin wrote:
> Even if there were no false alarms, something that automatically cuts in and
> prevents communication has an astounding potential to become the worst
> Denial-of-service tool on the market...
>
> It is really difficult to implement an AI engine clever enough to understand
> which attacks are using the prevention feature to actually cause harm
> _through_ the IPS itself.

One way to do this is by implementing meta monitoring of the IPS tools
themselves -- looking for patterns of activity in the counter-measures
applied by the IPS. This won't let you prevent a few mis-applied
counter-measures, but it should be able to substantially mitigate the
risk of several hundred or several thousand "whoopsies".

The behavior of a set of IPS tools should be just as profilable as the
behavior of a set of processes. Except, in this case, what you would
be looking for is not the behavior breaking out of the pattern, but
rather a case where the behavior forms a pattern where previously
there had been mostly just noise. Kind of like a spike of signal
against background radiation.

Regards,
scottwimer

> Stefano "Raistlin" Zanero
> System Administrator Gioco.Net
> public PGP key block at http://gioco.net/pgpkeys

-- 
Scott M. Wimer, CTO                      Cylant
www.cylant.com                           121 Sweet Ave.
v. (208) 883-4892                        Suite 123
c. (208) 850-4454                        Moscow, ID 83843
There is no Security without Control.
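As an added illustration of the meta-monitoring idea above (example code, not from the thread, Cylant, or any IPS product): a Python sketch that profiles an IPS's own block actions per time window and alerts when they stop looking like noise, that is, when the block rate spikes well above the trailing baseline and the blocks pile onto a few targets. The log format and addresses are constructed; windows are counted from the first event.

```python
import math
from collections import Counter
from datetime import datetime
# Constructed IPS countermeasure log (hypothetical format): "<ISO time> BLOCK <address cut off>".
SAMPLE_LOG = """\
2002-10-31T14:00:00 BLOCK 10.0.0.11
2002-10-31T14:00:40 BLOCK 10.0.0.23
2002-10-31T14:01:10 BLOCK 10.0.0.37
2002-10-31T14:01:50 BLOCK 10.0.0.8
2002-10-31T14:02:02 BLOCK 10.0.0.42
2002-10-31T14:02:05 BLOCK 10.0.0.42
2002-10-31T14:02:09 BLOCK 10.0.0.42
2002-10-31T14:02:12 BLOCK 10.0.0.42
2002-10-31T14:02:15 BLOCK 10.0.0.42
2002-10-31T14:02:20 BLOCK 10.0.0.42
2002-10-31T14:02:40 BLOCK 10.0.0.60
"""

def parse(lines):
    """(timestamp, blocked target) for every BLOCK line in the log."""
    return [(datetime.fromisoformat(t), x) for t, a, x in map(str.split, lines) if a == "BLOCK"]

def windows(events, window_s):
    """Split events into fixed-size windows counted from the first event; empty windows stay empty."""
    t0 = events[0][0]
    idx = lambda ts: int((ts - t0).total_seconds()) // window_s
    buckets = [[] for _ in range(idx(events[-1][0]) + 1)]
    for ts, target in events:
        buckets[idx(ts)].append(target)
    return buckets

def entropy(targets):
    """Shannon entropy (bits) of the blocked-target distribution; 0.0 for an empty window."""
    n = len(targets)
    return -sum(c / n * math.log2(c / n) for c in Counter(targets).values()) if n else 0.0

def find_signal(events, window_s=60, baseline=2, rate_factor=3.0):
    """Flag windows whose countermeasures stop looking like noise: block rate above
    rate_factor times the trailing baseline AND blocks concentrating on fewer targets."""
    w = windows(events, window_s)
    alerts = []
    for i in range(baseline, len(w)):
        prior = w[i - baseline:i]
        base_rate = sum(len(p) for p in prior) / baseline
        base_ent = sum(entropy(p) for p in prior) / baseline
        if len(w[i]) > rate_factor * base_rate and entropy(w[i]) < base_ent:
            alerts.append((i, len(w[i]), Counter(w[i]).most_common(1)[0]))
    return alerts

def demo():
    """Run the meta-monitor over the constructed log; returns [(2, 7, ('10.0.0.42', 6))]."""
    return find_signal(parse(SAMPLE_LOG.splitlines()))
```

The alert says window 2 holds seven blocks, six of them against one address, where the two prior windows held two scattered blocks each; that concentration is the "signal against background radiation" a human or an automated override should look at before the IPS keeps cutting.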