Re: Network hardware IPS

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 10/06/03

    To: "Dave Killion" <Dkillion@netscreen.com>, <focus-ids@securityfocus.com>
    Date: Mon, 6 Oct 2003 22:32:41 +0200

    > I hate Marketing spin as much as the next engineer, but with respect, I
    > disagree here entirely.

    Strange - your post actually illustrates, with examples, what I have said ;)
    The only defect is that you consider just one, impossibly simple, attack.
    The real world is totally different.

    There is actually another defect. You think about network based, misuse
    based IDSes: that is but a part of the IDS world. In my vision, the most
    boring part, I might add :)

    > False Positive reduction has nothing to do with Detection Rate.

    It has _everything_ to do with Detection Rate. In the very moment in which
    you define a "strict" signature, you will miss "similar" attacks.

    You have attacks which are inherently polymorphic. A trade-off: do you risk
    missing an attack which is slightly different from the standard form? Or do
    you make your signature more generic, thus risking false positives? Your
    choice.

    You have attacks which can be spread over fragments: do you reconstruct
    them? If so, how do you do so coherently? Do you look at packets or at
    sessions? If the former - you will miss some things. If the latter, you still
    expose yourself to insertion and evasion techniques. Your choices.

    As you change these choices, you will see different shapes take form on that
    ROC curve. Or, if you are less theoretically-minded, you will see a
    different behavior in terms of detection rate and FP rate.

    I don't even talk about statistical, anomaly based algorithms. There, the
    threshold between DR and FP rate is usually a real parameter of the model,
    surprisingly adherent to these observations.

    > Obviously, the real world isn't as cut and dry as this example, but the
    > principles are the same - find something unique to the attack, go for
    > root cause, and get the context as specific as possible. You will
    > maximize detection while minimizing false positives.

    The "as possible" expresses the fact that you actually agree with me, even
    if you don't want to :)

    Please, read my post again: I explained how there is a break-even
    maximization point. BELOW that point, increasing the DR comes at almost no
    cost (in your example, at zero cost - but it's a simplified example, which
    does not make up for the complexity of the network world). ABOVE that point
    you pay a price which gets higher and higher.

    It is a typical problem of engineering to identify roughly that curve, and
    to correctly estimate this point, in order to MAXIMIZE detection rate
    without paying too much in terms of FP.

    I am confident that I explained myself better now.

    Regards,
    Stefano Zanero
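An added illustration of the trade-off discussed in this thread (example code, not part of the original post): four signatures for the same hypothetical CGI command-injection, from strict to generic, are run over a constructed set of attack variants and benign requests, and each signature's detection rate and false-positive rate is computed as one point on a ROC-style curve. All request lines and signatures are made up for the example.

```python
import re

# Constructed sample traffic (not real captures): (request line, is_attack).
# The attacks are polymorphic variants of one hypothetical CGI command injection;
# the benign lines legitimately share substrings with them.
SAMPLES = [
    ("GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0", True),        # canonical form
    ("GET /cgi-bin/test.cgi?cmd=/bin//sh HTTP/1.0", True),       # doubled slash
    ("GET /cgi-bin/test.cgi?cmd=%2Fbin%2Fsh HTTP/1.0", True),    # URL-encoded
    ("GET /cgi-bin/test.cgi?cmd=/usr/bin/perl HTTP/1.0", True),  # different binary
    ("GET /docs/shells.html HTTP/1.0", False),
    ("GET /download/bin/sha256sums.txt HTTP/1.0", False),
    ("GET /cgi-bin/search.cgi?q=bash+scripting HTTP/1.0", False),
    ("GET /cgi-bin/calc.cgi?cmd=add&x=1 HTTP/1.0", False),       # legitimate cmd=
    ("GET /index.html HTTP/1.0", False),
]

# Four signatures for the same attack, from strictest to most generic.
SIGNATURES = {
    "strict":  re.compile(r"cmd=/bin/sh"),
    "medium":  re.compile(r"cmd=(?:%2f|/)+bin(?:%2f|/)+sh", re.I),
    "generic": re.compile(r"/cgi-bin/.*cmd="),
    "loosest": re.compile(r"bin"),
}

def evaluate(sig, samples):
    """Return (detection_rate, false_positive_rate) for one signature."""
    tp = fp = 0
    n_attack = sum(1 for _, is_attack in samples if is_attack)
    n_benign = len(samples) - n_attack
    for request, is_attack in samples:
        if sig.search(request):
            if is_attack:
                tp += 1
            else:
                fp += 1
    return tp / n_attack, fp / n_benign

def roc_points(signatures=SIGNATURES, samples=SAMPLES):
    """One (name, DR, FPR) point per signature, ordered by rising FP rate."""
    pts = [(name, *evaluate(sig, samples)) for name, sig in signatures.items()]
    return sorted(pts, key=lambda p: (p[2], p[1]))

if __name__ == "__main__":
    # strict -> medium raises DR at zero FP cost; generic -> loosest buys no
    # further DR but pays in FPs: the break-even point lies between them.
    for name, dr, fpr in roc_points():
        print(f"{name:8s} DR={dr:.2f} FPR={fpr:.2f}")
```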

