Re: Network hardware IPS

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 10/06/03

  • Next message: Dave Killion: "RE: Network hardware IPS"
    To: "Dave Killion" <Dkillion@netscreen.com>, <focus-ids@securityfocus.com>
    Date: Mon, 6 Oct 2003 22:32:41 +0200
    
    

    > I hate Marketing spin as much as the next engineer, but with respect, I
    > disagree here entirely.

    Strange - your post actually illustrates, with examples, what I have said ;)
    The only defect is that you consider just one, impossibly simple, attack.
    The real world is totally different.

    There is actually another defect. You think about network based, misuse
    based IDSes: that is but a part of the IDS world. In my vision, the most
    boring part, I might add :)

    > False Positive reduction has nothing to do with Detection Rate.

    It has _everything_ to do with Detection Rate. In the very moment in which
    you define a "strict" signature, you will miss "similar" attacks.

    You have attacks which are inherently polymorph. A trade-off: you risk to
    miss an attack which is slightly different than the standard form ? Or you
    make your signature more generic, thus risking false positives ? Your
    choice.

    You have attacks which can be spread over fragments: do you reconstruct them
    ? If so, how do you do so coherently ? Do you look at packets or at sessions
    ? If the former - you will miss some things. If the latter, you still expose
    yourself to insertion and evasion techniques. Your choices.

    As you change these choices, you will see different shapes take form on that
    ROC curve. Or, if you are less theoretically-minded, you will see a
    different behavior in terms of detection rate and FP rate.

    I don't even talk about statistical, anomaly based algorithms. There, the
    threshold between DR and FP rate is usually a real parameter of the model,
    surprisingly adherent to these observations.

    > Obviously, the real world isn't as cut and dry as this example, but the
    > principles are the same - find something unique to the attack, go for
    > root cause, and get the context as specific as possible. You will
    > maximize detection while minimizing false positives.

    The "as possible" expresses the fact that you actually agree with me, even
    if you don't want to :)

    Please, read my post again: I explained how there is a break-even
    maximization point. BELOW that point, increasing the DR comes at almost no
    cost (in your example, at zero cost - but it's a simplified example, which
    does not make up for the complexity of the network world). ABOVE that point
    you pay a price which gets higher and higher.

    It is a typical problem of engineering to identify roughly that curve, and
    to correctly estimate this point, in order to MAXIMIZE detection rate
    without paying too much in terms of FP.

    I am confident that I explained myself better now.

    Regards,
    Stefano Zanero

    ---------------------------------------------------------------------------
    Captus Networks IPS 4000
    Intrusion Prevention and Traffic Shaping Technology to:
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Precisely Define and Implement Network Security & Performance Policies
    FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    ---------------------------------------------------------------------------


  • Next message: Dave Killion: "RE: Network hardware IPS"