RE: Anomaly Based Network IDS

From: Drew Copley (dcopley_at_eEye.com)
Date: 06/23/04

    Date: Wed, 23 Jun 2004 13:05:02 -0700
    To: "Barry Fitzgerald" <bkfsec@sdf.lonestar.org>
    > -----Original Message-----
    > From: Barry Fitzgerald [mailto:bkfsec@sdf.lonestar.org]
    > Sent: Wednesday, June 23, 2004 11:02 AM
    > To: Drew Copley
    > Cc: Wozny, Scott (US - New York);
    > focus-ids@securityfocus.com; secdistlist@dauncey.net
    > Subject: Re: Anomaly Based Network IDS
    >
    > Drew Copley wrote:
    >
    <snip>

    >
    > I attribute Anomaly based IDS systems to be specialized network
    > profiling. What you're looking for, in that case, is changes/anomalies
    > in the traffic/protocol. If a 0-day drastically changes the nature of
    > network traffic, then the anomaly based IDS *should* pick it up.
    > Knowing this, and taking into account that most new exploits exist for
    > some period of time in the "elite" corners of the black hat realm before
    > ever reaching the skript kiddies, I'm going to go out on a limb and
    > state that it's far less likely that a real 0-day will ever generate
    > significantly abundant anomalies in the network traffic, in particular
    > if it's designed well and if the attacker is careful about how they
    > carry out their attack.

    Being very familiar with the underground for a very long time...

    You are entirely right, and this was what really raised my alarm.

    For most administrators, I do not see much concern here. They are
    not high level targets. There is no big money there, there is no
    potential fame there. (With fame much less of a plausible motive
    for serious hackers, and money much more of a plausible motive as
    the days go by...)

    For a worm zero day, yes, there probably will be alarms raised. But,
    the AV companies will know about it before you, anyway. So, it is
    not much of a concern. But, if someone is singling out target systems,
    someone is plying their way through your network with zero day? You
    would not notice this with this kind of detection agent.

    For everyday worms and hackers? Yes, absolutely.

    It is true that some of the more ingenious attacks out there have
    had essential, stupid flaws. The criminal does one or two things
    right, but he only needs to make one mistake.

    A couple of notes: There are not very many such criminals out there.
    Your everyday script kiddy will not be using zero day any day soon. Not
    that it is not possible, but merely because if a script kiddy is
    using it -- everyone else already knows about it.

    I won't lie, there is huge money being seen out there in the wild. But,
    unless you are a media outlet, a human rights organization, a financial
    institution, or a government... you are unlikely to see any such
    attacks. And, when they do happen, you will need a lot of tripwires
    in place to see them.

    This means if you want tripwires, you need trips. Stealthing
    one's attack is pretty trivial and a drop in the bucket. Rigging
    and hiding the potential target data is much more valuable in these
    scenarios.

    On anomaly detection, again, I have worked on such projects and
    do work on such projects and I really like the possibilities. I really
    like some of the products out there, as companion products, to
    existing security solutions. The future is bright... and it is
    definitely an intellectually challenging and stimulating area.

    >
    > Consider this point to be exacerbated as anomaly based IDS' become more
    > common and as black hats change their style in order to evade them.
    >
    > What they would be very good at is at picking up new worms and blind
    > scanners - but that's a far cry from a 0-day, unless the attacker
    > decides to use their 0-day on a worm - in which case they're wasting
    > their "golden key".
    >
    > Anomaly detection is just another tool that can be used to learn more
    > about your network, no more, no less... and not a single one of those
    > tools is magic, but they all have a use to those deploying them. Just
    > make sure you know what you're deploying. In my experience, relying on
    > marketing material works against that goal. :)
    >
    > -Barry
    >
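To make the point both posters agree on concrete (a worm or blind scanner departs sharply from a host's own traffic baseline, while a careful single-target attacker can stay inside it), here is an added example that is not part of the original thread: a toy per-host baseline detector scoring constructed one-minute connection windows. The host address, baseline figures, threshold and traffic are all assumptions made up for the demo.

```python
from statistics import mean, pstdev

# Constructed training window for one host: (connections, distinct destinations)
# observed per minute during normal operation. Values are made up for the demo.
BASELINE = {"10.0.0.5": [(3, 2), (4, 3), (2, 2), (5, 4), (3, 3), (4, 2), (3, 3), (2, 2)]}

# Constructed one-minute windows of (src, dst, dport) connection records.
WORM_MINUTE = [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 61)]  # blind scan
TARGETED_MINUTE = [("10.0.0.5", "10.0.2.7", 443),                        # one host,
                   ("10.0.0.5", "10.0.2.7", 443),                        # normal volume
                   ("10.0.0.5", "10.0.2.9", 80)]

def build_profile(samples):
    """Per-host baseline: mean and population stddev of both features."""
    counts = [c for c, _ in samples]
    dests = [d for _, d in samples]
    return {"mu_c": mean(counts), "sd_c": pstdev(counts),
            "mu_d": mean(dests), "sd_d": pstdev(dests)}

def zscore(value, mu, sigma):
    """Standard score; a flat baseline (sigma == 0) yields 0 rather than a crash."""
    return 0.0 if sigma == 0 else (value - mu) / sigma

def score_window(src, records, profile, threshold=3.0):
    """Flag a minute if connection volume or destination fan-out exceeds
    `threshold` standard deviations above this host's own baseline."""
    own = [r for r in records if r[0] == src]
    n = len(own)
    distinct = len({dst for _, dst, _ in own})
    z_c = zscore(n, profile["mu_c"], profile["sd_c"])
    z_d = zscore(distinct, profile["mu_d"], profile["sd_d"])
    return {"src": src, "connections": n, "distinct_dsts": distinct,
            "z_count": round(z_c, 2), "z_fanout": round(z_d, 2),
            "alert": max(z_c, z_d) > threshold}

def run_demo():
    """Score both constructed windows against the host's baseline."""
    prof = build_profile(BASELINE["10.0.0.5"])
    return {"worm": score_window("10.0.0.5", WORM_MINUTE, prof),
            "targeted": score_window("10.0.0.5", TARGETED_MINUTE, prof)}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The scanning window lands tens of sigmas above baseline on both features; the targeted window scores near zero, which is exactly why a volume-and-fan-out baseline gives no signal for the quiet case and has to be paired with other tripwires.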