Re: Anomaly Based Network IDS

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 06/23/04

    Date: Wed, 23 Jun 2004 14:01:33 -0400
    To: Drew Copley <dcopley@eEye.com>


    Drew Copley wrote:

    >There are several chances to "find" zero day. This is not a
    >semantical issue, at all. It is a very critical issue.
    >
    >If people are clutching to smoke and mirrors, they will find
    >themselves in deep water when the ship is sinking. To continue
    >with the analogy.
    >
    <snip>

    >You are right, there is some wild hope, and the technology is advancing.
    >Heuristic type technology is surely not limited to the network, AV
    >companies have been researching here for years... as is clearly shown
    >with some patent searches.
    >
    >People should remember that while this technology has potential
    >and even some real world usage that it is not a "different planet"
    >removed from signature technology in the first place... there will
    >always be a required "learned" data set from which to deal with
    >"unknown data" so as to make a qualitative comparison... In one
    >scenario, you have a more flexible situation, with end users training
    >the system individually to their own network... in another, you have a
    >more generic system with end researchers training the data in the
    >form of writing signatures.
    >

    I think that we can boil this whole thing down to one very generalized
    point:

            Those who know the lay of the land better will have a better
    time defending it.

    That applies to network traffic profiling, host intrusion detection,
    host engineering, network layout, and system sizing and design. The
    general rule being the more you know, the better off you are. But, the
    problem with that being that there's so much to know, that it's
    impossible to know enough and be able to analyze it by yourself.

    Enter IDS/IPS systems.

    No matter how many false positives you get, you're still processing less
    data than if you were to take a sniffer to the network and analyze one
    packet at a time by hand. In this way, both signature and anomaly based
    IDS systems have a place in the infrastructure. I think that the
    missing variable in this conversation regarding whether anomaly based
    IDS systems can detect 0-day attacks is a discussion of what type of
    attacks they are most likely to detect.

    I consider anomaly based IDS systems to be specialized network
    profiling. What you're looking for, in that case, is changes/anomalies
    in the traffic/protocol. If a 0-day drastically changes the nature of
    network traffic, then the anomaly based IDS *should* pick it up.
    Knowing this, and taking into account that most new exploits exist for
    some period of time in the "elite" corners of the black hat realm before
    ever reaching the skript kiddies, I'm going to go out on a limb and
    state that it's far less likely that a real 0-day will ever generate
    significantly abundant anomalies in the network traffic, in particular
    if it's designed well and if the attacker is careful about how they
    carry out their attack.

    Consider this point to be exacerbated as anomaly based IDSes become more
    common and as black hats change their style in order to evade them.

    What they would be very good at is at picking up new worms and blind
    scanners - but that's a far cry from a 0-day, unless the attacker
    decides to use their 0-day on a worm - in which case they're wasting
    their "golden key".

    Anomaly detection is just another tool that can be used to learn more
    about your network, no more, no less... and not a single one of those
    tools is magic, but they all have a use to those deploying them. Just
    make sure you know what you're deploying. In my experience, relying on
    marketing material works against that goal. :)

                    -Barry
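The argument above (traffic profiling catches a scanning worm, but a careful 0-day that rides on an already-normal connection pattern stays under the threshold) can be shown with a toy baseline-plus-deviation detector. This is an added example and not code from the post or from any IDS product; the flow records are constructed, the host and feature names are invented for illustration, and the per-source "mean + k * stddev" threshold over distinct destination hosts and ports per time window is one simple profiling scheme, not a claim about how any particular product works.

```python
"""Toy network-profiling anomaly detector (added example, constructed data).

Features per (window, source host): number of distinct destination hosts
and distinct destination ports.  A baseline is learned from training
windows and a window is flagged when a feature exceeds mean + k * stddev.
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flows():
    """Constructed flow records as (window, src, dst, dport); not real captures."""
    flows = []
    # Windows 0-9 (training): workstation 10.0.0.5 talks to 3-5 web servers
    # on 443 plus one server on 80.  Hosts per window: 4,5,6,4,5,6,4,5,6,4.
    for w in range(10):
        for i in range(3 + w % 3):
            flows.append((w, "10.0.0.5", f"203.0.113.{10 + i}", 443))
        flows.append((w, "10.0.0.5", "203.0.113.20", 80))
    # Window 10: worm-style scan of port 445 across 40 internal hosts.
    for i in range(40):
        flows.append((10, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    # Window 11: drive-by 0-day served from a server the host already visits;
    # the flow pattern is indistinguishable from ordinary browsing.
    for i in range(4):
        flows.append((11, "10.0.0.5", f"203.0.113.{10 + i}", 443))
    flows.append((11, "10.0.0.5", "203.0.113.20", 80))
    # Window 12: a careful attacker adds one callback to one new host on 443.
    for i in range(3):
        flows.append((12, "10.0.0.5", f"203.0.113.{10 + i}", 443))
    flows.append((12, "10.0.0.5", "203.0.113.20", 80))
    flows.append((12, "10.0.0.5", "198.51.100.9", 443))
    return flows


def features(flows):
    """Map (window, src) -> (distinct destination hosts, distinct dest ports)."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for w, src, dst, dport in flows:
        hosts[(w, src)].add(dst)
        ports[(w, src)].add(dport)
    return {k: (len(hosts[k]), len(ports[k])) for k in hosts}


def train(flows, train_windows, k=3.0, min_std=1.0):
    """Learn per-source thresholds (mean + k * stddev) from the training windows.

    min_std floors the deviation so a perfectly regular feature (stddev 0)
    does not alert on every tiny change.
    """
    per_src = defaultdict(lambda: ([], []))
    for (w, src), (nh, npt) in features(flows).items():
        if w in train_windows:
            per_src[src][0].append(nh)
            per_src[src][1].append(npt)
    baseline = {}
    for src, (hs, ps) in per_src.items():
        baseline[src] = (
            mean(hs) + k * max(pstdev(hs), min_std),
            mean(ps) + k * max(pstdev(ps), min_std),
        )
    return baseline


def detect(flows, baseline):
    """Return {window: [(src, reason, observed, threshold), ...]} for alerts only."""
    alerts = defaultdict(list)
    for (w, src), (nh, npt) in sorted(features(flows).items()):
        if src not in baseline:
            # An unprofiled source cannot be scored; surface that explicitly.
            alerts[w].append((src, "no_baseline", nh, None))
            continue
        th_hosts, th_ports = baseline[src]
        if nh > th_hosts:
            alerts[w].append((src, "distinct_hosts", nh, th_hosts))
        if npt > th_ports:
            alerts[w].append((src, "distinct_ports", npt, th_ports))
    return dict(alerts)


if __name__ == "__main__":
    flows = constructed_flows()
    baseline = train(flows, set(range(10)))
    print("thresholds:", baseline)
    for w, items in detect(flows, baseline).items():
        for src, reason, observed, th in items:
            print(f"window {w}: {src} {reason} observed={observed} threshold={th}")
```

With the constructed data the learned host threshold for 10.0.0.5 is 4.9 + 3 * 1.0 = 7.9, so window 10 (40 destinations) is flagged while windows 11 and 12 (5 destinations each, same two ports) are not: the profiler sees the scan, not the exploit delivered over an expected connection.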

