Re: Anomaly Based Network IDS

From: Thiago dos Santos Guzella (thiagoguzella_at_yahoo.com.br)
Date: 06/27/04

  • Next message: Sam Heshbon: "Are sophisticated attacks just FUD?"
    To: "Bharat Bhushan" <bharatb@hotmail.com>
    Date: Sun, 27 Jun 2004 14:31:26 -0300
    
    

    Do you have any results available for discussion?
    I am taking part in a similar project (artificial immune systems), and it would
    be interesting to see what you have...

    On Thu 24 Jun 2004 13:14, Bharat Bhushan wrote:
    > Is anyone using a Genetic Algorithm based IDS? I developed an IDS for my
    > master's degree that was based on an immunogenetic approach, i.e. replicating
    > the human immune system to detect anomalies in network traffic data using a
    > Genetic Algorithm. The results weren't too bad. I am happy to discuss my
    > project in detail if anyone is interested.
    >
    > I am wondering if there are any 'real' products out there that use GA.
    >
    >
    > Regards,
    >
    > - Bharat.
    >
    > >From: Ramoni <ramoni@databras.com.br>
    > >To: focus-ids@securityfocus.com
    > >Subject: Re: Anomaly Based Network IDS
    > >Date: Wed, 23 Jun 2004 17:31:15 -0300
    > >
    > >In fact, anomaly based IDSs are like rule based ones...
    > >they just create their own "NORMAL" rules (instead of attack rules)
    > >dynamically.
    > >
    > >Anomaly based ones suffer much more from the false positive and false
    > >negative problems.
    > >
    > >IMHO of course.
    > >
    > >On Tuesday 22 June 2004 18:32, Wozny, Scott (US - New York) wrote:
    > > > Semantics aside, I find the smoke and mirrors aspect of this technology
    > > > fascinating. The bottom line is this. The heart of anomaly based IDS
    > > > is to tell you that your network traffic patterns (from what you're
    > > > feeding the device) are noticeably different today than they were
    > > > yesterday (or an hour ago or 5 minutes ago or whatever). While this is
    > > > an interesting value proposition it's an addition to, not a replacement
    > > > for, classical signature based IDS (or IPS if you're brave) that those
    > > > in the trenches rely upon every day to tell them who is knocking at
    > > > their doors and who brought in an infected laptop from home that's
    > > > raising hell on the intranet. If an exploit is released for a
    > > > vulnerability that isn't known in the security community (specifically
    > > > the signature-based vendors) yet then anomaly based IDS does have a
    > > > real opportunity to be your first warning that something is amiss. But
    > > > keep in mind that YOU need to tell it how sensitive to be to change and
    > > > YOU need to tell it how loud to yell when it sees something it finds
    > > > odd and YOU are going to need to baby-sit it.
    > > >
    > > > My 2 cents,
    > > >
    > > > Scott
    > > >
    > > > -----Original Message-----
    > > > From: Drew Copley [mailto:dcopley@eEye.com]
    > > > Sent: Tuesday, June 22, 2004 2:18 PM
    > > > To: Aaron Jordan; focus-ids@securityfocus.com; secdistlist@dauncey.net
    > > > Subject: RE: Anomaly Based Network IDS
    > > >
    > > > > -----Original Message-----
    > > > > From: Aaron Jordan [mailto:aaronj0rdan23@hotmail.com]
    > > > > Sent: Friday, June 18, 2004 2:14 PM
    > > > > To: focus-ids@securityfocus.com; secdistlist@dauncey.net
    > > > > Subject: Re: Anomaly Based Network IDS
    > > > >
    > > > > My company uses Lancope's StealthWatch for anomaly based
    > > > > network IDS. We are quite pleased with its ability to detect
    > > > > zero-day undocumented attacks on our network.
    > > >
    > > > Guys, as a "bugfinder", I have to tell you this... this vendor
    > > > is misleading you in regards to "zero day".
    > > >
    > > > From their site, the first bullet point they have up?
    > > >
    > > > "Defeat Zero-Day Attacks"
    > > >
    > > > That is extremely misleading.
    > > >
    > > > Here's an unbiased article:
    > > > Crying wolf: False alarms hide attacks
    > > > http://www.nwfusion.com/techinsider/2002/0624security1.html
    > > >
    > > > But, that guy was not even trying to address a claim like
    > > > "defeat zero day attacks". This crafty claim... for one
    > > > thing, it is extremely unlikely they have ever even found
    > > > one single zero day attack.
    > > >
    > > > [Unless they count putting in bugs in their own products,
    > > > then "finding" it.]
    > > >
    > > > "Zero Day" attacks... "zero day" means a newly discovered
    > > > security vulnerability not yet shown to the public. It is
    > > > impossible to know what it may be. Anyone that has spent much
    > > > time looking at past security bugs knows they could be anything.
    > > >
    > > > "Day One" attacks would involve security vulnerabilities just
    > > > released to the public. It used to be something like "Day Forty"
    > > > or so that an unknown vulnerability would become a worm. No one
    > > > uses this terminology, exactly, and today the time from bug
    > > > release to attacks is extremely non-static.
    > > >
    > > > Very rarely unfixed bugs which have been disclosed through Full
    > > > Disclosure have been called - with some right - "zero day".
    > > >
    > > > The number of actual "zero day" that anyone is actually familiar
    > > > with is extremely small. A webdav issue in IIS was being used
    > > > against Navy servers early last year. This year a spyware distributor
    > > > just of late who obviously bought some zero day and has been
    > > > using it. That is about it.
    > > >
    > > > Obviously, it is very likely that there is some zero day "floating
    > > > around"... in fact, every single bug finder that posts to Bugtraq
    > > > or Full Disclosure or NTBugtraq has "zero day".
    > > >
    > > > Because that is what their bugs are before they disclose them to
    > > > anyone.
    > > >
    > > >
    > > > There is a trend, there are more bugfinders today than there were
    > > > yesterday... but when I say "bugfinders" I do not mean "everyday QA".
    > > > There are hundreds, not thousands. And when I say "hundreds", I include
    > > > those that do not have much experience and whose skills are
    > > > lacking -- but they have potential.
    > > >
    > > > People can be trained to find security vulnerabilities. An
    > > > accomplished assembly language programmer could easily break into
    > > > the world of cracking and hacking and learn his way around after
    > > > a few years. Very ambitious individuals could learn their way
    > > > around. But, the field is well hidden from public view -- the
    > > > "script kiddy" is the glamorous hacker of media fame... and even
    > > > when one does understand this is the "core", one is a long way
    > > > from spending endless nights trying to find a high quality security
    > > > bug which has been missed by teams of QA and devel working for
    > > > years.
    > > >
    > > > These things said... someone with a "zero day" attack has an
    > > > unknown attack. A "golden key" to the systems, I like to say. There
    > > > are possibilities to find large classes of "zero day" attacks. We
    > > > do this in SecureIIS and have instituted the same functionality
    > > > in our upcoming Blink. We have had a lot of "zero day" with which
    > > > to test and design and develop these products.
    > > >
    > > > Rule based API guards can do a lot to protect against true
    > > > zero day attacks. Class based protection schemes can do a lot
    > > > against true zero day attacks. More importantly, these schemes
    > > > can help secure systems against new variants of known vulnerabilities
    > > > including every manner of virus or trojan... which is the most
    > > > common type of attack, and therefore, the most plausible.
    > > >
    > > > It is true the real "nightmare scenarios" of computer security
    > > > do involve zero day. There are likely some nightmare scenarios
    > > > of this caliber going on right now. I know I am aware of some over
    > > > the years. But, these scenarios almost always involve extremely
    > > > important "target" systems such as military, diplomatic, primary
    > > > routing systems, or extremely sensitive corporate systems.
    > > >
    > > > A very likely scenario, however, is a zero day worm which is
    > > > wildly propagated in the next few years... one made by individuals
    > > > who really want to destroy systems, like the Witty Worm of late.
    > > >
    > > > But, this does not remove the fact that you need to be up on
    > > > everyday attacks which do not utilize "zero day".
    > > >
    > > > Merely writing a new trojan or doing a "new hacking attack" is
    > > > a far cry from the true and generalized definition of the term
    > > > "zero day". If marketers are trying to pass off such definitions
    > > > as accurate, they are being highly deceptive.
    > > >
    > > > > We're easily able to see into our network to examine what
    > > > > is actually happening on it versus what should be happening on it.
    > > > >
    > > > > We evaluated a few of the other products in this space and
    > > > > decided on this one since it was the easiest to use.
    > > > >
    > > > > --my $.02
    > > > >
    > > > > AJ
    > > > > "802.3"
    > > > >

    -- 
    Thiago dos Santos Guzella
    Linux User #354160
    UIN 13465286
    "Software is like sex: it's better when it's free." Linus Torvalds 
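As an added illustration of the point Scott makes above (a baseline of "yesterday" compared against "today", with the operator choosing how sensitive the detector is), here is a toy baseline-deviation detector; it is example code written for this archive page, not code from any poster or from any product named in the thread, and the per-minute connection counts are constructed:

```python
"""Toy baseline-deviation detector in the spirit of the anomaly IDS discussed
in this thread (added example, not from any poster or product).
Input: per-minute counts of new outbound connections from one host (constructed
data): a 'yesterday' window used as the baseline and a 'today' window to score.
The operator supplies the sensitivity as a z-score threshold."""
from statistics import mean, pstdev
from typing import List, Tuple

Alert = Tuple[int, int, float]  # (minute, count, z-score)


def baseline(history: List[int]) -> Tuple[float, float]:
    """Mean and standard deviation of the baseline window. The floor of 1.0 on
    the deviation keeps a perfectly flat baseline from flagging every tiny change."""
    return mean(history), max(pstdev(history), 1.0)


def detect(history: List[int], today: List[int], sensitivity: float) -> List[Alert]:
    """Flag each minute whose count exceeds the baseline by more than
    `sensitivity` standard deviations. Only upward deviations are scored: the
    question asked here is 'busier than yesterday', not merely 'different'."""
    mu, sd = baseline(history)
    return [(i, c, round((c - mu) / sd, 2))
            for i, c in enumerate(today) if (c - mu) / sd > sensitivity]


# Constructed sample: 60 quiet minutes yesterday, the same background today,
# plus a legitimate backup job at minute 20 (40 connections) and a
# scanning-worm style burst at minute 40 (200 connections).
YESTERDAY = [8, 9, 10, 11, 9, 10, 12, 8, 10, 9] * 6
TODAY = [9, 10, 11, 8, 10, 9, 12, 10, 9, 11] * 6
TODAY[20], TODAY[40] = 40, 200


def alert_minutes(sensitivity: float, history: List[int] = YESTERDAY) -> List[int]:
    """Which minutes of TODAY alert at a given sensitivity."""
    return [m for m, _, _ in detect(history, TODAY, sensitivity)]


if __name__ == "__main__":
    # Too sensitive: ordinary busy minutes alert. Moderate: the backup job is a
    # false alarm next to the burst. Very lax: only the burst survives, and a
    # quieter intrusion would be missed. The threshold is the operator's call.
    for s in (1.5, 3.0, 30.0):
        print(f"sensitivity {s:>4}: alerts at minutes {alert_minutes(s)}")
```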