Re: Stateful Anomaly Detection Molding

From: Drew Simonis (simonis_at_myself.com)
Date: 10/14/04

  • Next message: Mark Teicher: "Re: Fortinet IDS"
    To: "Beauford, Jason" <jbeauford@EightInOnePet.com>, focus-ids@securityfocus.com
    Date: Thu, 14 Oct 2004 08:38:03 -0500
    
    

    >
    > I want to get the groups opinion on the viability of Stateful Anomaly
    > Detection Molding.
    >

    I've not heard the term "Stateful Anomaly Detection" before, but I presume
    you are speaking of what I commonly call network profiling, or, more
    precisely, behavior based anomaly detection. That said...

    > With regards to IDS/IDP products which use S.A.D. as a detection engine,
    > how easy/difficult is it to train the engine to allow malicious traffic.
    > The idea is that these detection engines monitor traffic over a period
    > of time and develop rule sets based on the given flow of traffic.

    This question seems founded on the notion that there is One Way to do this
    sort of monitoring, and I don't think that is a true premise. Most of the
    research and actual implementations I've seen simply model a static view
    of the network and compare with that over time. This could not easily be
    "trained" to accept naughty behavior. Some do use a moving baseline of the
    network, and this could indeed, at least conceptually, be trained. The
    rapidity and effectiveness of the training would likely, however, be based
    on the statistical methods used to construct that baseline, and this is
    not likely to be by one common means.

    > What can the Blackhats of the world due to perpetuate rule set molding
    > of Stateful Anomaly Detection engines to allow malicious traffic through
    > without being detected? How reliable are S.A.D. engines in detecting
    > unwanted traffic?

    Two big questions. One would presume that an effective profiling system
    would detect even the smallest deviations from the norm, and an alert
    analyst would take action. So, unless there was some deviation allowance
    threshold, the attacker would have little room to maneuver. Thats really
    the whole point of profiling, isn't it? As to the reliability, this is
    too product specific to discuss generally, I suspect.

    -ds

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------


  • Next message: Mark Teicher: "Re: Fortinet IDS"