Re: Stateful Anomaly Detection Molding

From: Drew Simonis (simonis_at_myself.com)
Date: 10/14/04

  • Next message: Mark Teicher: "Re: Fortinet IDS" 
    To: "Beauford, Jason" <jbeauford@EightInOnePet.com>, focus-ids@securityfocus.com
Date: Thu, 14 Oct 2004 08:38:03 -0500

    >
    > I want to get the groups opinion on the viability of Stateful Anomaly
    > Detection Molding.
    >

    I've not heard the term "Stateful Anomaly Detection" before, but I presume
    you are speaking of what I commonly call network profiling, or, more
    precisely, behavior based anomaly detection. That said...

    > With regards to IDS/IDP products which use S.A.D. as a detection engine,
    > how easy/difficult is it to train the engine to allow malicious traffic.
    > The idea is that these detection engines monitor traffic over a period
    > of time and develop rule sets based on the given flow of traffic.

    This question seems founded on the notion that there is One Way to do this
    sort of monitoring, and I don't think that is a true premise. Most of the
    research and actual implementations I've seen simply model a static view
    of the network and compare with that over time. This could not easily be
    "trained" to accept naughty behavior. Some do use a moving baseline of the
    network, and this could indeed, at least conceptually, be trained. The
    rapidity and effectiveness of the training would likely, however, be based
    on the statistical methods used to construct that baseline, and this is
    not likely to be by one common means.

    > What can the Blackhats of the world due to perpetuate rule set molding
    > of Stateful Anomaly Detection engines to allow malicious traffic through
    > without being detected? How reliable are S.A.D. engines in detecting
    > unwanted traffic?

    Two big questions. One would presume that an effective profiling system
    would detect even the smallest deviations from the norm, and an alert
    analyst would take action. So, unless there was some deviation allowance
    threshold, the attacker would have little room to maneuver. Thats really
    the whole point of profiling, isn't it? As to the reliability, this is
    too product specific to discuss generally, I suspect.

    -ds

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    --------------------------------------------------------------------------

  • Next message: Mark Teicher: "Re: Fortinet IDS"

    Relevant Pages

    • Re: Changes in IDS Companies?
      ... I think that the intrusion prevention space will probably endup ... just like the detection space is. ... > Network intrusion prevention systems are also relatively untested and ... > complete lack of discussion about the downsides of such technologies. ...
      (Focus-IDS)
    • RE: Changes in IDS Companies?
      ... It does intrusion detection with alerting and pattern matching ... IDS is down...but at least your network isn't, ... ::: mode being rolled into Snort) are both good technologies ...
      (Focus-IDS)
    • NADS ( was RE: IPS comparison)
      ... One thing that does bother me is how IPS has been ... great at the perimeter or other "choke points" in the network. ... NADS gives much of the value of traditional network ... that detection by itself is just not enough. ...
      (Focus-IDS)
    • Re: True definition of Intrusion Prevention
      ... >Prevention versus Network Intrusion Detection, ... to be monitoring the integrity of the host's operation. ...
      (Focus-IDS)
    • A Network IPS Proposal (was Definition of Zero Day Protection)
      ... I did a research on Network IPS a while back when the ... > api gating layers and are continuing to greatly ... > implementations have detection properties for zero ... > day attacks. ...
      (Focus-IDS)