RE: Specification-based Anomaly Detection

From: Kohlenberg, Toby (toby.kohlenberg_at_intel.com)
Date: 01/11/05

    Date: Mon, 10 Jan 2005 23:05:07 -0800
    To: "Stefano Zanero" <zanero@elet.polimi.it>, "Ofer Shezaf" <Ofer.Shezaf@breach.com>

    All opinions are my own and in no way reflect the views of my employer.

    >-----Original Message-----
    >From: Stefano Zanero [mailto:zanero@elet.polimi.it]
    >Sent: Monday, January 10, 2005 12:50 AM
    >To: Ofer Shezaf
    >Cc: focus-ids@lists.securityfocus.com
    >Subject: Re: Specification-based Anomaly Detection
    >
    >Ofer, list,
    >
    >> I agree that anomaly detection is a new-comer to IDS, and in many cases
    >> not a mature technology. But I think that due to the inherent
    >> shortcomings of signatures, it has to be considered seriously.
    >
    >That's one of the lines of the speech I delivered at Black Hat - so I'd
    >say I agree warmly with you :)

    Stefano, could you expand on which part you agree with? I'm really
    confused to think that you would agree that anomaly detection would
    be new to IDS.

    >> As one of you mentioned, the main disadvantage of signatures is zero day
    >> attacks
    >Or highly polymorphic attacks, yes.

    Or custom-written attacks, which appear to be on the rise and
    can be developed specifically to avoid anomaly-based methods as
    well (example being the agobot DDoS function that sends a single
    GET request and then waits an extended period of time so that it
    appears to be the slashdot effect instead of a DDoS).

    >> 2. On the network layer, network profiling analyzes the normal behavior
    >> of users (i.e. traffic), while in the application layer we also profile
    >> the normal behavior of the application.
    >Sorry, I don't see how this makes a difference. By definition, a couple
    >(host, port) defines a listening application, so we can profile
    >application-based traffic profiles if we want to.

    Really? What about apps that all tunnel over a single port? Are you
    profiling IE or gmail or IM over HTTP or a SOAP app or an SSL VPN?
    Are you getting the application that IANA says runs on that port or
    are you getting SAP using telnet on some random port or Cisco using
    HTTP on yet another random port?

    >> 1. Application Layer Signatures - these signatures detect content that
    >> may indicate an application layer attack. These signatures are much more
    >> prone to false positives and may be more computationally complex to
    >> detect. Simple examples are the word "select" (used in SQL injection)
    >> and Win 32 assembly code (buffer overflows). Application signatures are
    >> effective to determine an actionable item once an anomaly was detected.
    >
    >This is basic misuse detection, it does not mean you can deliver an
    >actionable anomaly detection result.

    No, but it does give you a much better chance of finding "actionable"
    (or ignorable) when you don't have someone like Tom to look at the
    packets. That's the reason why people loved early ISS so much: it
    didn't matter whether it was right or wrong, just that when it
    said something was wrong it also told you what you should do
    about it.

    toby
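The disagreement above about whether a (host, port) pair identifies an application can be made concrete. The following is an added example, not code from either poster or from any IDS product: it profiles a handful of constructed flow records twice, once keyed on the destination port against a small IANA-style table (an assumption about how a port-based profiler labels traffic) and once on what the first payload bytes actually carry. Webmail, a SOAP service and an IM client all riding on port 80 collapse into one "http" bucket under port-based profiling, while telnet negotiation on an arbitrary high port and a web UI on port 8765 fall into "unknown". The hostnames, ports and payloads are constructed for illustration.

```python
"""
Port-based vs. payload-based application profiling.
Added example with constructed flow records; nothing here is captured traffic.
"""
from collections import Counter

# Assumption: a profiler keyed on (host, port) labels flows from a table like this.
PORT_TABLE = {23: "telnet", 25: "smtp", 80: "http", 443: "https"}

# Constructed flow records: (dst_host, dst_port, first bytes of client payload).
FLOWS = [
    ("10.0.0.5", 80, b"GET /mail/u/0/ HTTP/1.1\r\nHost: mail.example.com\r\n"
                     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.5", 80, b"POST /ws/orders HTTP/1.1\r\nHost: soap.example.com\r\n"
                     b"Content-Type: text/xml; charset=utf-8\r\n"
                     b"SOAPAction: \"urn:PlaceOrder\"\r\n\r\n<soap:Envelope>"),
    ("10.0.0.5", 80, b"POST /gateway/gateway.dll HTTP/1.1\r\nHost: im.example.com\r\n"
                     b"Content-Type: application/x-msn-messenger\r\n\r\n"),
    ("10.0.0.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello record
    ("10.0.0.7", 31337, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),        # telnet IAC DO ... on a random port
    ("10.0.0.8", 8765, b"GET /login.html HTTP/1.1\r\nHost: router.example.com\r\n"
                       b"User-Agent: Mozilla/5.0\r\n\r\n"),
]


def port_label(port):
    """What a port-keyed profiler believes the application is."""
    return PORT_TABLE.get(port, "unknown")


def parse_http_request(payload):
    """Return (method, headers) if the bytes open like an HTTP/1.x request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], headers


def payload_label(payload):
    """Classify a flow by the protocol its bytes carry, ignoring the port entirely."""
    # TLS record: content type 0x16 (handshake), major version 3.
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"
    # Telnet option negotiation: IAC (0xff) followed by WILL/WONT/DO/DONT.
    if len(payload) >= 2 and payload[0] == 0xFF and payload[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"
    req = parse_http_request(payload)
    if req is None:
        return "unknown"
    _method, headers = req
    ctype = headers.get("content-type", "")
    # Applications tunnelled over HTTP are told apart by headers, not by port.
    if "soapaction" in headers or ctype.startswith(("text/xml", "application/soap+xml")):
        return "http/soap"
    if ctype == "application/x-msn-messenger":
        return "http/im"
    if headers.get("host", "").startswith("mail."):
        return "http/webmail"
    return "http"


def port_profile(flows):
    """Baseline a port-keyed profiler would build: one bucket per port label."""
    return Counter(port_label(port) for _host, port, _payload in flows)


def payload_profile(flows):
    """Baseline built from payload inspection: one bucket per carried application."""
    return Counter(payload_label(payload) for _host, _port, payload in flows)


if __name__ == "__main__":
    print("port-based   :", dict(port_profile(FLOWS)))
    print("payload-based:", dict(payload_profile(FLOWS)))
```

Run stand-alone, the port-based profile reports three "http" flows and two "unknown" ones, while the payload-based profile separates webmail, SOAP and IM on port 80 and recovers the telnet session and the web UI that the port table missed. A real profiler would look deeper than the first request, but the split is the same: a (host, port) key only identifies the application when the application owns the port.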
