Re: NADS ( was RE: IPS comparison)

From: Stefano Zanero (zanero_at_elet.polimi.it)
Date: 08/31/05

    Date: Wed, 31 Aug 2005 10:33:25 +0200
    To: Joseph Hamm <jhamm@lancope.com>
    
    

    Joseph Hamm wrote:

    >>IMHO comparing pure play behavior detection to IPS is like comparing
    >> apples and oranges.
    >
    > I couldn't agree more. I spoke up because Stefano brought up the topic
    > of anomaly detection.

    I didn't, actually - it was brought up by others; I only felt it right to
    chime in on my specific area of research :)

    > One thing that does bother me is how IPS has been
    > painted as a "magic bullet" by vendors (and even the press).

    It's a painful scene we have seen for most other technologies... you
    remember the PKI-fits-all dance, until 3-4 years ago, don't you? :)

    > (purchase and maintain) a box everywhere you want coverage. Many folks
    > don't even know what NetFlow or sFlow is or how it can be used to
    > provide them much needed security information (and save them money).

    This for sure. I wouldn't, however, limit research on anomaly detection
    to statistical flow analysis. There is a lot more to it (automatic
    correlation of events, unsupervised learning on protocol behavior, etc)

    > This allows the NADS to find the piece of network infrastructure closest
    > to the threat (router, switch, firewall, etc.) and take blocking action
    > there in order to quarantine the attack.

    Brrrr. I'm not sure I would like that without a human filter.

    Best,
    Stefano

    Ph.D. Student
    Politecnico di Milano - Dip. Elettronica e Informazione
    www.elet.polimi.it/upload/zanero
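The two technical threads above (statistical flow analysis on NetFlow/sFlow data, and automated blocking at the nearest piece of infrastructure versus a "human filter") as one worked example. This is an added illustration, not code from the list, from Lancope or from the Politecnico work: the flow records are constructed inline in a simplified NetFlow-style tuple, and the 3-sigma rule, the stdev floor, the prefix-to-device map and the `approved` flag are all illustrative assumptions.

```python
"""Flow-based fan-out anomaly detection with a human-in-the-loop block gate.

Added example for this thread, not code from the list or any vendor. The
flow tuples below are constructed; the 3-sigma threshold, the 1.0 stdev
floor, ENFORCEMENT_POINTS and the 'approved' flag are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample flows: (minute, src, dst, dst_port, bytes).
# Minutes 0-5: 10.0.0.5 talks to 1-3 web servers on 80/443 (normal).
# Minute 6: the same host touches 5 hosts on 10 low ports each (a sweep).
SAMPLE_FLOWS = [
    (m, "10.0.0.5", "10.0.1.%d" % h, p, 1500)
    for m in range(6) for h in range(1, m % 3 + 2) for p in (80, 443)
] + [
    (6, "10.0.0.5", "10.0.1.%d" % h, p, 60)
    for h in range(1, 6) for p in range(20, 30)
]

# Assumed topology knowledge: which device sits closest to each prefix.
ENFORCEMENT_POINTS = {"10.0.0.": "access-switch-1", "10.0.1.": "dc-firewall"}


def fanout_per_minute(flows, src):
    """Distinct (dst, port) pairs per minute for one source. Fan-out is a
    cheap statistic that flow records expose without payload inspection."""
    seen = defaultdict(set)
    for minute, s, dst, port, _nbytes in flows:
        if s == src:
            seen[minute].add((dst, port))
    return {m: len(seen[m]) for m in sorted(seen)}


def detect_anomalies(series, baseline_minutes, z_threshold=3.0):
    """Return (minute, z) for minutes after the baseline window whose
    fan-out lies more than z_threshold standard deviations above baseline."""
    base = [series[m] for m in series if m < baseline_minutes]
    mu = mean(base)
    sigma = max(pstdev(base), 1.0)  # floor: a flat baseline must not alert on +1
    out = []
    for m in series:
        if m >= baseline_minutes:
            z = (series[m] - mu) / sigma
            if z > z_threshold:
                out.append((m, round(z, 2)))
    return out


@dataclass
class BlockProposal:
    src: str
    enforcement_point: str
    evidence: str
    approved: bool = False  # flipped only by a human analyst


def nearest_enforcement_point(ip):
    """Longest-prefix-style lookup over the assumed topology map."""
    for prefix, device in ENFORCEMENT_POINTS.items():
        if ip.startswith(prefix):
            return device
    return "border-router"  # assumed default when nothing closer is known


def propose_block(src, anomalies):
    """Turn detections into a proposal. Nothing touches a device here."""
    if not anomalies:
        return None
    evidence = ", ".join("minute %d z=%.2f" % a for a in anomalies)
    return BlockProposal(src, nearest_enforcement_point(src), evidence)


def apply_if_approved(proposal):
    """The human filter: without analyst approval the action is only held."""
    if proposal is None:
        return "no action"
    if not proposal.approved:
        return "held: %s on %s awaiting analyst approval (%s)" % (
            proposal.src, proposal.enforcement_point, proposal.evidence)
    return "applied: deny ip host %s any on %s" % (
        proposal.src, proposal.enforcement_point)


if __name__ == "__main__":
    series = fanout_per_minute(SAMPLE_FLOWS, "10.0.0.5")
    proposal = propose_block("10.0.0.5", detect_anomalies(series, 6))
    print(apply_if_approved(proposal))
    proposal.approved = True  # an analyst reviewed the evidence
    print(apply_if_approved(proposal))
```

Run as-is, the first print shows the proposal held at `access-switch-1` with its z-score evidence; only after `approved` is set does the second print emit the (illustrative) deny rule. Keeping the proposal and the enforcement step separate is what makes the human filter possible: a false positive in the statistical model costs an analyst a look rather than an outage on the closest switch.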


