
Re: IDS thoughts

From: Stefano Zanero <stefano.zanero(at)ieee.org>
Date: Sun May 18 2003 - 16:19:57 EDT

> There's really not a whole lot else to be done in the IDS market except

You are joking, right? There's a whole lot of research still open in the IDS field. Just to begin, you are apparently forgetting that there's a whole paradigm of ID, anomaly-based detection, which has just been forgotten by the mainstream development.

In the next few years, while established IDS products will strive to keep their growing signature base up to date, and face increasing performance problems, probably some attention will return to that preliminary choice of matching bad_things instead of good_ones.

When it comes to firewalling, we all agree: you just shut down everything very tight, then open up what few ports you actually need. When it comes to privileges and authentication, we do the same thing, and we are quick to point out the error when someone tries to filter out unwanted input, instead of specifying what the expected one is.

Oddly, when we talk about IDS and antivirus software, we blindly accept that there's only one way to do it: by describing what we do NOT want on our system by means of signatures. Well, this happens to be a BAD idea, even if until now it has given us some satisfaction.

Stefano Zanero




Received on Tue May 20 13:21:43 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

