
Re: IDS thoughts

From: Mike Frantzen <frantzen(at)nfr.net>
Date: Tue May 20 2003 - 15:33:38 EDT

> You're making the assumption that "anomaly detection" means "protocol

Guilty as charged. "rule-based" has some false connotations but yes.  

> "Anomaly detection", in the IDS context, means "detecting threats by

I haven't seen any sound theory on dynamically learning the "norm" of a network that learns more than connection/flow patterns. I would dispute the utility of an IDS that couldn't tell me that the CEO's laptop was trojaned while he was futzing around at home and someone set up a store and forward attack that just took over the company IMAP server when he got back into the office. The connection isn't anomalous, the payload was. But Arbor may have found a secret sauce. I donno, haven't signed the NDA. From what I have heard, the pure connection/flow anomaly detection engines were trying to enter the IDS space by partnering with a conventional IDS and correlating alerts with the anomalous flows.

Again we see a hybrid approach. Will detect less new or permuted attacks than protocol anomaly detection but will not have the type of false positives endemic to pure protocol anomaly detection.

Can you do me a favor and go whack Dug, Aaron, Eric, and Jose on the back of their heads for not going to the Calgary hackathon. Feel free to blame me ;-)

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org) PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
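The distinction the message draws (the connection is normal, only the payload is not) as an added example that is not part of the original post and not NFR's code: a learned flow baseline beside a protocol-anomaly check on IMAP command lines, and the hybrid correlation that only escalates when both fire. The flow records, the IMAP command list and the argument length limit are constructed assumptions.

```python
from collections import Counter

# Constructed sample flow records: (src, dst, dport). The laptop at 10.0.0.5
# talks to the IMAP server 10.0.0.20 every day, so that flow is "normal".
BASELINE_FLOWS = [("10.0.0.5", "10.0.0.20", 143)] * 30 + \
                 [("10.0.0.7", "10.0.0.20", 143)] * 25

# Assumed set of IMAP commands a client is expected to send, and an assumed
# sanity limit on a single argument; both are protocol-anomaly heuristics.
KNOWN_IMAP_COMMANDS = {"LOGIN", "SELECT", "FETCH", "LIST", "LOGOUT",
                       "NOOP", "CAPABILITY"}
MAX_ARG_LEN = 256


def learn_flow_baseline(records):
    """Flow anomaly detection: count how often each (src, dst, dport) was seen."""
    return Counter(records)


def flow_is_anomalous(baseline, flow, min_seen=3):
    """A flow seen fewer than min_seen times in the baseline is anomalous."""
    return baseline[flow] < min_seen


def imap_command_anomalous(line):
    """Protocol anomaly detection on one IMAP client line: '<tag> <cmd> [args]'."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return True
    cmd = parts[1].upper()
    args = parts[2] if len(parts) == 3 else ""
    return cmd not in KNOWN_IMAP_COMMANDS or len(args) > MAX_ARG_LEN


def hybrid_verdict(baseline, flow, payload_line):
    """Correlate the two engines, as the hybrid products described do.
    Only a protocol alert on an anomalous flow is treated as correlated; a
    trojaned host talking to its usual server yields a protocol-only alert."""
    flow_anom = flow_is_anomalous(baseline, flow)
    proto_anom = imap_command_anomalous(payload_line)
    if proto_anom and flow_anom:
        return "alert:correlated"
    if proto_anom:
        return "alert:protocol-only"
    if flow_anom:
        return "alert:flow-only"
    return "ok"
```

Running it over the constructed baseline shows the failure mode from the message: the well-known laptop-to-IMAP flow never trips the flow engine, so an oversized LOGIN argument on it surfaces only from the protocol check.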





Received on Tue May 20 15:40:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

