
Re: Random IDS Thoughts [WAS: Re: IDS thoughts]

From: Stefano Zanero <stefano.zanero(at)ieee.org>
Date: Sat May 31 2003 - 17:29:33 EDT

> The fact that most IDS products out there now look the same is based on the
> fact that most companies out there (or the people running them, to be more

Applause :-)

> statistical-based IDS, or anomaly-based IDS

Actually, they are not necessarily synonyms, you know? Anomaly-based IDS could be, for instance, based on neural algorithms or other adaptive models.

> could be beaten by flooding a network with "anomalous" traffic

Rather naive. If you have a product that does not "adapt", this is obviously not a problem (i.e., you deploy it, you train it, then you "lock" it). Letting an algorithm learn by itself and still not get fooled by a semantic drift (this is one of the current names for the effect you described) is not an easy task, but it can be accomplished by following a scheme such as this:
- get the new data
- check if the new data is "wrong"; if it is, fire an alert and do NOT update
- if the new data is not "wrong", update the model to fit a little better on the new data

Obviously someone can still sneakily, bit by bit, subvert the training of the IDS. But it becomes a rather long attack ;-)


> Being notified of events as they occur takes less time, as you

In the hope that you won't actually be alerted, say, three times every ten minutes...

> So thinking about all that, I thought of designing a log-based IDS, or LIDS
> for acronym fans.

That's actually already used for Linux Intrusion Detection System kernel patches :)

I will be looking at LogIDS: looks like really nice work, though!

Stefano
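The check-then-update scheme sketched above (alert on "wrong" data and do not learn from it; learn only from data the model accepts), written out as an added, hypothetical example that is not code from the original post or from any IDS product discussed in the thread. It assumes a single numeric feature (say, connections per minute from one host) modelled as a running mean and variance; the threshold K, the learning rate alpha, and the three sample streams are constructed for illustration. The same class can be run in "locked" mode (deploy, train, lock) and in the naive always-update mode, so the effect of the flooding concern quoted earlier can be seen side by side with the check-then-update rule.

```python
"""Drift-resistant anomaly model: check first, update only on accepted data.

Added, hypothetical example (not from the original post or any IDS product).
One numeric feature is modelled as a running mean and variance. An
observation further than K standard deviations from the mean raises an
alert and is NOT folded into the model; accepted observations nudge the
model via an exponential moving average, so legitimate gradual change is
tracked while an abrupt flood of "anomalous" data is rejected.
"""
from dataclasses import dataclass, field
import math
from typing import List, Tuple


@dataclass
class AnomalyModel:
    mean: float
    var: float
    k: float = 3.0                 # alert when |x - mean| > k * stddev
    alpha: float = 0.05            # EMA rate; smaller means slower adaptation
    locked: bool = False           # "deploy, train, lock": never update
    update_on_alert: bool = False  # True reproduces the naive always-update model
    alerts: List[Tuple[int, float]] = field(default_factory=list)

    def stddev(self) -> float:
        return math.sqrt(max(self.var, 1e-9))

    def is_anomalous(self, x: float) -> bool:
        return abs(x - self.mean) > self.k * self.stddev()

    def _update(self, x: float) -> None:
        # Constant-weight (EMA) update of mean and variance.
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1.0 - self.alpha) * self.var + self.alpha * delta * delta

    def observe(self, t: int, x: float) -> bool:
        """Process one observation; return True if it raised an alert."""
        anomalous = self.is_anomalous(x)
        if anomalous:
            self.alerts.append((t, x))
        if self.locked:
            return anomalous
        # The scheme from the reply: only data judged "not wrong" trains the model.
        if not anomalous or self.update_on_alert:
            self._update(x)
        return anomalous


def run(model: AnomalyModel, stream: List[float]) -> Tuple[int, float]:
    """Feed a stream through the model; return (alert count, final mean)."""
    alerts = sum(1 for t, x in enumerate(stream) if model.observe(t, x))
    return alerts, model.mean


# Constructed sample streams (not real traffic).
BENIGN = [48.0, 50.0, 52.0, 49.0, 51.0] * 40         # 200 ordinary samples
FLOOD = [500.0] * 40                                  # abrupt "anomalous" burst
SLOW_SHIFT = [50.0 + 0.05 * i for i in range(200)]    # legitimate gradual change


def scenario(stream: List[float], **opts) -> Tuple[int, float]:
    """Run one stream from a common trained starting point (mean 50, var 4)."""
    model = AnomalyModel(mean=50.0, var=4.0, **opts)
    return run(model, stream)


if __name__ == "__main__":
    print("check-then-update, benign then flood:", scenario(BENIGN + FLOOD))
    print("always-update (naive), benign then flood:",
          scenario(BENIGN + FLOOD, update_on_alert=True))
    print("check-then-update, slow legitimate shift:", scenario(SLOW_SHIFT))
    print("locked model, benign:", scenario(BENIGN, locked=True))
```

With the check in place, every one of the 40 flood samples fires and the mean stays at about 50; the naive variant alerts only on the first couple of flood samples before its own updates absorb the burst and the alerts stop. The slow-shift stream shows the price of the check is not rigidity: a gradual change that never crosses the threshold is still learned. Subverting such a model "bit by bit" is still conceivable, which is exactly the point made in the reply, but it has to stay below K standard deviations at every step, which makes the drift slow and leaves each step visible to whoever reviews the model's trajectory.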





Received on Mon Jun 2 20:53:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT
