Re: Views and Correlation in Intrusion Detection
I think part of the problem here is defining what the usage scope
for a NIDS should be. I believe (and I'm not alone here) that a NIDS is part
of an overall ID system. However, I think most researchers and companies are
missing the point that what we need is not a better mouse trap, but rather a
clean room with the existing trap. Here I'm simply implying that a clean room
would be an ideal environment to pick up other 'evidence' of the presence of a
mouse, regardless of whether or not the mouse trap works.
I don't mean to say that ID (host and network) systems aren't in need of
improvement, because they are. What I do mean to say is that existing
implementations currently can't be used effectively because other, pertinent
information isn't available.
Research has been done (and lots of it) on correlation techniques. However,
many of these techniques completely ignore the fact that we live in a
heterogeneous world where data simply isn't _available_ to the system. People
have spent time writing custom conversion filters (for instance, Syslog to
IDMEF). However, writing custom transformations has two huge problems. First,
it simply doesn't scale. Second, and certainly tied to the first, is the
semantic problem that seems to often get ignored. The way that the system
and application developers understand the information is rarely the same as
that of the person using the system.
I think the question we have to ask ourselves is: are we spending too much
time trying to build a better mouse trap?
Cheers,
-Blake
Whatchu talkin' 'bout, Willis?
--
Blake Matheny "... one of the main causes of the fall of the
bmatheny@mkfifo.net Roman Empire was that, lacking zero, they had
http://www.mkfifo.net no way to indicate successful termination of
http://ovmj.org/GNUnet/ their C programs." --Robert Firth
Received on Wed Jun 18 15:44:22 2003