IDS mailing list archives

Re: Random IDS Thoughts [WAS: Re: IDS thoughts]


From: "Stefano Zanero" <stefano.zanero () ieee org>
Date: Sat, 31 May 2003 23:29:33 +0200

> The fact that most IDS products out there now look the same is based on
> the fact that most companies out there (or the people running them, to be
> more precise) know more about making money than designing new technologies.

Applause :-)

> statistical-based IDS, or anomaly-based IDS

Actually, they are not necessarily synonyms, you know? Anomaly-based IDS
could be, for instance, based on neural algorithms or other adaptive models.

> could be beaten by flooding a network with "anomalous" traffic

Rather naive. If you have a product that does not "adapt", this is obviously
not a problem (i.e., you deploy it, you train it, then you "lock" it).
Letting an algorithm learn by itself and still not get fooled by a semantic
drift (this is one of the current names for the effect you described) is not
an easy task, but it can be accomplished by following a scheme such as this:
- get the new data
- check if the new data is "wrong"; if it is, fire an alert and do NOT update
- if the new data is not "wrong", update the model to fit a little better on
  the new data

Obviously someone can still sneakily, bit by bit, subvert the training of
the IDS. But it becomes a rather long attack ;-)

> Being notified of events as they occur takes less time, as you
> only have to deal with the data presented at this time.

In the hope that you won't actually be alerted, say, three times every ten
minutes...

> So thinking about all that, I thought of designing a log-based IDS, or LIDS
> for acronym fans.

That's actually already used for Linux Intrusion Detection System kernel
patches :)

I will be looking at LogIDS: looks like really nice work, though!

Stefano
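The gated update scheme described in the reply, as an added example that is not part of the original message: a running mean and variance of one metric that alerts on samples beyond a z-score threshold, learns only from the samples it accepts, and compares its adapted mean against the values locked at the end of training so that a slow drift of the model can be noticed. The metric, thresholds, learning rate and warm-up length are assumptions.

```python
import math

class GatedAnomalyModel:
    """Running mean/variance of one metric that learns only from samples it does not flag."""

    def __init__(self, threshold=3.0, alpha=0.05, warmup=20):
        self.threshold = threshold  # z-score above which a sample counts as "wrong" (assumed)
        self.alpha = alpha          # how far the model moves toward each accepted sample
        self.warmup = warmup        # samples trusted unconditionally during initial training
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0               # Welford's running sum of squared deviations
        self.var = 0.0
        self.baseline = None        # (mean, sigma) locked when training ends

    def sigma(self):
        return math.sqrt(max(self.var, 1e-9))

    def score(self, x):
        return abs(x - self.mean) / self.sigma()

    def observe(self, x):
        """Return True (alert) if x is anomalous; the model is updated only if it is not."""
        if self.n < self.warmup:                 # still training: plain Welford update
            self.n += 1
            delta = x - self.mean
            self.mean += delta / self.n
            self.m2 += delta * (x - self.mean)
            self.var = self.m2 / self.n
            if self.n == self.warmup:
                self.baseline = (self.mean, self.sigma())
            return False
        if self.score(x) > self.threshold:
            return True                          # fire the alert and do NOT update
        delta = x - self.mean                    # accepted: fit a little better to new data
        self.var = (1 - self.alpha) * self.var + self.alpha * delta * delta
        self.mean += self.alpha * delta
        return False

    def drifted(self, k=2.0):
        """True if the adapted mean moved more than k locked sigmas since training ended."""
        if self.baseline is None:
            return False
        mean0, sigma0 = self.baseline
        return abs(self.mean - mean0) > k * sigma0

def run_stream(model, stream):
    """Feed samples in order and return those that raised an alert."""
    return [x for x in stream if model.observe(x)]
```

A periodic `drifted()` check is the kind of second control the gate alone does not give you: each small step passes the gate, but the distance from the locked baseline accumulates.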
