IDS mailing list archives
Re: Definition of Zero Day Protection
From: Stefano Zanero <zanero () elet polimi it>
Date: Tue, 10 Aug 2004 16:15:17 +0200
Drew Simonis wrote:
As mentioned, do we consider them working if, at 100% malicious detection,they lump in 20% non-malicious false positive?
As usual, there is a trade off between false positives and detection rate, and _usually_ this trade off is such that you can grow up to, say, 80 or 90% of DR incurring in a small number of FP (say, 10%), and then all of a sudden you hit a "hard" barrier and in order to catch the remaining <little number> of attacks, you have to accept <a hell more> false positives.
So, the question is: what are these systems good for ? they are good for complementing misuse based, non-zero-day catching systems, so even a 20% detection rate would be "good", since it's 20% _more_ than what was previously done. We can thus stay in the "easy" area of the tradeoff between detection and false positives.
I'd also like to add, responding to other posts, that it is not necessarily true that anomaly detection on the networks means just detecting "one megabit per second of odd dns request". Anomaly detection CAN go as far as detecting a single anomalous packet. The fact that such systems are still in research phase and that you cannot buy them yet is another problem entirely, but they do exist. See my Black Hat presentation for hints about them.
Regards, Stefano -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: Definition of Zero Day Protection, (continued)
- RE: Definition of Zero Day Protection Joshua Berry (Aug 10)
- RE: Definition of Zero Day Protection Brian Smith (Aug 10)
- RE: Definition of Zero Day Protection Teicher, Mark (Mark) (Aug 10)
- RE: Definition of Zero Day Protection Brian Smith (Aug 10)
- RE: Definition of Zero Day Protection Drew Copley (Aug 10)
- A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 13)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Johnny Calhoun (Aug 16)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Stefano Zanero (Aug 17)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 17)
- A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 13)
- RE: Definition of Zero Day Protection Drew Simonis (Aug 10)
- Re: Definition of Zero Day Protection Stefano Zanero (Aug 11)
- Re: Definition of Zero Day Protection hidsbr (Aug 10)
- RE: Definition of Zero Day Protection Joseph Hamm (Aug 11)