A Network IPS Proposal (was Definition of Zero Day Protection)

[Shaiful <shaifuljahari () yahoo com>]

Hi all,

I did a research on Network IPS a while back when the
network IPS term is unknown and when you mentioned
blocking virus at the network layer, people think that
you are smoking crap. Anyway, time passed by and it
good to see immature technology like IDS growing up.

Detecting unknown attack is the holy grail of network
security but if somebody know how to do it he might be
crazy working on network security, he'll better off
working on stock exchange, since he can predict the
rising and declining stock values, therefore, buy/sell
at the right moment and becomes millionaire over night
;-)

I think the best we can do, since we *CANNOT* predict
the future is to have some 3rd party system like
Honeycomb to trap JUST KNOWN attack and automatically
generate the IPS signature and block the subsequence
attack based on the similar pattern.  Thus, any worm
variance, e.g., Sasser A,B,D,E (until Z) can be easily
stopped with low false positive.

Regards,
Shaiful,
Universiti Putra Malaysia.

--- Drew Copley <dcopley () eEye com> wrote:

> Apart from semantical differences over the term
> "host based", there are
> a wide range of heuristic security applications
> which provide some
> degree of protection from zero day.
>
> We have, for instance, long used a "class based"
> system, in SecureIIS,
> which we have greatly expanded in Blink. We have
> further added multiple
> api gating layers and are continuing to greatly
> expand in this
> direction. 
>
> Systrace is an example, among many, of api
> protection systems. There are
> many products in this class. Most of them have
> limited but realistic
> effectiveness against unknown vulnerabilities. How?
> They limited their
> potential destructive influence.
>
> In fact, one of our researcher's [now former] did a
> presentation at
> Black Hat on breaking some of these systems
> (Seattle). He showed how a
> payload could take over a process and spawn new
> threads, creating an
> effective sniffer and trojan agent which by all
> appearances to most api
> protection systems would be the invaded process --
> iis.
>
> Regardless, these systems remain our best direction
> for complete
> protection. The hardest trick is not in hardening
> the system -- it is in
> allowing the system to be completely hardened and
> regulated and to have
> it still be usable.
>
> Heuristic AV has long been in the running, though,
> and many if not most
> implementations have detection properties for zero
> day attacks. AV
> generally will not be designed to detect all
> attacks. The malformed
> packet coming in, might not be detected, the
> resulting shell code may
> be. But, the webpage, email, or IM is very likely to
> be detected. 
>
> Heuristic AV has many problems, however. It is "work
> in progress". I
> made such an agent -- it profiled binaries by apis
> they used and certain
> signatures, such as those for encrypted or packed
> binaries. Effectively,
> I was trying to do what I did manually. And, to some
> success. The
> reasoning is rather simple, if you look at your most
> common trojan and
> malware agents and look for the commonality there.
> Granted, many virii,
> unfortunately, do not have any such common api
> traits... and it is
> always possible not to use typical apis or apis at
> all to cause damage.
>
> BTW, I mentioned "class based systems". What is
> that? Ultimately, it
> fits in with the "commonality" I was just
> mentioning. There are certain
> commonalities we can find in shell code, in virii,
> in trojans. I like to
> call them "chokepoints", and I like to "gate" these
> chokepoints. 
>
> For instance, spyware. A vast majority of spyware
> uses the BHO registry
> key. Many use the run registry key on top of that.
> One can harden these
> keys and typically detect and therefore eliminate
> every spyware which
> attempts to use either of these keys -- they are
> rare enough outside of
> the malware world that one might do this.
>
> There are many such chokepoints or commonalities to
> be found which can
> be used as a guide. The trick is to reduce false
> positives and keep the
> system usable. 
>
> **FYI, I will be unable to answer replies, no
> offense intended to anyone
> that might do this. I believe this post was
> comprehensive.
>
>
>
>
> > -----Original Message-----
> > From: Teicher, Mark (Mark)
> [mailto:teicher () avaya com] 
> > Sent: Monday, August 09, 2004 12:15 PM
> > To: Drew Simonis; focus-ids () securityfocus com
> > Cc: Seanor, Joseph (Joe)
> > Subject: RE: Definition of Zero Day Protection
> >
> > Drew,
> >
> > What host based products would fit this category
> based on the 
> > definition
> > ??  Do they really work ??
> >
> > -----Original Message-----
> > From: Drew Simonis [mailto:simonis () myself com] 
> > Sent: Monday, August 09, 2004 01:07 PM
> > To: Teicher, Mark (Mark);
> focus-ids () securityfocus com
> > Cc: Seanor, Joseph (Joe)
> > Subject: Re: Definition of Zero Day Protection
> >
> >
> > ----- Original Message -----
> > From: "Teicher, Mark (Mark)" 
> > Date: Sun, 8 Aug 2004 19:47:48 -0600
> > Subject: Definition of Zero Day Protection 
> >
> > > What is Zero Day Protection
> >
> > It is, as you stated, another marketing blurb, but
> it isn't just that.
> > Usually, this bit of jargon is applied to a 
> > detection/prevention system
> > that uses things like heuristic detection
> techniques, behavior based
> > detection, protocol anomoly or some other advanced
> methods.  
> > These allow
> > the activity to be blocked or alerted on, as
> opposed to the specific
> > event.  
> >
> > So, for example, a worm can be characterized by
> certain 
> > activity.  Say,
> > opening connections to lots of remote hosts in a
> short period of time.
> > This behavior can be blocked (e.g. the process can
> be killed) even
> > without knowing that it was WormX.  
> >
> >
> > hth,
> > -Ds
--------------------------------------------------------------
> > ------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with
> real-world 
> > attacks from CORE
> > IMPACT.
> > Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_04
> > 0708 to learn more.
--------------------------------------------------------------
> > ------------
--------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with
> real-world attacks from CORE
> IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
--------------------------------------------------------------------------
>



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------