IDS mailing list archives
RE: How do behavioral/anomaly detection systems learn?
From: "Sasha Romanosky" <sasha_romanosky () yahoo com>
Date: Thu, 5 Feb 2004 19:40:21 -0800
Thanks to everyone who responded. David, You raise a very interesting attack against these systems, that of some one "teaching" the system bad habits. Any idea what sort of conditions might exist to facilitate this, or how one might go about it? Recently, I was listening to a talk on email spam prevention. The system used bayesian filtering to score and discard spam. Users of the system, upon receiving a spam email, could forward it to an internal email account where a script was run that added the email to the spam filter. This works great until "Bob" decides he never wants to see another email from his boss and forwards that to the spam account. Now, auditing and honesty may prevent this in real life, but the threat -- and vulnerabiltiy, remain. Any thoughts on what sort of countermeasures could be used to prevent this in a behavioral IDS or application firewall? That is, how you would go about preventing some one from retraining it? Cheers, Sasha
-----Original Message----- From: david maynor [mailto:david.maynor () oit gatech edu] Sent: Thursday, February 05, 2004 6:44 AM To: Sasha Romanosky Cc: focus-ids () securityfocus com Subject: Re: How do behavioral/anomaly detection systems learn? Depending on the system it can widely vary. Most of these system create a baseline of network traffic and flag on behavior that widely varies from the baseline. This is not the only method, many systems include protocol analysis and rfc compliance. An example of protocol analysis is checking for encrypted tunnels over port 80 by the amount of traffic transfered with out valid HTTP traffic. Your question is more about how they learn. There are two answers to this and neither of them are pretty. One is manual. This means after a certain number of false positives (like a user running an application that was present during the baseline) you would add the traffic pattern to the profile by hand. As everyone knows this is not effective for anything larger than a class C. The second way is through an automated process where a threshold and a time value are set and after a certain amount of time the abnormal traffic behavior becomes part of the offending hosts profile. This means in the future similar traffic will not cause and alarm. There are some provisions in the systems to alert on know bad traffic patterns like fileswapping but you the effectiveness of the device is limited at this point. There are attacks you can do against such a system like a "low slow" attack where someone could do whatever they as long as it is rate limited. Another example is someone who spends the time to "teach" the system bad habits. Simple thing like this are why such systems should be used in conjunction with signature based systems. The ideal product would have a hybrid of both.
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 04)
- RE: How do behavioral/anomaly detection systems learn? Tarek Amr Abdullah (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Konrad Rieck (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Stefano Zanero (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? david maynor (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Stefano Zanero (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Sasha Romanosky (Feb 08)
- Re: How do behavioral/anomaly detection systems learn? Ravi (Feb 08)
- <Possible follow-ups>
- Re: How do behavioral/anomaly detection systems learn? Jason Anderson (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Mariusz Burdach (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Teicher, Mark (Mark) (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Teicher, Mark (Mark) (Feb 08)
- RE: How do behavioral/anomaly detection systems learn? Tarek Amr Abdullah (Feb 08)