RE: Suggestions

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Rishikesh Pande [mailto:rpande () vt edu] 
> Sent: Saturday, May 29, 2004 7:16 AM
> To: Clint Bodungen
> Cc: Thiago dos Santos Guzella; focus-ids () securityfocus com
> Subject: Re: Suggestions
>
> You may want to look at some of the research done by Matthew 
> Williamson  
> at HP labs. They introduced the concept of virus throttling, 
> which does  
> not involve any AI logic but still is *proven* to be effective for  
> known and unknown threats. 

He has some very interesting papers, thanks for the link.

http://www.hpl.hp.com/techreports/2002/HPL-2002-172.html

Quote:
"This paper presents an approach to restricting this high speed
propagation automatically. The approach is based on the observation that
during virus propagation, an infected machine will connect to as many
different machines as fast as possible. An uninfected machine has a
different behaviour: connections are made at a lower rate, and are
locally correlated (repeat connections to recently accessed machines are
likely). "

We utilized exactly this detection system, with api detection features,
in our local honeypot kits. Never read his papers before, it is just
obvious. It is smart and it works.

It doesn't use AI, you are correct, one could say. One could also say
otherwise, depending on one's definition of "AI". Of course, his
throttling
and his detection of virus activity are really two entirely different
things, though. 

http://www.hpl.hp.com/personal/Matthew_Williamson/publications.htm

Throttling seems to be how he handles virii, or more specifically,
worms,
whereas he detects them from their spreading mechanism. (I have always
been against the grain and felt that slow, stealthy worms are far more
dangerous then fast, "warhol" type of worms, personally).

This is just for worm behavior, it might be noted. It is a bit like port
detection for trojans. Such a model might be adapted to PE infecting
worms, though at that stage you would probably be needing to do some
api hooking for detection, anyway. 

It is effective because of the frequency of attacks of the same
old worms and because they all are in such a hurry to propagate wildly.



> Of course, there are ways of flying under  
> the radar, but then the effectiveness of the worm will decrease.

I have always disagreed with mainstream thought that visible worms
are the most dangerous.

I understand their appeal.

Historically, stealth and destruction tend to go together. Genghis
Khan was able to destroy some pretty cities because of stealth and
misdirection. The end product may have appeared all "shock and awe",
but that was only possible because of stealth.

Fundamentally, stealth and destruction go together... so it should
be considered an inevitable - if not always actual - component
of protection.


> Though I personally like the concept of A.I. being used for 
> intrusion  
> prediction, I have not seen a good prediction logic yet. 
> Though it may  
> simply be the task of putting it all together and coming up with a  
> better system by simply borrowing from several different ideas.
> Rishi
>
> On May 27, 2004, at 6:33 PM, Clint Bodungen wrote:
>
> > I'm involved in the same sort of project and we're using 
> the idea of a
> > product from Q1 Labs called QRadar (www.q1labs.com) as our 
> foundation  
> > and
> > expanding upon it.  It uses network behavioral/anomaly analysis to  
> > determine
> > whether or not an attack or worm propagation is immanent.   
> > Unfortunately, it
> > stops short because it focuses mainly on network traffic 
> trends and  
> > only has
> > limited packet analysis.  One has to be able to monitor both network
> > statistics as well as complete packets and TCP sessions.  
> The problem  
> > with
> > this is that it becomes a resource nightmare if you intend 
> to track a  
> > large
> > amount of TCP sessions for a lengthy amount of time.  A 
> true Hybrid  
> > solution
> > would work best because you must have a way to determine 
> whether or  
> > not the
> > anomaly is a known or unknown threat.  Obviously, the known 
> threats  
> > will be
> > identified by a signature.  Once a signature matches it can be  
> > discarded and
> > save resources.  Analyzing the new, unknown anomaly is 
> where the AI  
> > kicks
> > in.  When it detects an anomaly and starts analysis it has 
> to determine
> > whether it is in fact malicious activity or something like 
> standard  
> > network
> > performance issues.  That in itself would almost have to be somewhat
> > signature based on the backend somewhere in the AI 
> algorithms wouldn't  
> > it?
> > Another aspect we are looking at is how to develop the 
> algorithms for
> > detecting convoluted attacks such as worms or exploits that use  
> > polymorphic
> > code.  Any suggestions on that as well?
> >
> > -Clint
> >
> >
> > ----- Original Message -----
> >
> > Hi there,
> >
> > I am taking part in a research project on artificial 
> inteligence, and  
> > my
> > objective is to create a IDS (possibly hybrid), capable of 
> detecting  
> > attacks
> > never seeing before (by using some artificial inteligence 
> algorithms).
> > I would like to hear suggestions on which aspects of 
> network trafiic  
> > should
> > I
> > focus on ...
> > Thanks in advance.
> > -- Thiago dos Santos Guzella
> > Linux User #354160
> > UIN 13465286
> --------------------------------------------------------------
> --------- 
> > ----
> --------------------------------------------------------------
> --------- 
> > ----
>
>
> --------------------------------------------------------------
> -------------
>
> --------------------------------------------------------------
> -------------

---------------------------------------------------------------------------

---------------------------------------------------------------------------