IDS mailing list archives
RE: Specification-based Anomaly Detection
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 10 Jan 2005 23:05:07 -0800
All opinions are my own and in no way reflect the views of my employer.
-----Original Message-----
From: Stefano Zanero [mailto:zanero () elet polimi it]
Sent: Monday, January 10, 2005 12:50 AM
To: Ofer Shezaf
Cc: focus-ids () lists securityfocus com
Subject: Re: Specification-based Anomaly Detection

> Ofer, list,
>
> > I agree that anomaly detection is a new-comer to IDS, and in many cases
> > not a mature technology. But I think that due to the inherent
> > shortcomings of signatures, it has to be considered seriously.
>
> That's one of the lines of the speech I delivered at Black Hat - so I'd
> say I agree warmly with you :)
Stefano, could you expand on which part you agree with? I'm really confused to think that you would agree that anomaly detection would be new to IDS.
> > As one of you mentioned, the main disadvantage of signatures is zero day
> > attacks
>
> Or highly polymorphic attacks, yes.
Or custom-written attacks, which appear to be on the rise and can be developed specifically to avoid anomaly-based methods as well (example being the agobot DDoS function that sends a single GET request and then waits an extended period of time so that it appears to be the slashdot effect instead of a DDoS).
> > 2. On the network layer, network profiling analyzes the normal behavior
> > of users (i.e. traffic), while in the application layer we also profile
> > the normal behavior of the application.
>
> Sorry, I don't see how this makes a difference. By definition, a couple
> (host, port) defines a listening application, so we can profile
> application-based traffic profiles if we want to.
Really? What about apps that all tunnel over a single port? Are you profiling IE or gmail or IM over HTTP or a SOAP app or an SSL VPN? Are you getting the application that IANA says runs on that port or are you getting SAP using telnet on some random port or Cisco using HTTP on yet another random port?
> > 1. Application Layer Signatures - these signatures detect content that
> > may indicate an application layer attack. These signatures are much more
> > prone to false positives and may be more computationally complex to
> > detect. Simple examples are the word "select" (used in SQL injection)
> > and Win 32 assembly code (buffer overflows). Application signatures are
> > effective to determine an actionable item once an anomaly was detected.
>
> This is basic misuse detection, it does not mean you can deliver an
> actionable anomaly detection result.
No, but it does give you a much better chance of finding "actionable" (or ignorable) when you don't have someone like Tom to look at the packets. That's the reason why people loved early ISS so much, it didn't matter whether it was right or wrong, just that when it said something was wrong that it also told you what you should do about it.

toby
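An added illustration of the (host, port) versus application-layer profiling point argued above; this is example code written for this archive page, not code from anyone in the thread. It classifies a handful of constructed client flows once by destination port (an assumed, minimal IANA-style table) and once by the first bytes the client sent, and counts the groups each view would build a baseline on. Everything on port 80 collapses into one "http" profile by port, while the payload view separates a browser, a SOAP client and a TLS session sharing that port, and recognises HTTP and telnet on non-standard ports.

```python
from collections import Counter
import re

# Constructed IANA-style port table (assumption: only these entries matter here).
IANA_PORTS = {80: "http", 443: "https", 23: "telnet", 3200: "sap-dialog"}

def label_by_port(dst_port, payload=None):
    """The (host, port) view: one application per destination port."""
    return IANA_PORTS.get(dst_port, "unknown")

def label_by_payload(dst_port, payload):
    """The application-layer view: look at what the client actually sent."""
    head = payload[:512]
    if head.startswith((b"\xff\xfb", b"\xff\xfd")):    # telnet IAC WILL/DO negotiation
        return "telnet"
    if head.startswith(b"\x16\x03"):                    # TLS handshake record header
        return "tls"
    if not re.match(rb"(GET|POST|PUT) \S+ HTTP/1\.[01]\r\n", head):
        return "unknown"
    hdrs = head.lower()
    if b"soapaction:" in hdrs or b"content-type: text/xml" in hdrs:
        return "soap-over-http"
    if b"accept: text/html" in hdrs:
        return "browser-http"
    return "http-other"

def profile(flows, classify):
    """Count flows per label: the grouping a per-application baseline is built on."""
    return dict(Counter(classify(port, payload) for port, payload in flows))

# Constructed sample flows (dst_port, first client bytes); not real captures.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"),
    (80, b"POST /ws HTTP/1.1\r\nHost: api.example.com\r\nContent-Type: text/xml\r\n"
         b"SOAPAction: \"urn:Ping\"\r\n\r\n<soap:Envelope/>"),
    (80, b"\x16\x03\x01\x00\x95\x01\x00\x00\x91\x03\x01"),    # TLS ClientHello on port 80
    (8443, b"GET /admin HTTP/1.0\r\nHost: 10.0.0.1\r\n\r\n"),  # plain HTTP on a non-standard port
    (3299, b"\xff\xfd\x01\xff\xfb\x18"),                      # telnet negotiation on a random port
]

if __name__ == "__main__":
    print("by port:   ", profile(SAMPLE_FLOWS, label_by_port))
    print("by payload:", profile(SAMPLE_FLOWS, label_by_payload))
```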