IDS mailing list archives
RE: Current state of Anomaly-based Intrusion Detection
From: "SecurIT Informatique Inc." <securit () iquebec com>
Date: Fri, 04 Mar 2005 09:46:40 -0500
I have to agree with Frank here. The whole debate about IDSs today remind me a lot of the debates around the firewalls at the end of the 90's. Part of the problem could be the industry's fault, always touting any new technology as the ultimate silver bullet. As a result, a strong part of the market starts buying these technologies under a false sense of security (thinking that their problems are all solved), and when said technology fails (because of design flaw, misuse, misconfiguration, etc.), then that technology is being blamed for being non-working.
On the other hands, business owners/managers, and their admins, are too often just too happy to put all their security posture in the hands of a few security devices, without necessarily applying the needed configuration and maintenance to get it working properly. Combining these two factors together leads to the situation described by Frank: people putting too much responsabilities in the hands of their IDS software for identifying "abnormal" traffic.
In the light of all this, I think that people should more and more considre IDS as a number of strategies (implemented as software and hardware) to detect intrusions, rather than some specific piece of software relying on a single detection method. But by supplementing the admins with more reliable and more deversified data about the network's activity, and by supplying the means of treating all that data in an effective manner for the staff, I think that someone can effectively improve his IDS conditions on his network.
My 2 cents. Adam Richard At 11:14 PM 01/03/2005, Frank Knobbe wrote:
On Mon, 2005-02-28 at 08:56 -0800, Andrew Plato wrote: > This all depends on your definition of an "anomaly" detection engine. > I would say that anything that establishes "norms" for protocols or > traffic is, in essence, an anomaly detection system. Howdy Andrew, yeah, an anomaly is the difference between the detected traffic and what is considered "norm". Norm can be any of those that Jose listed: Statistical, spec based, relational, or behavioral. (I'm replying to your email because it summed it up so nicely ;) However, I think a fifth one should be added. When alerting on an "anomaly" that differs from "norm", I prefer to alert on "Knowledge" or "Expectation". That is simply, observing traffic and comparing it to what the administrator/operator of the network knows and expects. Any deviation can be considered an anomaly and is worth reporting. Realistically, that is probably a mix of described relation and described behavior. I say "described" to make clear that it is not "learned" by the IDS itself. It is described by the administrator. As such, it is the admins expectation of data flows that is described to the IDS. The IDS will watch traffic and alert on deviations -- those things that the admin didn't expect. Perhaps profiling it in this light may appear silly to some, but I think it highlights one important fact -- we've been giving the IDS too much authority, especially in self-learning IDSes. The IDS by itself does not know if certain traffic patterns should be there or not, are valid or not, or are hostile or not. I think we have delegated certain decisions away from the admin and to the IDS. This is fine and good for "known bad", but not for "abnormal". If traffic can be classified as "known bad" and "known good", certainly there is also "unknown". It seems that most signature and protocol based IDSes only watch for "known bad". The "unknown" part is detected by most anomaly based systems. But unknown to who? The IDS or the admin? I think leaving the IDS to make assumptions about "unknown" is bad practice. Any "unknown" should be alerted to the admin so that he can follow up and investigate that, and by doing so converts it from "unknown" to "known", either "good" or "bad". That can only be done if the admin defines "normal", not the IDS. Cheers, Frank (not authoritatively or scientifically speaking, but musing about anomaly detection on the couch...)
-- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 266.5.7 - Release Date: 01/03/2005 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Current state of Anomaly-based Intrusion Detection Göran Sandahl (Feb 28)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Chris Keladis (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 06)
- Re: Current state of Anomaly-based Intrusion Detection Adam Powers (Mar 04)
- Re: Current state of Anomaly-based Intrusion Detection Jose Nazario (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection security.feeds (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Orit Vidas (Mar 09)
- <Possible follow-ups>
- RE: Current state of Anomaly-based Intrusion Detection Andrew Plato (Mar 01)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection SecurIT Informatique Inc. (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Frank Knobbe (Mar 02)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 02)
- Re: Current state of Anomaly-based Intrusion Detection Thomas Ptacek (Mar 06)
- RE: Current state of Anomaly-based Intrusion Detection Gunnoe, Jason (Mar 06)