IDS mailing list archives
Re: IDS vs Application Proxy Firewal
From: Stefano Zanero <zanero () elet polimi it>
Date: Mon, 27 Oct 2008 21:28:11 +0100
Omar Herrera wrote:
> Anomaly detection in the end is still a form of blacklisting.

No, actually, it isn't. It's the contrary of it, by definition.

> Even if you use general patterns instead of specific ones, you are still doing a match against activity that is known to be bad

Then it is misuse detection, and not anomaly detection. You may wish to refer to Bace's work on intrusion detection for quickly getting up to speed with modern research in the area.

> introduce higher false positive rates as well. No research will make anomaly detection a better alternative than white lists (from an effectiveness point of view),

You mean, except for the fact that whitelisting, except in some very specific setting, is not a viable approach to manage complex information systems?

> everything else. Within http traffic you can't block all requests, but businesses and individuals might know the characteristics of good inputs and outputs and filter accordingly.

Businesses and individuals do not know anything of the kind. Otherwise, well, they would be doing what you suggest :) Anomaly detection is all about learning automatically "whitelists" of normal activities. I will jump your examples, as they are actually excellent examples of why manually created whitelists are completely unusable in any modern environment.

> Sure, some anomaly detection devices try to learn from the environment what is good and bad.

ANY anomaly detector will do that.

> In practice you will get only information on what is significantly (e.g. statistically) different from the point where you took your measures.

No, this is not true. You evidently don't know most of the recent research on the subject (which is what Damiano, and I incidentally, tend to do for a living :) )

> Bad things that happened at the time of measurement might be legitimized, new good things might be marked as bad.

These are problems that have been widely studied. To claim there's no way around them is false.

> Security departments have no excuse to not white list these days in my opinion
Except having an actual, real world network to run, you mean? White listing is a naive approach, which is perfect only in a very limited setting of drones all doing the same things. In a modern network of empowered users it won't hold for a second.

Best,
Stefano
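As an added illustration (not from this thread or either of its authors) of the "learned whitelist" Stefano describes: a minimal per-parameter profile for HTTP query strings, trained on constructed normal requests, which flags length and character-class deviations and, exactly as Omar's objection predicts, also flags a new but legitimate parameter it never saw in training. The 3-sigma threshold, the `/search` endpoint and the sample traffic are assumptions made for the example.

```python
from statistics import mean, pstdev
from urllib.parse import urlsplit, parse_qsl

class ParamProfile:
    """Per (path, parameter): mean/stdev of value length and character classes
    seen in training. Anything outside that learned profile is an anomaly."""
    def __init__(self, sigmas=3.0):  # 3-sigma threshold is an assumption
        self.sigmas = sigmas
        self.lengths = {}  # (path, name) -> observed value lengths
        self.classes = {}  # (path, name) -> set of character classes seen

    @staticmethod
    def char_classes(value):
        return {"alpha" if c.isalpha() else "digit" if c.isdigit() else "other"
                for c in value}

    @staticmethod
    def features(url):
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            yield (parts.path, name), value

    def train(self, urls):  # learn the "whitelist" of normal activity
        for url in urls:
            for key, value in self.features(url):
                self.lengths.setdefault(key, []).append(len(value))
                self.classes.setdefault(key, set()).update(self.char_classes(value))

    def anomalies(self, url):  # -> [(param, reason)] for values outside the profile
        found = []
        for key, value in self.features(url):
            if key not in self.lengths:
                found.append((key[1], "unseen parameter"))
                continue
            mu, sd = mean(self.lengths[key]), pstdev(self.lengths[key])
            if abs(len(value) - mu) > self.sigmas * max(sd, 1.0):
                found.append((key[1], "length outlier"))
            if self.char_classes(value) - self.classes[key]:
                found.append((key[1], "unseen character class"))
        return found

TRAINING = ["/search?q=firewall&page=1", "/search?q=proxy&page=2",  # constructed
            "/search?q=intrusion&page=1", "/search?q=anomaly&page=3",
            "/search?q=ids&page=1", "/search?q=whitelist&page=2"]

def demo():
    profile = ParamProfile()
    profile.train(TRAINING)
    return {"normal": profile.anomalies("/search?q=detection&page=2"),
            "suspicious": profile.anomalies("/search?q=" + "a" * 40 + "%27&page=1"),
            "new_legit": profile.anomalies("/search?q=ids&page=1&lang=en")}  # false positive
```

The third case is the trade-off the thread argues about: the profile was never told that `lang` is legitimate, so a learned whitelist reports it until retrained, while a hand-written one would have had to be edited by someone.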