Re: The future of IDS

From: Crispin Cowan (crispin@private)
Date: Fri Oct 12 2001 - 21:50:52 PDT

Next message: Kuo, Jimm: "RE: The future of ID"

Previous message: Zot O'Connor: "Re: Question about a Warning"
In reply to: Andrew Plato: "The future of IDS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrew Plato wrote:

>Great discussion today. It was very good to hear that the issues of
>intrusion detection systems (IDS) are getting out there. 
>
Folks interested in the future of IDS may want to check out RAID: Recent 
Advances in Intrusion Detection http://www.raid-symposium.org/raid2001/ 
I was there this week, and was on the panel on "Intrusion Tolerance".

>Where do you - and others - see the IDS market going? I am very curious
>about this out of both capitalistic desires (I want to make $$$ off
>selling the products) but also from a professional standpoint of how to
>get the best IDS bang for the buck.  
>
In the panel on the future of IDS, there seemed to be a strong consensus 
that IDS is an arms race: no single technique will last for long, 
because the attackers adapt to the detection technique. This is bad, 
because you can never really depend on your IDS. This is good, because 
it's full employment for IDS researchers :-)

>Is there something else on the horizon? I've heard this notion of mating
>some advanced artificial intelligence (AI) with IDS - but that seems
>more Star Trek then reality. 
>
The two big questions in IDS research are:

    * signature matching vs. anomaly detection:
          * signature detection: characterize all the attacks you know
            of, and bitch when you see them.
          * anomaly detection: characterize "normal" behavior, and bitch
            about everything else.  Has the advantage of catching novel
            attacks, and the disadvantage of throwing a LOT of false
            positives.
    * host vs. network IDS:
          * network IDS: what you're likely used to.
          * host IDS: traditionally uses audit logs, more exotic methods
            may use patterns of behavior such as syscalls
            http://www.cs.unm.edu/~immsec/
            <http://www.cs.unm.edu/%7Eimmsec/>

There are some researchers using AI-ish techniques such as genetic 
algorithms and neural networks for anomaly detection, but they are not 
especially effective.  It is hard to get a training data set that is 
sufficiently diverse that your AI pattern matcher doesn't bitch about 
benign-but-unusual events.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: Kuo, Jimm: "RE: The future of ID"
Previous message: Zot O'Connor: "Re: Question about a Warning"
In reply to: Andrew Plato: "The future of IDS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:23 PDT