Very interesting. Replace "IDS" with "AV" and you have another article there.

Jimmy

-----Original Message-----
From: Crispin Cowan
To: Andrew Plato
Cc: crime@private
Sent: 10/12/01 9:50 PM
Subject: Re: The future of IDS

Andrew Plato wrote:

>Great discussion today. It was very good to hear that the issues of
>intrusion detection systems (IDS) are getting out there.
>

Folks interested in the future of IDS may want to check out RAID: Recent Advances in Intrusion Detection http://www.raid-symposium.org/raid2001/ I was there this week, and was on the panel on "Intrusion Tolerance".

>Where do you - and others - see the IDS market going? I am very curious
>about this out of both capitalistic desires (I want to make $$$ off
>selling the products) but also from a professional standpoint of how to
>get the best IDS bang for the buck.
>

In the panel on the future of IDS, there seemed to be a strong consensus that IDS is an arms race: no single technique will last for long, because the attackers adapt to the detection technique. This is bad, because you can never really depend on your IDS. This is good, because it's full employment for IDS researchers :-)

>Is there something else on the horizon? I've heard this notion of mating
>some advanced artificial intelligence (AI) with IDS - but that seems
>more Star Trek than reality.
>

The two big questions in IDS research are:

  * signature matching vs. anomaly detection:
      * signature detection: characterize all the attacks you know of, and bitch when you see them.
      * anomaly detection: characterize "normal" behavior, and bitch about everything else. Has the advantage of catching novel attacks, and the disadvantage of throwing a LOT of false positives.
  * host vs. network IDS:
      * network IDS: what you're likely used to.
      * host IDS: traditionally uses audit logs, more exotic methods may use patterns of behavior such as syscalls http://www.cs.unm.edu/~immsec/

There are some researchers using AI-ish techniques such as genetic algorithms and neural networks for anomaly detection, but they are not especially effective. It is hard to get a training data set that is sufficiently diverse that your AI pattern matcher doesn't bitch about benign-but-unusual events.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
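
Added example (not part of the original messages): a small Python sketch of the signature-vs-anomaly trade-off described above, applied to host syscall traces. The traces, the signature, the window length and the threshold are all constructed assumptions, and the sliding-window model is a simplified illustration, not the code of the research linked in the message.

```python
# Constructed syscall traces of one hypothetical daemon; not real audit data.
NORMAL_TRACES = [
    "open read mmap read close write".split(),
    "open read read close write".split(),
    "open mmap read close write write".split(),
]
# Constructed signature: a syscall subsequence of an attack we already know.
SIGNATURES = [("open", "write", "execve")]
WINDOW = 3  # assumed sliding-window length


def windows(trace, n=WINDOW):
    """All contiguous length-n syscall windows of a trace, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces):
    """Anomaly model: the set of windows observed during normal runs."""
    return {w for t in traces for w in windows(t)}


def signature_alert(trace):
    """Signature detection: alert only on a known attack subsequence."""
    return any(sig in windows(trace, len(sig)) for sig in SIGNATURES)


def anomaly_score(model, trace):
    """Fraction of the trace's windows never seen in training."""
    ws = windows(trace)
    return sum(w not in model for w in ws) / len(ws) if ws else 0.0


def anomaly_alert(model, trace, threshold=0.2):
    return anomaly_score(model, trace) > threshold


def evaluate():
    """Return {case: (signature_alert, anomaly_alert)} for four traces."""
    model = train(NORMAL_TRACES)
    cases = {
        "known attack": "open read close open write execve".split(),
        "novel attack": "open read mmap mprotect socket connect".split(),
        # e.g. a rare maintenance job: harmless, but absent from training
        "benign but unusual": "open read close stat unlink write".split(),
        "ordinary run": "open read mmap read close write".split(),
    }
    return {name: (signature_alert(t), anomaly_alert(model, t))
            for name, t in cases.items()}


if __name__ == "__main__":
    for name, (sig, anom) in evaluate().items():
        print(f"{name:20s} signature={sig!s:5s} anomaly={anom}")
```

The novel attack is missed by the signature detector and caught by the anomaly detector, while the benign-but-unusual trace raises an anomaly alert as well: the false-positive cost the message describes when the training set is not diverse enough.
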
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:23 PDT