RE: The future of IDS

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Sat Oct 13 2001 - 08:50:27 PDT


    Very interesting.  Replace "IDS" with "AV" and you have another article
    there.
    
    Jimmy
    
    -----Original Message-----
    From: Crispin Cowan
    To: Andrew Plato
    Cc: crime@private
    Sent: 10/12/01 9:50 PM
    Subject: Re: The future of IDS
    
    Andrew Plato wrote:
    
    >Great discussion today. It was very good to hear that the issues of
    >intrusion detection systems (IDS) are getting out there. 
    >
    Folks interested in the future of IDS may want to check out RAID: Recent
    Advances in Intrusion Detection http://www.raid-symposium.org/raid2001/
    I was there this week, and was on the panel on "Intrusion Tolerance".
    
    >Where do you - and others - see the IDS market going? I am very curious
    >about this out of both capitalistic desires (I want to make $$$ off
    >selling the products) but also from a professional standpoint of how to
    >get the best IDS bang for the buck.  
    >
    In the panel on the future of IDS, there seemed to be a strong consensus
    that IDS is an arms race: no single technique will last for long, 
    because the attackers adapt to the detection technique. This is bad, 
    because you can never really depend on your IDS. This is good, because 
    it's full employment for IDS researchers :-)
    
    >Is there something else on the horizon? I've heard this notion of mating
    >some advanced artificial intelligence (AI) with IDS - but that seems
    >more Star Trek than reality. 
    >
    The two big questions in IDS research are:
    
        * signature matching vs. anomaly detection:
              * signature detection: characterize all the attacks you know
                of, and bitch when you see them.
              * anomaly detection: characterize "normal" behavior, and bitch
                about everything else.  Has the advantage of catching novel
                attacks, and the disadvantage of throwing a LOT of false
                positives.
        * host vs. network IDS:
              * network IDS: what you're likely used to.
              * host IDS: traditionally uses audit logs, more exotic methods
                may use patterns of behavior such as syscalls
                http://www.cs.unm.edu/~immsec/
    
    There are some researchers using AI-ish techniques such as genetic 
    algorithms and neural networks for anomaly detection, but they are not 
    especially effective.  It is hard to get a training data set that is 
    sufficiently diverse that your AI pattern matcher doesn't bitch about 
    benign-but-unusual events.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
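The signature-vs-anomaly distinction Crispin describes, and the syscall-sequence flavour of host IDS the UNM link points to, can be shown concretely. The following is an added example, not code from this thread or from the UNM group: it runs a tiny signature matcher and a sliding-window (n-gram) anomaly profile over constructed syscall traces. The trace contents, the signature names and the `anomaly_score` threshold are all made up for illustration. It demonstrates both halves of the trade-off in the message: the anomaly profile flags a novel sequence that no signature knows about, and it also flags a benign-but-unusual trace that the training set simply never contained.

```python
"""Signature matching vs. n-gram anomaly detection over syscall traces.

Added illustration (not part of the original discussion). All traces,
signatures and thresholds below are constructed sample data.
"""
from typing import Dict, List, Sequence, Set, Tuple

Trace = Sequence[str]
Window = Tuple[str, ...]

# Constructed "normal" training traces: syscall names per process run.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "read", "read", "read", "close"],
]

# Constructed signature database: short syscall patterns labelled as known-bad.
SIGNATURES: Dict[str, Window] = {
    "write-then-exec": ("write", "execve"),
    "setuid-then-exec": ("setuid", "execve"),
}


def windows(trace: Trace, n: int) -> List[Window]:
    """Sliding windows of length n over a trace (empty if the trace is shorter)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def signature_detect(trace: Trace, signatures: Dict[str, Window] = SIGNATURES) -> List[str]:
    """Signature approach: report every known-bad pattern that occurs in the trace.

    Catches only what is already in the database; a novel sequence yields [].
    """
    hits = []
    for name, pattern in signatures.items():
        if pattern in windows(trace, len(pattern)):
            hits.append(name)
    return hits


def build_profile(traces: Sequence[Trace], n: int = 3) -> Set[Window]:
    """Anomaly approach, training phase: the set of all n-grams seen in normal traces."""
    profile: Set[Window] = set()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile


def anomaly_score(trace: Trace, profile: Set[Window], n: int = 3) -> float:
    """Fraction of the trace's n-grams never seen during training (0.0 .. 1.0).

    Edge case: a trace shorter than n has no windows and cannot be judged,
    so it scores 0.0 rather than raising; callers should treat that as
    "no evidence", not "clean".
    """
    ws = windows(trace, n)
    if not ws:
        return 0.0
    unseen = sum(1 for w in ws if w not in profile)
    return unseen / len(ws)


def classify(trace: Trace, profile: Set[Window], threshold: float = 0.5, n: int = 3) -> Dict[str, object]:
    """Run both detectors on one trace; the threshold is an arbitrary constructed value."""
    score = anomaly_score(trace, profile, n)
    return {
        "signature_hits": signature_detect(trace),
        "anomaly_score": score,
        "anomalous": score >= threshold,
    }


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES)
    samples = {
        "known attack":    ["open", "read", "write", "execve"],
        "novel attack":    ["open", "read", "execve", "close"],
        "benign, unusual": ["stat", "open", "write", "close"],
        "normal":          ["open", "read", "read", "close"],
    }
    for label, trace in samples.items():
        print(f"{label:16s} {classify(trace, prof)}")
```

Running it shows the known attack caught by both detectors, the novel attack caught only by the anomaly score, and the benign-but-unusual trace scoring exactly as high as the novel attack: that last row is the false-positive problem the message attributes to insufficiently diverse training data, and it does not go away by swapping the n-gram set for a fancier learner.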
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:23 PDT