Re: RE: The future of IDS

From: Crispin Cowan (crispin@private)
Date: Sun Oct 14 2001 - 14:29:46 PDT


    Kuo wrote:
    
     >Very interesting.  Replace "IDS" with "AV" and you have another article
     >there.
     >
    I totally agree. AV and IDS are essentially the same approach to highly
    similar problems:
    
         * For fairly arbitrary/disgusting :-) reasons, you cannot fix the
           vulnerabilities that are the root cause of the problem.
         * You instead attempt to manage the problem by detecting attempts to
           exploit the vulnerabilities.
         * Signature-scanning is the popular & effective method. It was
           developed first, and produces the fewest false-positive alarms.
           However, it has the limitation of being largely reactive, leaving
           users vulnerable to "novel" attacks that are not in the signature
           database.
         * Anomaly detection tries to mitigate the "novel attack" problem by
           describing anything novel as an attack. This has the advantage of
           catching novel attacks, and the disadvantage of being noisy:
           generating many false alarm reports.
    
    All of the above applies equally well to IDS and AV.
    
    There is even some relevance to the host vs. network duality for AV, but
    there the similarity is stretched. It is true that there are both host
    and network AV scanners, but they are performing largely the same
    function, whereas host and network IDS use substantially different methods.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
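The signature-vs-anomaly trade-off described in the post, run over a handful of constructed HTTP request lines. This is an added illustration, not code from the post or from WireX/Immunix: the signature strings, the "benign" training set, the two features (request length and share of non-alphanumeric characters) and the 1.5x tolerance are all assumptions chosen to make the four outcomes visible: a known attack caught by both, a novel attack the signature scanner misses, a benign-but-unusual request the anomaly detector falsely flags, and ordinary traffic passed by both.

```python
"""
Toy signature scanner next to a toy anomaly detector.

Signature scanning: alarm only when a known-bad pattern is present
(few false positives, blind to anything not in the database).
Anomaly detection: alarm when a request departs from a learned baseline
(catches novel attacks, but also anything merely unusual).
Every request line and signature below is constructed for this example.
"""

# Hypothetical signature database: name -> substring identifying a known attack.
SIGNATURES = {
    "encoded-slash-traversal": "%c0%af",
    "cmd-exe-invocation": "/cmd.exe",
}

# Constructed benign traffic used to learn the anomaly detector's baseline.
BENIGN_TRAINING = [
    "GET /index.html",
    "GET /about.html",
    "GET /images/logo.gif",
    "GET /products/list.html",
    "GET /contact.html",
    "GET /news/2001/10/14.html",
    "GET /search?q=linux",
    "GET /docs/faq.html",
]

TOLERANCE = 1.5  # assumption: allow 50% headroom over the largest benign value


def signature_scan(request, signatures=SIGNATURES):
    """Names of every signature found in the request; [] means 'no alarm'."""
    return [name for name, pattern in signatures.items() if pattern in request]


def features(request):
    """Two crude per-request features: length and share of 'odd' characters."""
    odd = sum(1 for ch in request if not (ch.isalnum() or ch in "/ "))
    return {"length": len(request), "odd_ratio": odd / max(len(request), 1)}


def train_baseline(requests):
    """Baseline = largest value of each feature seen in the benign training set."""
    observed = [features(r) for r in requests]
    return {name: max(f[name] for f in observed) for name in observed[0]}


def anomaly_scan(request, baseline, tolerance=TOLERANCE):
    """Feature names exceeding the baseline by more than `tolerance`; [] = normal."""
    f = features(request)
    return [name for name, limit in baseline.items() if f[name] > limit * tolerance]


def run_examples():
    """Run both detectors over four constructed requests; returns name -> (sigs, anomalies)."""
    baseline = train_baseline(BENIGN_TRAINING)
    cases = {
        # in the signature DB and far outside the baseline: both detectors fire
        "known attack": "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        # not in the signature DB: only the anomaly detector fires
        "novel attack": "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
        # harmless long search: anomaly detector raises a false alarm
        "unusual benign": "GET /search?q=linux+kernel+security+hardening+stackguard+2001",
        # ordinary request: both stay quiet
        "normal benign": "GET /docs/install.html",
    }
    return {
        name: (signature_scan(req), anomaly_scan(req, baseline))
        for name, req in cases.items()
    }


if __name__ == "__main__":
    for name, (sigs, anomalies) in run_examples().items():
        print(f"{name:15s} signatures={sigs} anomalies={anomalies}")
```

The "novel attack" line is the case the post is about: the signature list returns nothing, so a pure signature IDS (or AV engine) stays silent until someone writes the pattern, while the baseline detector flags it for being far longer than anything it was trained on. The "unusual benign" line shows the price: the same length rule fires on a perfectly legitimate search.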
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:25 PDT