Kuo wrote:
>Very interesting. Replace "IDS" with "AV" and you have another article
>there.
>
I totally agree. AV and IDS are essentially the same approach to highly
similar problems:
* For fairly arbitrary/disgusting :-) reasons, you cannot fix the
vulnerabilities that are the root cause of the problem.
* You instead attempt to manage the problem by detecting attempts to
exploit the vulnerabilities.
* Signature-scanning is the popular & effective method. It was
developed first, and produces the fewest false-positive alarms.
However, it has the limitation of being largely reactive, leaving
users vulnerable to "novel" attacks that are not in the signature
database.
* Anomaly detection tries to mitigate the "novel attack" problem by
describing anything novel as an attack. This has the advantage of
catching novel attacks, and the disadvantage of being noisy:
generating many false alarm reports.
All of the above applies equally well to IDS and AV.
There is even some relevance to the host vs. network duality for AV, but
there the similarity is stretched. It is true that there are both host
and network AV scanners, but they are performing largely the same
function, whereas host and network IDS use substantially different methods.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
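The signature-vs-anomaly trade-off described in the reply above, as an added toy illustration (not code from the original post or from WireX). The signature table, the "normal" training traffic and the four test request lines are all constructed for the demo; a real IDS or AV engine uses far richer models, but the four outcomes (familiar benign, known attack, novel attack, benign-but-novel false alarm) fall out the same way.

```python
"""Toy side-by-side of signature scanning and anomaly detection.

Added illustration for the mailing-list reply; not the original author's code.
Signatures, baseline traffic and test events below are all constructed.
"""
from collections import Counter

# Constructed signature database: substrings seen in previously analysed attacks.
SIGNATURES = {
    "cmd.exe": "known shell-invocation request",
    "/etc/passwd": "known password-file read",
}


def tokenize(event):
    """Split a request line into crude tokens on whitespace and URL delimiters."""
    for sep in "/?=&":
        event = event.replace(sep, " ")
    return event.split()


def signature_scan(event):
    """Reactive detector: reports only patterns already in the database, else None."""
    for pattern, name in SIGNATURES.items():
        if pattern in event:
            return name
    return None


def build_baseline(normal_events):
    """Learn which tokens occur in normal traffic; the model describes 'normal', not attacks."""
    seen = Counter()
    for e in normal_events:
        seen.update(set(tokenize(e)))
    return seen


def anomaly_score(event, baseline):
    """Fraction of the event's tokens never seen during training (0.0 = fully familiar)."""
    toks = tokenize(event)
    if not toks:
        return 0.0
    unseen = sum(1 for t in toks if baseline[t] == 0)
    return unseen / len(toks)


def evaluate(event, baseline, threshold=0.5):
    """Run both detectors on one event and return their verdicts side by side."""
    score = anomaly_score(event, baseline)
    return {
        "event": event,
        "signature": signature_scan(event),
        "anomaly_score": round(score, 2),
        "anomaly_alert": score > threshold,
    }


# Constructed training traffic for the anomaly detector.
NORMAL_TRAFFIC = [
    "GET /index.html",
    "GET /images/logo.png",
    "GET /about.html",
    "POST /login user=alice",
    "GET /index.html",
]

# Constructed test events covering the four cases the post describes.
TEST_EVENTS = [
    "GET /index.html",                    # familiar benign request: neither detector fires
    "GET /winnt/system32/cmd.exe",        # attack already in the signature DB: both fire
    "GET /cgi-bin/newapp.cgi?data=AAAA",  # novel attack: signature misses, anomaly catches
    "GET /newsletter/march.html",         # benign but new content: anomaly false alarm
]

if __name__ == "__main__":
    base = build_baseline(NORMAL_TRAFFIC)
    for ev in TEST_EVENTS:
        print(evaluate(ev, base))
```

The anomaly detector never looks at the signature table; it only knows what "normal" looked like during training, which is exactly why it catches the novel request and also why it raises a false alarm on the harmless new page. Lowering `threshold` trades fewer misses for more noise.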
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:27:25 PDT