Re: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

From: Crispin Cowan (crispin@private)
Date: Wed Oct 08 2003 - 00:39:43 PDT

Kuo, Jimmy wrote:

>Products that are generally labeled "AV" today are ones that "look for
>something" and must be triggered to do so, for the most part, by file
>activity (or via "Scan now").
>
>There is another category of product that NAI has been pushing a lot this
>year and calling it Intrusion Prevention.
>
Yes, we've been in the intrusion prevention business since 1998, long
before it was called that.

>  We include in this category
>products that don't need "quite as much" updating and that have technologies
>that people don't associate to "string matching."  Frankly, the world has
>equated for too long this notion that AV == string match.
>
True, AV is not just string match. It *is* strictly detection of
malicious code in files coming from various sources. If you are doing
something else, then it is no longer AV, it is Intrusion Prevention.
Notably, the rather mature field of Network Intrusion Prevention (NIPS)
is the detection & blocking of malicious transactions (exploits) on
networks, and Host Intrusion Prevention (HIPS) is the detection &
blocking of malicious actions on the host.

>Anyway, I alluded to the notion that file-based triggers were changing in
>the future.  And the obvious reason is the worms that hit without creating a
>file.  We have another product in the Intrusion Prevention space that is
>triggered off other events, such as unusual protocol usage, execution from
>stack, etc.  Today, it's a separate product.  But as I said before, "we
>already have you on our machines..."  And so, eventually, this technology
>will be bound together into one, and called "AV."  Because AV sells.
>
Those of us already in the Intrusion Prevention business, but who have
never had an interest in AV, would naturally object to characterizing
Intrusion Prevention as AV. Rather, it makes more sense to characterize
AV as part of Intrusion Prevention:

    * All IP prevents intrusions some way or another
    * AV prevents intrusions by file-borne viruses, most using string
      matching, and occasionally using other heuristics such as "this
      code writes to the boot sector"

AV is a strict subset of IP, not the other way around.

Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/
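The two detection models argued over in this exchange, reduced to working code. This is an added illustration by the editor, not code from Crispin Cowan, Immunix, or NAI: the signature names, byte patterns, rule names and the host event trace are all constructed for the demonstration, and the "unusual protocol usage" rule is a deliberately simple check (a DNS message over UDP longer than the classic 512-byte limit). The point it makes is the one in the message: an AV scanner is a rule that fires only on file content, a host intrusion prevention engine is a set of rules over host events, and the AV rule is one member of that set. The fileless worm in the trace never produces a file, so the AV rule alone never sees it, while the event rules do.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# --- AV model: string matching over file contents -----------------------------
# Constructed signature set; the names and byte patterns are hypothetical.
SIGNATURES: dict[str, bytes] = {
    "DEMO.Worm.A": b"\x90\x90\xeb\x0e",
    "DEMO.Macro.B": b"Sub AutoOpen",
}


def av_scan(data: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# --- HIPS model: rules evaluated over a stream of host events -----------------
@dataclass
class Event:
    kind: str                       # "file_open", "exec", "raw_write", "net"
    pid: int
    attrs: dict = field(default_factory=dict)


# A rule returns a reason string to block the event, or None to let it pass.
Rule = Callable[[Event], Optional[str]]


def rule_av_on_file_open(ev: Event) -> Optional[str]:
    """AV expressed as a HIPS rule: scan file content when a file is opened."""
    if ev.kind != "file_open":
        return None
    hits = av_scan(ev.attrs.get("data", b""))
    return f"AV signature {hits[0]}" if hits else None


def rule_exec_from_stack(ev: Event) -> Optional[str]:
    """Execution from a stack region, one of the non-file triggers quoted above."""
    if ev.kind == "exec" and ev.attrs.get("region") == "stack":
        return "code execution from stack"
    return None


def rule_boot_sector_write(ev: Event) -> Optional[str]:
    """The 'writes to the boot sector' heuristic, checked on the action itself."""
    device = ev.attrs.get("device", "")
    if ev.kind == "raw_write" and ev.attrs.get("offset") == 0 \
            and device.startswith(r"\\.\PhysicalDrive"):
        return "write to boot sector"
    return None


def rule_unusual_protocol(ev: Event) -> Optional[str]:
    """Simplified 'unusual protocol usage': DNS over UDP beyond 512 bytes."""
    if ev.kind == "net" and ev.attrs.get("proto") == "dns" \
            and ev.attrs.get("transport") == "udp" and ev.attrs.get("len", 0) > 512:
        return "oversized DNS message over UDP"
    return None


# AV on its own is a single rule; the HIPS rule set contains it plus the rest.
AV_ONLY_RULES: list[Rule] = [rule_av_on_file_open]
HIPS_RULES: list[Rule] = [
    rule_av_on_file_open,
    rule_exec_from_stack,
    rule_boot_sector_write,
    rule_unusual_protocol,
]


def enforce(events: list[Event], rules: list[Rule]) -> list[tuple[int, str]]:
    """Run every rule over every event; return (event index, reason) for each block."""
    blocked: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in rules:
            reason = rule(ev)
            if reason is not None:
                blocked.append((i, reason))
                break                       # first matching rule blocks the event
    return blocked


def sample_events() -> list[Event]:
    """Constructed host trace: one infected file open, then a fileless worm (pid 202)."""
    return [
        Event("file_open", 100, {"path": r"C:\inbox\invoice.exe",
                                 "data": b"MZ...\x90\x90\xeb\x0e..."}),
        Event("file_open", 101, {"path": r"C:\docs\notes.txt",
                                 "data": b"quarterly numbers"}),
        Event("net", 202, {"proto": "dns", "transport": "udp", "len": 3000}),
        Event("exec", 202, {"region": "stack"}),
        Event("raw_write", 202, {"device": r"\\.\PhysicalDrive0", "offset": 0}),
    ]


if __name__ == "__main__":
    trace = sample_events()
    print("AV only  :", enforce(trace, AV_ONLY_RULES))   # blocks event 0 only
    print("HIPS     :", enforce(trace, HIPS_RULES))      # blocks events 0, 2, 3, 4
```

Running it shows the AV-only configuration stopping the infected file and nothing else, while the full rule set also stops the three events of the worm that never touched a file. The containment `AV_ONLY_RULES ⊂ HIPS_RULES` is the "AV is a strict subset of IP" claim made literal: nothing has to be taken away from the file scanner to add event-driven prevention around it.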
    



    This archive was generated by hypermail 2b30 : Wed Oct 08 2003 - 00:57:28 PDT