On Mon, 18 Mar 2002 19:53:31 +0100, Christian Kruggel said:

> I'm not too involved in security matters but to me there seems to be a
> lack of method. Examination of incidents mostly comes post-mortem and is
> case-based. As far as I know there is only little *software* to detect
> abnormal traffic.

The problem is of course that you have no way of knowing that a specific
traffic pattern is a problem until you know it's a problem. This is the same
issue that every virus scanner has to deal with. The general-case "is this
malicious" is provably isomorphic to the Turing halting problem, and thus a
bit difficult to solve...

> To me the many practical computer-related problems boil down to the
> question whether you have got a suitable model to describe normal states
> and abnormal ones.

A more fruitful avenue would probably be to come up with an effective way of
enumerating what system access a program "should" require - for example,
there have been many Unix-based buffer-overrun programs that have resulted
in system compromises because the malicious code was able to execute an
execve("/bin/sh") - even if the exploited program had *no business* being
able to execute another binary, or if it should only have been able to
execute a very limited set of binaries (think the Sendmail 'smrsh' wrapper
program here)....

> How about a statistic-focused PhD about a special kind of traffic that
> allows one to predict that a network will face serious problems?

Taking special care to consider the balancing of false positives and false
negatives....

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 06:57:23 PST