On Mon, 18 Mar 2002 19:53:31 +0100, Christian Kruggel said:
> I'm not too involved in security matters, but to me there seems to be a
> lack of method. Examination of incidents mostly comes post-mortem and is
> case-based. As far as I know there is only little *software* to detect
> abnormal traffic.
The problem is of course that you have no way of knowing that a specific
traffic pattern is a problem until you know it's a problem. This is the
same issue that every virus scanner has to deal with.
The general-case "is this malicious" is provably isomorphic to the Turing
halting problem, and thus a bit difficult to solve...
> To me, many practical computer-related problems boil down to the
> question whether you have got a suitable model to describe normal states
> and abnormal ones.
A more fruitful avenue would probably be to come up with an effective way
of enumerating what system access a program "should" require - for example,
there have been many Unix-based buffer-overrun programs that have resulted
in system compromises because the malicious code was able to execute an
execve("/bin/sh") - even if the exploited program had *no business* being
able to execute another binary, or if it should only have been able to
execute a very limited set of binaries (think the Sendmail 'smrsh' wrapper
program here)....
> How about a statistics-focused PhD about a special kind of traffic that
> allows one to predict that a network will face serious problems?
Taking special care to consider the balancing of false positives and false
negatives....
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
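The following is an added example, not part of the original thread, that shows one modern way to do what the reply above suggests: enumerate the system calls a program legitimately needs and have the kernel deny everything else, execve() included, so an injected "/bin/sh" never gets to run. It assumes Linux on x86-64 and uses seccomp-bpf via prctl(); the allowlist (read, write, exit_group) is a constructed, minimal set for a program that only copies data, not a policy taken from any real daemon. The small userspace simulator lets the generated policy be checked without installing it.

```c
/* Added example: a seccomp-bpf syscall allowlist (Linux x86-64 only).
 * Everything not on the list, execve() included, kills the process. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers only have KILL (thread) */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define MAX_INSNS 64                        /* fixed-size program buffer */

/* Emit: load arch; arch != x86-64 -> kill; load nr; one compare per
 * allowed syscall jumping to ALLOW; fall through to KILL.
 * Returns the instruction count, or 0 if the list does not fit. */
size_t build_allowlist(const int *allowed, size_t n, struct sock_filter *f)
{
    if (n + 6 > MAX_INSNS) return 0;
    size_t i = 0;
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, arch));
    f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                          AUDIT_ARCH_X86_64, 1, 0);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                          offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* Match: skip the remaining compares and the KILL, landing on ALLOW.
         * The ALLOW sits at index 4+n+1, this compare at 4+k, so offset = n-k. */
        f[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                              (__u32)allowed[k], (__u8)(n - k), 0);
    }
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Userspace interpreter for exactly the instruction subset emitted above
 * (LD abs, JEQ k, RET k), so a policy can be reviewed before it is installed.
 * Returns the SECCOMP_RET_* action the kernel would take. */
unsigned int simulate(const struct sock_filter *f, size_t len,
                      unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : (unsigned int)nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* target is pc + 1 + offset */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unknown instruction: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;        /* ran off the end: fail closed */
}

/* Install the policy for the calling process; 0 on success, -1 on error. */
int install_allowlist(struct sock_filter *f, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 if the constructed policy allows read and denies execve and
 * a foreign architecture; used as a review step before installing. */
int policy_self_test(void)
{
    int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    struct sock_filter f[MAX_INSNS];
    size_t n = build_allowlist(allowed, 3, f);
    return n == 9
        && simulate(f, n, AUDIT_ARCH_X86_64, SYS_read) == SECCOMP_RET_ALLOW
        && simulate(f, n, AUDIT_ARCH_X86_64, SYS_execve) == SECCOMP_RET_KILL_PROCESS
        && simulate(f, n, AUDIT_ARCH_I386, SYS_read) == SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    struct sock_filter f[MAX_INSNS];
    size_t n = build_allowlist(allowed, 3, f);
    if (!policy_self_test() || install_allowlist(f, n) != 0) return 1;
    write(1, "filter installed; attempting execve\n", 36);
    /* Not on the allowlist: the kernel terminates the process with SIGSYS
     * before /bin/sh ever runs.  A compromised program would die here too. */
    execve("/bin/sh", (char *[]){ "sh", NULL }, (char *[]){ NULL });
    _exit(0);
}
```

Run it and the shell never starts; the process is killed at the execve() attempt, which is the point: the policy is decided by what the program should need, not by recognising the attack. Note that KILL_PROCESS is the right default for a policy like this, since returning an error instead would let an injected payload simply try another call.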
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 06:57:23 PST