Re: Intrusion Detection

From: Marcus J. Ranum (mjrat_private)
Date: Tue Apr 14 1998 - 06:22:24 PDT


    > Hi, what kinds of intrusions can intrusion detection software detect?
    > What can it not?
    
    Most of the IDS out there can detect a set of known attacks. The
    attacks tend to be denial of service or exploits -- either attempts
    to break in or attempts to disable the system.
    
    There are 2 basic categories of IDS (though I am beginning to believe
    there is a 3rd): Anomaly Detection and Misuse Detection. The AD-IDS
    approach is to try to "understand" what constitutes normal traffic
    for the network, and look for things that aren't "normal." The MD-IDS
    approach is to know about a variety of attacks and look for them in
    progress. Most of the research on IDS is AD-IDS, while most of the
    products are MD-IDS. There are a couple of reasons for this:
    1) MD-IDS are easier to implement -- the tricky part in an MD-IDS is
       having the "knowledge base" of hacking techniques that you can
       code into your MD engine.
    2) MD-IDS are easier to explain (and demo) to a customer -- they will,
       when set up, immediately begin to work, with no need to "train"
       them or establish a baseline.
    3) MD-IDS are more marketable -- like with a virus scanning system
       (which is kind of what they are) you can sell your customer
       signature sets.
    4) MD-IDS are easier to quantify -- you can tell your customer "It
       detects 250 attacks" instead of "it detects weird stuff."
    
    SNI recently did a paper which pretty seriously questioned simple
    network-oriented MD-IDS. They're correct that the MD-IDS approach
    in its simple form is fairly limited and easy to get around. What
    they neglected to mention is that MD-IDS will catch a lot of the
    "ankle biter" hackers until they get better tools or learn what
    they are doing. So there may be some value there.
    
    What can the various IDS detect? In theory, an AD-IDS will detect
    anything and everything. Of course, while it is doing so, it will
    generate high numbers of false alarms. In theory an MD-IDS will
    detect anything that the designers of the MD-IDS know about. Of
    course, it won't detect the new attack which is being used on
    you right now, which the IDS designers don't know about. Eventually
    there will be some kind of system with merged AD/MD logic, would
    be my guess.
    
    mjr.
    --
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work - http://www.nfr.net
    home - http://www.clark.net/pub/mjr
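As an added illustration (not part of Ranum's post or any NFR product), here is a toy misuse detector and a toy anomaly detector run over the same constructed traffic; the signatures, the baseline and the four live requests are all made up for the example:

```python
import re
from statistics import mean, pstdev

# Constructed sample traffic: (source, destination port, request line). Not real data.
PATHS = ["/index.html", "/about.html", "/products/list.html", "/images/logo.gif"]
BASELINE = [("10.0.0.%d" % i, 80, "GET " + PATHS[i % 4]) for i in range(20)]
LIVE = [
    ("10.0.0.1", 80, "GET /index.html"),          # 0: normal
    ("10.0.0.7", 80, "GET /../../etc/passwd"),    # 1: matches a known pattern
    ("10.0.0.9", 80, "GET /new?x=" + "A" * 40),   # 2: novel attack, no signature yet
    ("10.0.0.3", 443, "GET /about.html"),         # 3: unusual but legitimate
]

# Misuse detection: the "knowledge base" of known attack patterns (constructed).
SIGNATURES = {"dir-traversal": re.compile(r"\.\./"), "shell-meta": re.compile(r"[;|`]")}

def misuse_detect(events, signatures=SIGNATURES):
    """Return {event index: signature name} for events matching a known pattern."""
    hits = {}
    for i, (_src, _port, req) in enumerate(events):
        for name, pat in signatures.items():
            if pat.search(req):
                hits[i] = name
                break
    return hits

def train_baseline(events):
    """Learn what "normal" looks like: ports seen and request-length statistics."""
    lengths = [len(req) for _s, _p, req in events]
    return {"ports": {p for _s, p, _r in events},
            "max_len": mean(lengths) + 3 * pstdev(lengths)}

def anomaly_detect(events, model):
    """Return {event index: reason} for events that deviate from the baseline."""
    alerts = {}
    for i, (_src, port, req) in enumerate(events):
        if port not in model["ports"]:
            alerts[i] = "unseen port %d" % port
        elif len(req) > model["max_len"]:
            alerts[i] = "request length %d above baseline" % len(req)
    return alerts

if __name__ == "__main__":
    print("MD:", misuse_detect(LIVE))                             # flags 1 only
    print("AD:", anomaly_detect(LIVE, train_baseline(BASELINE)))  # flags 2 and 3
```

The misuse detector catches only the request it has a signature for and misses the novel one; the anomaly detector catches the novel oversized request but ignores the short traversal attempt and raises a false alarm on the legitimate port 443 request.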
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:15 PDT