Drew Simonis wrote:
As mentioned, do we consider them working if, at 100% malicious detection,
they lump in 20% non-malicious false positive?
As usual, there is a trade off between false positives and detection
rate, and _usually_ this trade off is such that you can grow up to, say,
80 or 90% of DR incurring in a small number of FP (say, 10%), and then
all of a sudden you hit a "hard" barrier and in order to catch the
remaining <little number> of attacks, you have to accept <a hell more>
false positives.
So, the question is: what are these systems good for ? they are good for
complementing misuse based, non-zero-day catching systems, so even a 20%
detection rate would be "good", since it's 20% _more_ than what was
previously done. We can thus stay in the "easy" area of the tradeoff
between detection and false positives.
I'd also like to add, responding to other posts, that it is not
necessarily true that anomaly detection on the networks means just
detecting "one megabit per second of odd dns request". Anomaly detection
CAN go as far as detecting a single anomalous packet. The fact that such
systems are still in research phase and that you cannot buy them yet is
another problem entirely, but they do exist. See my Black Hat
presentation for hints about them.
Regards,
Stefano
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
