Network Security Focus-IDS
Re: A Network IPS Proposal (was Definition of Zero Day Protection)

Subject: Re: A Network IPS Proposal (was Definition of Zero Day Protection)
Date: Mon, 16 Aug 2004 17:01:31 -0700 (PDT)
Hi,

What I meant with similar pattern is that similar
"exploit pattern" for a particular worm variant.  For
example Code Red 1 & 2 share a similar "exploit
pattern".  The same can be said about Sasser. It is
similar because it's the same worm variant or mutation.

I'll give a very simple analogy.  If you want to visit my
country, you're required to have a 'malaria injection'.
What it actually is is a weakened bacterium that helps
your immune system develop protection against the
more potent similar bacteria if you happen to get
infected.  This is the similar pattern in the real world.
Even the best protection system in the world cannot
predict the future ;-)

The other way to look at this is that we have to look
at the virus/worm life cycle. After the release moment
(zero day?), the virus/worm will spread over the
network or Internet.  Then it will reach its peak and
it'll die just when all the machines on the Internet
are upgraded.  If somebody wrote another worm
variant using the same exploit pattern, the epidemic
can be lessened to a great extent.

OK, I did mention Honeycomb, and how this 3rd
party trap and signature generator can help a lot.
First of all, just to note that I have nothing against
the snort guys... the world is going to be a better place if
most people are like them.  But why do we need
people to write snort signatures?  Can this exercise be
automated? We have a whole book dedicated to
writing intrusion signatures!  Although we have experts
who can write the signatures, it is not that effective,
as noted by Paul Graham in his popular article "A Plan
for Spam".  He did mention the advantages of using
machine learning rather than humans to write the spam
rules.

To sum things up, we need some kind of network IPS
system to automatically protect our network that can
respond within seconds/minutes to a worm and its
variants. Of course we cannot predict the future by
predicting what kind of worms are coming up next, but
for sure the 1st generation of a worm can provide us
with enough information to make the subsequent
worm variants useless at best.

I'll call this "Similar Pattern Worm Mutation
Prevention System".

Regards, 
Shaiful,
Universiti Putra Malaysia.

--- Johnny Calhoun <jcalhoun@lurhq.com> wrote:

On Thursday 12 August 2004 20:35, Shaiful wrote:
similar pattern

How do you define "similar pattern"?
Detecting similar patterns/signatures is trivial if
the signature is known in advance, but how do you
know if something is "similar" before it even happens?

And if it is KNOWN then it probably already has a
signature, right?

Anomaly based Intrusion Detection/Prevention is very
complex, much more complex than just trapping
traffic and predicting similar patterns.

-- 
Johnny Calhoun, GCIA
Information Security Analyst
LURHQ
843-903-4376 opt2
jcalhoun@lurhq.com
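To make the Honeycomb-style idea in the thread concrete (deriving a signature automatically from captures of several variants of one worm, instead of having a person write it), here is an added example; it is not code from the thread, from Honeycomb, or from Snort. It finds the longest byte string shared by constructed sample payloads, rejects signatures too short to be safe, and tests the result against a further variant and against benign requests; the STUB value and every payload are constructed for illustration.

```python
# Added example: Honeycomb-style automatic signature generation.
# Given payloads captured from several variants of one worm, derive the
# longest byte string they all share and use it as a detection signature.
# All payloads and the STUB value below are constructed, not real traffic.

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Return the longest contiguous byte run present in both a and b."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def derive_signature(samples, min_len=12):
    """Narrow the shared substring across all samples; reject short results,
    which would fire on benign traffic (the false-positive caveat)."""
    sig = samples[0]
    for sample in samples[1:]:
        sig = longest_common_substring(sig, sample)
        if len(sig) < min_len:
            return None
    return sig

def matches(signature, payload: bytes) -> bool:
    """Plain content match, the way a content-based IDS rule would behave."""
    return signature is not None and signature in payload

# Constructed first-generation captures: three variants wrap the same stub
# in different prologues and tails, as a mutated worm would.
STUB = b"COMMON-EXPLOIT-STUB-CONSTRUCTED"
VARIANTS = [
    b"prologue-one:" + STUB + b"/tail-A",
    b"2nd-prologue=" + STUB + b"?tail-BB",
    b"x" + STUB + b"!c",
]
# Constructed benign requests; they share only " HTTP/1." (8 bytes).
BENIGN = [b"GET /index.html HTTP/1.0", b"POST /login HTTP/1.1"]

if __name__ == "__main__":
    sig = derive_signature(VARIANTS)
    print(sig)                                           # b'COMMON-EXPLOIT-STUB-CONSTRUCTED'
    print(matches(sig, b"mutation-4>" + STUB + b"<z"))   # True: a later variant is caught
    print(derive_signature(BENIGN))                      # None: too short to be a safe rule
```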


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with
real-world attacks from CORE
IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------





        
                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail 

<Prev in Thread] Current Thread [Next in Thread>