RE: Specification-based Anomaly Detection

All opinions are my own and in no way reflect the views of my employer.

I was going to stay out of this rendition of this debate but... 

> -----Original Message-----
> From: Ofer Shezaf [mailto:Ofer.Shezaf@breach.com] 
> Sent: Sunday, January 09, 2005 3:53 PM
> To: Stefano Zanero; roberto.perdisci@gmail.com
> Cc: focus-ids@lists.securityfocus.com
> Subject: RE: Specification-based Anomaly Detection
>
>
> Hi Thomas & Stefano,
>
> I agree that anomaly detection is a new-comer to IDS, and in many cases
> not a mature technology. But I think that due to the inherent
> shortcomings of signatures, it has to be considered seriously.

What exactly is your definition of "new-comer"? Seeing as anomaly
detection
has been discussed and studied for at least 15 years as far I know...

> As one of you mentioned, the main disadvantage of signatures 
> is zero day
> attacks.  As I see it, the significance of zero day attacks is way
> underrated. Zero day attacks usually refer to abusing of 
> vulnerabilities
> before a patch or a signature has been issued, but there are those
> "perpetual" zero day attacks - the bugs in the software of a specific
> web site. 
>
> The recent "phpInclude" worm is a very good example of exploitation of
> such "perpetual" zero day attacks. The worm itself can be detected by
> signatures as, being a publicly available code, it includes some
> repeating patterns. On the other hand the same the same techniques can
> be (and probably are) used by "none worm" crawlers or even manually to
> attack specific sites, and are not be detected by signatures.

I'm not sure I follow the argument about "perpetual zero day". It sounds
like a problem of poor signature writing. Could you expand a little more
on why this is a problem for signature-based approaches as opposed to
anomaly-based approaches?

> 2. On the network layer, network profiling analyzes the normal behavior
> of users (i.e traffic), while in the application layer we also profile
> the normal behavior of the application.
>
> Saying that, anomaly itself usually identifies that something is wrong
> but not what is wrong. We use two important additional mechanisms to
> derive actionable information:

What is your basis for saying that anomaly detection usually detects
that
something is wrong? I've never seen an anomaly detection system that
detects things that are "wrong", by definition they only detect that
something is _different_.
The assumption that that is always something wrong is one of the basic
problems with how people implement anomaly-based solutions in my
opinion.

toby

Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588  Office & Voicemail
877-497-1696  Pager
"Just because you're paranoid, doesn't mean they're not after you."

PGP Fingerprint:
92E2 E2FC BB8B 98CD 88FA  01A1 6E09 B5BA 9E84 9E70

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------