Network Security Focus-IDS

Re: Firewalls (was Re: IDS evaluations procedures)

Subject: Re: Firewalls (was Re: IDS evaluations procedures)
Date: Tue, 26 Jul 2005 12:21:36 +0530
Hi Richard,
I agree on the difficulty in defining an attack properly. In fact, I recently joined a company as a kind of intrusion analyst. Before that I was in an academic environment doing my PhD in IDS. What I observed is that signatures are concentrating more on a particular exploit code rather than the true exploit/vulnerability. I am specifically talking about Snort signatures. I feel that the time has come when we should also look at some AI/data mining/machine learning techniques to get some more insight into the attacks, as now we have high computing devices. During my research, I experimented with many such techniques, but I don't find the acceptability of such techniques in commercial products. I know I may sound more theoretical to all experienced network/system administrators, but I want to bring this issue into focus. In this way, we can, at least, discuss the feasibility of such techniques and the problems associated with that.
I am looking forward to having some response from all.
Thanks
Sanjay




Hi David,

All good points.  If you can get past firewalls using various
techniques, I'm sure others can bypass even your product, right?

This is not an attack against you or any other prevention vendor.  The
unfortunate reality is that at some point a smart, unpredictable
intruder will figure out how to bypass your prevention mechanism.
Where does that leave an integrated/converged security device?  Will
it have any record at all that it was beaten?  Probably not -- if it
knew what was happening, it would have blocked the attack, correct?

The problem I see with most security vendors is their assumption that
they can even identify attacks properly.  This is a problem because
detection or prevention requires accurate attack identification.  I
gave up on perfect attack detection years ago, but I did not give up
on intrusion detection or prevention as necessary parts of the
security process.  I am glad you and other vendors still work on this
very tough problem!

For my part, I try to identify when my preventative system has failed
via policy enforcement failure detection.  If that doesn't work, I'm
also performing network transaction logging.  Once I know (by
non-technical means, perhaps) that I'm compromised, I have
network-based evidence to guide my incident response and remediation
process.

I don't see do-it-all-in-one security appliances approaching the
problem this way.

I guess my view is biased because I do incident response for a living,
and I constantly deal with failed security mechanisms.  (Unfortunately
for my clients,) I am as busy now (with all the great new gear we
have) as I was seven years ago when I started.

Sincerely,

Richard
http://www.taosecurity.com
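Richard's approach above, as an added example that is not part of the original thread: a check that compares an internal network transaction log against what the firewall policy permits, so that a flow the policy says should never exist is flagged as evidence that the preventive control failed, whether or not any signature fired. The policy, the log format and the sample records are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: what the firewall is configured to permit towards the
# protected segments. Anything else reaching them should have been dropped,
# so seeing it in the transaction log means the prevention mechanism failed.
PROTECTED = {
    # (destination network, port): sources allowed to reach it
    (ip_network("10.0.20.0/24"), 3306): [ip_network("10.0.10.0/24")],  # DB from app tier only
    (ip_network("10.0.10.0/24"), 22):   [ip_network("10.0.99.0/24")],  # SSH from admin jump hosts only
}

def parse_flow(line):
    """Parse one constructed log record: '<ISO time> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return ts, ip_address(src), ip_address(dst), int(dport), int(nbytes)

def is_policy_failure(src, dst, dport):
    """True when the flow reaches a protected service from a source the
    firewall policy does not permit: the control was bypassed or misconfigured."""
    for (net, port), allowed in PROTECTED.items():
        if dst in net and dport == port:
            return not any(src in a for a in allowed)
    return False  # not a protected service; the policy says nothing about it

def find_policy_failures(log_lines):
    """Return the log records that contradict the firewall policy."""
    return [line for line in log_lines
            if is_policy_failure(*parse_flow(line)[1:4])]

# Constructed transaction log as recorded by a sensor inside the firewall.
SAMPLE_LOG = [
    "2005-07-26T06:51:02Z 10.0.10.5 10.0.20.7 3306 48210",    # app -> DB, permitted
    "2005-07-26T06:51:09Z 10.0.99.3 10.0.10.5 22 9120",       # jump host -> app SSH, permitted
    "2005-07-26T06:52:41Z 203.0.113.17 10.0.20.7 3306 1320",  # Internet -> DB: should have been dropped
    "2005-07-26T06:53:15Z 10.0.30.44 10.0.10.5 22 770",       # user LAN -> app SSH: should have been dropped
    "2005-07-26T06:53:20Z 10.0.30.44 10.0.10.5 80 5500",      # user LAN -> app HTTP: not a protected service
]

if __name__ == "__main__":
    for hit in find_policy_failures(SAMPLE_LOG):
        print("POLICY FAILURE:", hit)
```

The two flagged records are exactly the kind of network-based evidence the message describes: they do not identify the attack, only that something the firewall was supposed to stop got through.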


Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: +91 40 23358927/28 Extn 423
Website: www.intoto.com
Homepage: http://sanjay-rawat.tripod.com