IDS: Re: Random IDS Thoughts [WAS: Re: IDS thoughts]

Re: Random IDS Thoughts [WAS: Re: IDS thoughts]

From: Magnus Almgren <almgren_at_ce.chalmers.se>
Date: Tue, 3 Jun 2003 08:47:31 +0200 (MEST)

> > could be beaten by flooding a network with "anomalous" traffic
>
> Rather naive. If you have a product that does not "adapt", this is obviously
> not a problem (i.e., you deploy it, you train it, then you "lock" it).
> Letting an algorithm learn by itself and still not get fooled by a semantic
> drift (this is one of the current names for the effect you described) is not
> an easy task [...]

There is a recent interesting paper about anomaly detection systems. The
authors discuss two different methods to avoid an anomaly detection
system. First, you can corrupt the training data so that the detector
judges attacks to be accepted behavior. This is non-trivial for the
attacker. Second, you can change the attack to not generate events
that manifest themselves in an anomalous (thus detectable) way by the
detector. This is the approach they have followed in this paper. They
have taken a research prototype and demonstrated how they can change
previously detected attacks to become invisible to the detector.

It is a good article, and I recommend it.

Tan, Kymie M. C.; Killourhy, Kevin S. and Maxion, Roy A. "Undermining
an Anomaly-Based Intrusion Detection System Using Common Exploits." In
Fifth International Symposium on Recent Advances in Intrusion
Detection (RAID-2002), Andreas Wespi, Giovanni Vigna and Luca Deri
(Eds.), 16-18 October 2002, Zurich, Switzerland, pp. 54-73. Lecture
Notes in Computer Science #2516, Springer-Verlag, Berlin, 2002.

If you have access to Springer, you can find the article at
  http://search.springer.de/link-cgi/view-hd.pl?/search97cgi/s97_cgi?action=view&queryZIP=%28%22Maxion%22%29&vdkVgwKey=%2Fglobal%2Fdata%2Fverity%2Flink%2Fabstracts%2Fjour%2Fseries%2F0558%2Fbibs%2F2516%2F25160054.htm&strURL=http://link.springer.de/link/service/series/0558/papers/2516/25160054.pdf&strXML=http://search.springer.de:80/search97cgi/s97_cgi?action=view&collection=springer02&doctype=xml&vdkVgwKey=%2Fjour%2Fseries%2F0558%2Fpapers%2F2516%2F25160054.pdf&queryZIP=%28%22Maxion%22%29

Cheers,
Magnus
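
The second evasion method described above (keeping an attack's manifestation out of the detector's anomalous region) can be demonstrated against a stide-style sequence detector: it profiles normal behaviour as the set of length-k windows of system-call traces and alarms on any window never seen in training. The following is an added illustration, not code from the post or the cited paper; the detector, the window size and the toy traces are constructed here, and the point for defenders is that a trace whose every k-window is individually normal raises no alarm at that k while a larger window still catches it.

```python
"""Stide-style sequence anomaly detector and its window-size blind spot (toy model)."""
from typing import Iterable, List, Sequence, Set, Tuple

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All contiguous length-k windows of a trace (empty if the trace is shorter than k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train(normal_traces: Iterable[Sequence[str]], k: int) -> Set[Window]:
    """Profile of normal behaviour: every length-k window observed during training."""
    return {w for trace in normal_traces for w in windows(trace, k)}


def detect(trace: Sequence[str], profile: Set[Window], k: int) -> List[int]:
    """Offsets of foreign windows (never seen in training); an empty list means no alarm."""
    return [i for i, w in enumerate(windows(trace, k)) if w not in profile]


def contiguous_in(needle: Sequence[str], haystacks: Iterable[Sequence[str]]) -> bool:
    """True if needle occurs verbatim as a contiguous run inside any training trace."""
    n = len(needle)
    return any(tuple(h[i:i + n]) == tuple(needle)
               for h in haystacks for i in range(len(h) - n + 1))


def in_blind_spot(trace: Sequence[str], normal_traces: Sequence[Sequence[str]], k: int) -> bool:
    """A trace never seen in training that still raises no alarm at window size k:
    each k-window is individually normal, so the detector cannot distinguish it."""
    return (not contiguous_in(trace, normal_traces)
            and not detect(trace, train(normal_traces, k), k))


# Constructed training data: two benign system-call traces (not real audit data).
NORMAL = [
    ["open", "read", "write", "exit"],
    ["stat", "read", "write", "close"],
]
# Constructed test traces (hypothetical, for illustration only).
OVERT = ["open", "read", "exec", "close"]      # contains 3-grams never seen: alarms
STEALTHY = ["open", "read", "write", "close"]  # never seen whole, but every 3-gram was

if __name__ == "__main__":
    for k in (3, 4):
        profile = train(NORMAL, k)
        print(f"k={k}: overt alarms at {detect(OVERT, profile, k)}, "
              f"stealthy alarms at {detect(STEALTHY, profile, k)}")
```

Raising k closes this particular blind spot but also flags every legitimate k-window absent from training, so the window size trades evasion resistance against false positives.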

Received on Jun 03 2003
