IDS: RE: Network hardware IPS

RE: Network hardware IPS

From: david maynor <david.maynor_at_oit.gatech.edu>
Date: Tue, 07 Oct 2003 13:16:49 -0400

That is a nice example, but it hardly ever works like that. How about
you detect a worm that generates a lot of SYNs with a window size of
41425? You can write a sig that is dead on accurate but still detect
many false positives. You can't expect every attack to have
"written_by_phc" as a string in a packet.

On Mon, 2003-10-06 at 16:03, Dave Killion wrote:
> Stefano,
>
> I hate Marketing spin as much as the next engineer, but with respect, I
> disagree here entirely.
>
> False Positive reduction has nothing to do with Detection Rate.
> Reducing False Positives has everything to do with accuracy and context.
>
>
> Hypothetical Example:
>
> A hostile attack looks like "LeetAttack 1.0" - this is the actual, valid
> attack string. But say this string is only hostile if sent as the User
> Agent in an HTTP connection. Maybe it's a backdoor coded by the
> webserver author, etc., whatever.
>
> IDS System A has a signature to detect this attack. They look for "1.0"
> anywhere in an HTTP stream. Do they detect the attack? Yes. How many
> false positives - that is, triggers on this signature that are not valid
> attacks - do you think they'll get? I'd say quite a bit. So, Detection =
> 100%, FP ~ 60-99%.
>
> IDS System B also has a signature to detect this attack. They look for
> "1.0", but they are advanced and have a context matching system that
> allows them to look only at certain fields within the HTTP stream, one
> of which is the User Agent. So they put "1.0" in the User Agent
> context. Do they detect the attack? Yes. How's their false positive
> rate? Lower than System A, I'd wager, but there's still some there. Do
> they detect the attack any less than System A? No - both systems would
> always detect every attack. Detection = 100%, FP ~ 30-50% - No decrease
> in detection, but half the FPs.
>
> IDS System C also has a signature to detect this attack. They have the
> User Agent context as well, and they put "LeetAttack 1.0" as the
> detection string. Do they detect the attack? You bet - 100%. Do they
> have False Positives? No - unless someone was stupid enough to make a
> valid web browser with that string as the User Agent. And you'd have to
> wonder at their motivations if they did. Detection = 100%, FP = 0% - No
> decrease in detection, but infinitely fewer FPs.
>
>
> Obviously, the real world isn't as cut and dried as this example, but the
> principles are the same - find something unique to the attack, go for
> root cause, and get the context as specific as possible. You will
> maximize detection while minimizing false positives.
>
> I hope this information is helpful,
>
> Dave Killion
> Senior Security Engineer
> Security Group, NetScreen Technologies, Inc.

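The three signature strategies in the quoted hypothetical, as an added Python example (not code from the thread): each is run over a handful of constructed HTTP requests labelled attack or benign, and detection and false-positive counts are compared. The sample requests, the header parser and the "LeetAttack 1.0" User-Agent are assumptions for illustration.

```python
# Constructed HTTP requests (not from the thread). Two carry the hypothetical
# hostile User-Agent; the benign ones contain "1.0" in other places.
SAMPLE_REQUESTS = [
    ("attack", "GET /cgi-bin/admin HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: LeetAttack 1.0\r\n\r\n"),
    ("attack", "POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: LeetAttack 1.0\r\nContent-Length: 0\r\n\r\n"),
    # "1.0" only in the request line (HTTP/1.0)
    ("benign", "GET / HTTP/1.0\r\nHost: www.example.com\r\n"
               "User-Agent: Mozilla/4.0\r\n\r\n"),
    # "1.0" only in the URL path
    ("benign", "GET /docs/v1.0/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    # "1.0" inside a legitimate User-Agent
    ("benign", "GET /pub/file.tgz HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: Wget/1.0\r\n\r\n"),
    # no "1.0" anywhere
    ("benign", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: curl/7.10.5\r\nAccept: */*\r\n\r\n"),
]

def parse_headers(raw):
    """Return request headers as a dict with lower-cased names (minimal parser)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

# System A: substring anywhere in the stream.
def sig_a(raw): return "1.0" in raw
# System B: same substring, but only within the User-Agent context.
def sig_b(raw): return "1.0" in parse_headers(raw).get("user-agent", "")
# System C: the full attack string, in the User-Agent context.
def sig_c(raw): return parse_headers(raw).get("user-agent", "") == "LeetAttack 1.0"

def evaluate(signature, samples):
    """Detection rate over attacks, plus false positives as a count and share of alerts."""
    attacks = [raw for label, raw in samples if label == "attack"]
    benign = [raw for label, raw in samples if label == "benign"]
    detected = sum(1 for raw in attacks if signature(raw))
    fps = sum(1 for raw in benign if signature(raw))
    alerts = detected + fps
    return {"detection_rate": detected / len(attacks),
            "false_positives": fps,
            "fp_share_of_alerts": fps / alerts if alerts else 0.0}

if __name__ == "__main__":
    for name, sig in (("A", sig_a), ("B", sig_b), ("C", sig_c)):
        print(name, evaluate(sig, SAMPLE_REQUESTS))
```

System C's zero false positives depend on the attack string being genuinely unique, which is exactly the objection raised in the reply above.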
Received on Oct 09 2003
