Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: tschroed () acm org (Trevor Schroeder)
Date: Mon, 6 Dec 1999 19:49:15 -0600 (CST)



Hmmm... Here's an interesting question:

It seems like a pretty obvious thing, but I don't recall seeing anything
on this list recently about it (which is not to say that it hasn't floated
by... ;), but has anybody used multiple NIDSs to provide higher
sensitivity with fewer false positives?

It seems like you could increase the sensitivity of your various NIDS but
then require a subset (maybe a majority) to agree that an attack is
occurring in order to trigger an alarm.

Basically, it seems like a nice application of N-version software,
assuming there aren't correlated faults (faults in this case being either
false positives or missed detections).

Of course there are some problems.  Perhaps one NIDS picks up an attack
that nobody else does, no matter how sensitive they are.  In that case,
you've just written off a good detection as a false positive.
Additionally, you need to have a means to automatically correlate the
data between your various NIDS or you've largely negated the benefit...

Anyhow, anybody done it?  Thoughts?
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................:
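A minimal quorum correlator for the scheme the post describes, added here as an illustration and not code from the original message: alerts from several NIDS are grouped by (src, dst, attack class) inside a time window, an alarm fires only when a quorum of distinct sensors agree, and anything that never reaches quorum is kept as "unconfirmed" for analyst review rather than silently written off (the caveat the post raises). Sensor names, alert fields and the sample alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    sensor: str      # which NIDS raised the alert (hypothetical names)
    ts: float        # epoch seconds
    src: str
    dst: str
    category: str    # attack class normalised across sensors, e.g. "portscan"

# Constructed sample alerts from three hypothetical sensors; not real data.
SAMPLE_ALERTS = [
    Alert("nids-a", 100.0, "10.0.0.5", "10.0.1.9", "portscan"),
    Alert("nids-b", 101.5, "10.0.0.5", "10.0.1.9", "portscan"),
    Alert("nids-c", 103.0, "10.0.0.5", "10.0.1.9", "portscan"),
    Alert("nids-a", 200.0, "10.0.0.7", "10.0.1.9", "web-cgi-probe"),  # one sensor only
    Alert("nids-b", 300.0, "10.0.0.8", "10.0.1.9", "ftp-overflow"),
    Alert("nids-b", 400.0, "10.0.0.8", "10.0.1.9", "ftp-overflow"),   # same sensor again: not a second vote
    Alert("nids-a", 410.0, "10.0.0.8", "10.0.1.9", "ftp-overflow"),   # second sensor, within window of the 400.0 alert
]

def correlate(alerts, quorum=2, window=30.0):
    """Return (confirmed, unconfirmed).

    confirmed:   list of (key, sensors) where at least `quorum` DISTINCT sensors
                 reported the same (src, dst, category) within `window` seconds.
    unconfirmed: alerts whose key never reached quorum; surfaced for review
                 instead of being discarded as false positives.
    """
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_key[(a.src, a.dst, a.category)].append(a)

    confirmed, unconfirmed = [], []
    for key, group in by_key.items():
        fired = False
        # Sliding window anchored at each alert; repeats from one sensor count once.
        for i, first in enumerate(group):
            voters = {a.sensor for a in group[i:] if a.ts - first.ts <= window}
            if len(voters) >= quorum:
                confirmed.append((key, frozenset(voters)))
                fired = True
                break
        if not fired:
            unconfirmed.extend(group)
    return confirmed, unconfirmed
```

Raising `quorum` to a majority of the three sensors leaves only the portscan confirmed, which is exactly the trade-off the post points out.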


