Intrusion Detection Systems mailing list archives
Re: Real Traffic (was Re: BlackICE IDS)
From: stuart () SiliconDefense com (Stuart Staniford-Chen)
Date: Tue, 07 Dec 1999 10:27:53 +0000
Trevor Schroeder wrote:
It seems like a pretty obvious thing, but I don't recall seeing anything on this list recently about it (which is not to say that it hasn't floated by... ;), but has anybody used multiple NIDSs to provide higher sensitivity with fewer false positives? It seems like you could increase the sensitivity of your various NIDS but then require a subset (maybe a majority) to agree that an attack is occurring in order to trigger an alarm. Basically, it seems like a nice application of N-version software, assuming there aren't correlated faults (faults in this case being either false positives or missed detections). Of course there are some problems. Perhaps one NIDS picks up an attack that nobody else does, no matter how sensitive they are. In that case, you've just written off a good detection as a false positive. Additionally, you need to have a means to automatically correlate the data between your various NIDS or you've largely negated the benefit... Anyhow, anybody done it? Thoughts?
I was involved in some experiments for DARPA last year that were like
this. We had a bunch of IDS systems running (if memory serves,
RealSecure, NAI Cybercop server, and two research systems - NetRadar and
Emerald), and we centralized the reports from all of them. Then we
played a variety of attack scripts over the network, and saw what
reports each of them generated, as well as what false alarms they tended
to generate (we had a background traffic generator going).
We wrote a bunch of Perl scripts that drew conclusions based on which
tools were reporting and managed to screen out all the false alarms and
report all the real incidents. However, the scripts were not
generalizable - they were tailored to our particular set of attacks (and
doubtless the particular way all the IDSs were configured).
At RAID (the Recent Advances in Intrusion Detection) conference last
September, IBM Emergency Response Service folks had a paper on applying
knowledge mining type techniques to the output of IDS systems they had
deployed for their customers (using Cisco's Netranger as the sensor). I
would think that kind of approach would work well at extracting value
out of the overlaps between different sensors (and be generalizable).
Stuart.
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart () silicondefense com
(707) 822-4588 (707) 826-7571 (FAX)
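A minimal quorum correlator of the kind Trevor proposes and Stuart's Perl scripts approximated, added here as an illustration and not taken from the thread or from any of the products named: alerts from several sensors are grouped by (source, destination) and a time window, an incident is raised only when at least `quorum` distinct sensors report, and lone detections are kept in an "unconfirmed" list for review rather than silently written off (Trevor's stated concern). The sensor names, sample alerts, grouping key and window size are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # which NIDS raised the alert (constructed names below)
    ts: float     # seconds since epoch
    src: str      # source address as reported by the sensor
    dst: str      # destination address
    sig: str      # sensor-local signature name (deliberately not normalized)


# Constructed sample alerts from three hypothetical sensors; not real data.
SAMPLE_ALERTS = [
    Alert("sensorA", 100.0, "10.0.0.5", "10.0.0.9", "probe"),
    Alert("sensorB", 101.5, "10.0.0.5", "10.0.0.9", "scan"),
    Alert("sensorC", 103.0, "10.0.0.5", "10.0.0.9", "portscan"),
    Alert("sensorA", 200.0, "10.0.0.7", "10.0.0.9", "probe"),   # lone report
    Alert("sensorB", 300.0, "10.0.0.8", "10.0.0.2", "x"),
    Alert("sensorC", 350.0, "10.0.0.8", "10.0.0.2", "y"),       # outside window
]


def correlate(alerts, quorum, window=10.0):
    """Return (incidents, unconfirmed).

    incidents:   list of ((src, dst), window_start, [sensors]) where at least
                 `quorum` distinct sensors reported within `window` seconds.
    unconfirmed: alerts that never reached quorum, kept so an analyst can
                 still review a detection only one sensor made.
    """
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a.src, a.dst)].append(a)
    incidents, unconfirmed = [], []
    for pair, group in by_pair.items():
        group.sort(key=lambda a: a.ts)
        i = 0
        while i < len(group):
            start = group[i].ts
            # all alerts for this pair within `window` seconds of the first
            bucket = [a for a in group[i:] if a.ts <= start + window]
            sensors = sorted({a.sensor for a in bucket})
            if len(sensors) >= quorum:
                incidents.append((pair, start, sensors))
                i += len(bucket)          # consume the whole bucket
            else:
                unconfirmed.append(group[i])
                i += 1
    return incidents, unconfirmed
```

Lowering `quorum` to 1 turns every alert into an incident, which makes the trade-off Trevor describes visible: agreement suppresses the lone sensorA and the two out-of-window reports, and only the three-sensor scan survives at quorum 2.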