Intrusion Detection Systems mailing list archives

Re: RE: IDS


From: rrpermeh () rconnect com (Ryan Permeh)
Date: Thu, 18 Nov 1999 10:56:13 -0600




"Blyth A J C (Comp)" wrote:


Greetings,

How can I detect UNKNOWN attacks if they are unknown ???

Well, if you log all data then you can apply various techniques to it and
see what falls out.  In the elimination of noise from an audio environment,
one particularly useful technique is to isolate the ambient, background
noise and to remove that from the signal presented to the recording or
amplifying system. This presents a notion for the approach of using
normalisation on the hostile network traffic: we isolate the non-ambient
hostile traffic by removing the traffic that is visible in 'the background'.

Regards

Andrew.

This is a great idea, but how do you define "normal" network traffic?  And when
do you define it?  What if an attack is in progress while network traffic is
being normalized?  I've thought about this for a while as a method to stop spam
messages, and defining "normal smtp traffic" is nearly impossible, due to the
effect that the spam attacks are already part of the "normal".  I know IDS
doesn't actively defeat spam, as of now, however, as a side note, it could.
Misuse is much harder to detect in normalization.  Certainly, you can set up
traffic flow diagrams of legit traffic, but you may run into two issues.  1. An
attacker may skew your results at the time of your measurement, and 2. attacks
can be made low key enough to appear as "normal" traffic on your network.  Are
you going to notice if someone was gathering information from your mail server
if he was only using connects to tcp 25 to fingerprint your server?  A single
tcp connection can tell a lot about a system, and not set off alarms.  Anomaly
and misuse detection needs to grow up before I think it can easily be used as
an IDS.
Ryan Permeh
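Both objections in the reply above (an attacker skewing the baseline during measurement, and low-key activity hiding under the threshold) can be shown with a small statistical baseline detector. This is an added illustration, not code from the thread; the hourly connection counts to tcp/25 are constructed sample data, and the mean + 3*stdev threshold is one common anomaly rule chosen here for the demonstration.

```python
"""Baseline poisoning in a simple anomaly detector (constructed example).

Each list holds hourly counts of connections to tcp/25 from one external
host. The detector learns a threshold from a "normal" window and then
flags later hours whose count exceeds it.
"""
from statistics import mean, pstdev

# Constructed baseline window with no hostile activity.
CLEAN_BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

# Same window, but a scan of ~40 connections/hour ran during hours 4-6,
# so the scan becomes part of what the detector learns as "normal".
POISONED_BASELINE = [3, 4, 2, 40, 38, 41, 3, 2, 4, 3]


def learn_threshold(counts, k=3.0):
    """Return the alert threshold mean + k*stdev learned from `counts`."""
    return mean(counts) + k * pstdev(counts)


def is_anomalous(count, threshold):
    """True when an hourly count exceeds the learned threshold."""
    return count > threshold


def evaluate(baseline, observations, k=3.0):
    """Learn from `baseline`, then classify each later hourly count."""
    threshold = learn_threshold(baseline, k)
    return [is_anomalous(c, threshold) for c in observations]


if __name__ == "__main__":
    # Hour with a single fingerprinting connection, then an hour with a scan.
    later_hours = [1, 40]
    print("clean baseline threshold   :", round(learn_threshold(CLEAN_BASELINE), 1))
    print("poisoned baseline threshold:", round(learn_threshold(POISONED_BASELINE), 1))
    # Clean baseline catches the scan; the poisoned one learned it as normal.
    print("clean   :", evaluate(CLEAN_BASELINE, later_hours))
    print("poisoned:", evaluate(POISONED_BASELINE, later_hours))
```

With the clean baseline the scan hour is flagged and the single-connection hour is not; with the poisoned baseline neither is flagged, since the threshold has risen above 60 connections/hour.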


