AIRIDS Architecture and Methodology
Results 1 to 3 of 3

Thread: AIRIDS Architecture and Methodology

  1. #1
    Senior Member
    Join Date
    Jan 2003

    AIRIDS Architecture and Methodology

    Hey Hey everyone.. Just saw this on PacketStorm and though you might be interested in checking it out... I haven't finished reading it yet, but it seems to be fairly interesting so far.

    The Goal:
    To make an Open-Sourced IDS that can intelligently react to threats without
    causing denial of service conditions, and reduce the workload of IDS analysts so
    they can concentrate on less mundane threats.
    The Problem:
    Current IDS implementations lack one critical ability: The ability to react
    intelligently. They are very happy to warble, chirp and scream that there has
    been an intruder, but they don’t DO anything, other than just annoy the Jailer, er,
    security person. Worse than this, with signature based IDS, there are many false
    alarms. Error rates of upto 60% have been seen by this analyst. Current “active”
    methods of altering firewall rulesets, session sniping and the like are just too
    primitive to be trusted. All an intruder has to do is send a barrage that looks like
    it came from your DNS server, and you are in a far worse situation than if you
    were just “watching.” In addition to this, session sniping doesn’t work very well
    with pesky ICMP, IGMP and UDP.
    Network based NIDS are the second problem: Alone they cannot see what is
    going on behind an encrypted tunnel. They are subject do dropping packets on
    high-speed links. They are subject to being “blinded”, faked out, and just too
    annoying so that the become ignored. Signature maintenance is a nightmare in
    that “tuning” the IDS requires countless hours of finding out what signatures are
    “stupid” and need to be terminated, and which ones are “good” and need to be
    The entire paper can be read here.

  2. #2
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    This is good info. Thanks for the heads up.

    It seems that a variety of companies and organizations are all trying to accomplish a similar goal using similar but different methodologies and buzzwords.

    I have seen multiple threads that all seem to relate back to changing IDS to IPS so that it takes proactive, intelligent action rather than simply sending an alert.

    I'll check this paper out.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    As ever, it is very difficult to make an "Active response" defence system that doesn't create potential DoS attacks itself. Ultimately you need a human with their finger on the trigger otherwise your potential for "friendly fire" is high.

    It only takes someone to work out what type of traffic triggers it, then spoof it from legit sites, and bingo! DoS

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts