Statistical-Based Intrusion Detection

[t2k2]

Hey peeps. I got this off of the focus-ms list today coincidentally after I had begun reading the article on the Security Focus site. I figured you guys may be interested.

While I haven't yet finished reading the article in its entirety, I am already forming somewhat of an opinion of its subject matter. I can't say that I see much value that a tool of this nature would add to my network. The way I see it, the most common place something like this would be used is in a Web DMZ or something along those lines. However, how stable is a web environment in regards to normal traffic load. The workload could vary greatly, depending on the day, hour, publicity of the website(s), and many other factors. Now, I am probably being a little premature in forming my opinion, so I will leave it at that. Maybe I can get some sort of an evaluation of the tool at hand so that I can form a more educated opinion. I am, however, interested in hearing what you guys think.

Statistical-Based Intrusion Detection
By Jamil Farshchi

This article will examine statistical-based intrusion detection systems, which alert on anomalous network behaviour, thus providing better monitoring for zero-day exploits than traditional IDS.

http://www.securityfocus.com/infocus/1686


Marc Fossi
Symantec Corp.
www.symantec.com

I think the author says it best here:

Conclusion

There is still no IDS silver bullet. The best solution seems to be a combination of IDS approaches. There are a few vendors that offer the SBID system solution today. Fortunately, these solutions are all part of a larger offering that includes a RBID system. Rest assured, there will be bigger and badder worms than W32.SQLExp - in today's world of cyber-crime, malicious users, and cyber-terrorism, threats will undoubtedly continue to evolve and test security professionals. With the implementation of a statical-based intrusion detection system in addition to a rule-based system, though, you will be better protected against current and future threats. And maybe with the enhanced security on your network, you will be able to spend more time with your dog and less with a worm.

Regards,

t2k2

[bballad]

I find it very useful. In a web environment we use to manually create usage baselines (daily, hourly, weekly, ect) these would let us know if there was any unusual activity. A SBID automates this process (not that I still don't do baselines, just not as often). I am not saying that it should replace a standard IDS but its a wonderful addition.

Have you ever done a usage baseline of your site, build one and you will be amazed how much of a pattern web visitors fall into.

[Lv4]

interesting article. I'll have to read through the whole thing when I get a chance.

I know that ISS is a statistical based IDS, but I remember reading through something of theirs a while back that said they still used the RBID approach too. I'm currently checking their software out for our network, and I'll check on that to see if I'm remembering correctly.

We are using a couple of other companies stuff at the moment, and I have tried to keep us with a mix of SBID and RBID to give, at least what I feel, is a more complete coverage.

Thanks for the find on this article.

[t2k2]

bballad: Now that you mention it, we are currently using a product called Onesight. I don't know very much about it, but apparently it's a pretty good product to monitor Web application usage and what not... I do know one thing about it, however. It does some sort of forecasting based on a baseline. You're right, a tool like that is useful, but it should definitely be complemented with other IDSs just like with any other security tools. The product we are using seems to focus on Web-based monitoring. Of course, the SBIDS would be less application-specific, I'm sure. I will reserve further opinion until I have the chance to test it out. Thanks for the replies guys! Keep'em comin'!


t2k2

[Networker]

Statistical-based IDS (also called heuristic-based IDS) is a very good concept. It can be used to detect intrusion that rule-based IDS cannot.

The only bemol is that in order to configure it, the admin has to now the profile of traffic going through its network hour per hour. All threshold parameters are a bit difficult to anticipate and it can be very painful since your model is evolving.
For instance using Mobile IP in the network may change in a real time manner the model.

[t2k2]

Yeah, they mentioned that in the article. However, I can see the value when complemented with the RBIDS. Do you have one in your environment?

[Networker]

Do you have one in your environment?

No I don't, because that techno is not mature enough, and is too painful to handle!
But if a opensource project works on that techno (I don't know any!), be sure I'll try it !

In my opinioin that techno must be couple with flow network probes, like the IPANEMA product line.

Just for info: IPANEMA products are build network monitoring and traffic engineering. Let's take the example of a corporate network with few sites interconnected through the internet (through IPSEC techno if you care about security). IPANEMA probes are located at each border site/internet, all probes sent report to a centralized entity that compare transmitted packets end received packets. Thanx to that techno you can easily figure out what your internal flows are in a real time manner, & therefore deduce a predictible model that can evolve in a day or week basis.
But still the false alram problem remains!

[t2k2]

Yeah, that's what I keep getting hung up on. It seems like it would be a bear to administer - at least to get it off the ground. I have to agree with you - the technology definitely needs some time to mature.