how to do intrusion detection right

George J. Dolicker gjpd@ins.com
Thu, 16 Apr 1998 10:18:31 -0400


I think perhaps what the intrusion detection system might do is not look
for something "interesting", but rather something "different".  Rather than
trying to define what is a problem, define what is NOT a problem... so
configure the IDS to smile upon traffic that is expected, and panic over
anything else.

Same principal we use in firewalling:  that which is not explictly
permitted is denied.  

G.

At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
>When the administrator can tailor the IDS to unacceptable/interesting
>stuff on the net, what he does is transfer his own mindset about security
>to the IDS. I then have a machine that "thinks" like me, which thus alerts 
>me about facts that I am already aware of - a useful thing that may save 
>some work, but will not help me notice next week's bug being exploited. 
>
>I may be stupid, but what is "interesting" is something I do not know 
>before an intrusion attempt.
>Tomorrow's attack may use some technique that is "obviously" safe today,
>thus bypassing my (human or computer) filtering layer. Using a sufficiently
>"new" technique, my firewall will probably not notice that it has been 
>broached. What _can_ help me is having a complete log of everything that
>has been going through the network, which I can then analyze to understand
>what has happened. An intrusion analysis system, if you will - which 
>so far includes a large human component.
>
>-Martin
>