Slashdot Mirror


Future Of IDS

A reader wrote to us about a summary article regarding IDS. This is an interesting article in so far as it attempts to prognosticate what the future will be for detection, and that draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?

6 of 125 comments

  1. Large scale correlation by pdqlamb · · Score: 4, Interesting

    I wonder if the author would credit things like my NetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every weird package that hit many boxes.

  2. Managers Like Names... by NetJunkie · · Score: 4, Interesting

    I'm about to deploy an IDS system at my work. When I met with the director and CIO about this they asked for recommendations, of course. I first suggested Snort. It's free, it works well, and I had used it before. But, since it didn't have someone standing behind it, the CIO wasn't interested. They'd rather spend $20K on another product. To them it is more important to be able to say "Hey, we were using product X from company Y! Don't blame us!" if something goes wrong.

    In places where the budget is a bigger concern I still implement Snort. I can't possibly afford to stick a commercial product on every subnet that I'd like to.

  3. CEO's like $$$ by jabbo · · Score: 4, Interesting

    That made it pretty damn easy for me to push Snort where I work.

    Only choads that are getting kickbacks from manufacturers are going to push for overpriced commercial solutions in shops that don't have an existing IDS installation or a compelling reason to use the packaged solutions (NetRanger, OpenView, their ilk).

    A packet is a packet... NFR and Snort are both designed by well-respected engineers who are more interested in accuracy and correctness than in unit shifting. I trust them for that.

    When you get right down to it, unless you're rolling in dough, why blow $20,000 per management station plus consulting costs to implement something your network administrator can probably set up in a week for free? (I know I can) It's stupid. Save the cash for your coke dealer or a rock for the missus.

    --
    Remember that what's inside of you doesn't matter because nobody can see it.

  4. Writing Linux viruses is easy (slightly OT) by Mr.+Sketch · · Score: 3, Interesting

    I was browsing the other vnunet articles and saw that according to another article on vnunet.com writing Linux viruses is easy. They claim that "It is a stable OS, but it's not a secure OS." so it will most likely be a target next year.

    I could try submitting this to /. but they'll probably think we've had enough security articles for one day and it'll get rejected and no one will read it.

  5. The State of IDS by SkewlD00d · · Score: 3, Interesting

    Hi, I currently work in the UC Davis sec lab (current project(s): HACQIT).

    The basic problem with all IDS is in the confidence level of determining if something is an attack or just random garbage. Also, IDS have to be fast. If there's too much traffic (if you've been /.'d), you may not be able to check all attacks. Some methodologies start from the approach that deviating from a set of known safe operations is considered suspect. Other IDSes approach it from checking against a known-attack database. We're currently working on genetic algorithms and expert systems to correlate sensors and systems to detect and respond to attacks. The best approach I've seen is a complete kernel-level instrumentation of all system calls that's transparent and mostly undetectable. It would probably be DoS-able as well. The main prob is that you really gotta have another comp to offload IDS checking.

    Right now, nearly all IDSes are extremely primitive and consist of nothing more than snort rules and Perl scripts that call ipchains or something.

    Btw, I went to RAID 2001 this year (hosted at UCD), it was fairly interesting.

    --
    The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
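
The two detection approaches the comment above contrasts, a known-attack database and a profile of known-safe operations, as an added Python example that is not part of the thread or of any project named here. The syscall traces and the single signature are constructed samples, and the n-gram profile of safe behaviour is one common way to model "known safe operations", assumed here rather than taken from the comment.

```python
"""Signature and anomaly checks over constructed syscall traces.
Both the safe traces and the 'attack database' below are constructed
samples for illustration, not real profiles or signatures."""

# Constructed clean traces of a hypothetical daemon (syscall names only).
SAFE_TRACES = [
    ["open", "read", "close"],
    ["open", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
]

# Constructed 'known-attack database': contiguous sequences to flag.
ATTACK_SIGNATURES = {"privileged-exec": ["setuid", "execve"]}


def build_profile(traces, n=3):
    """Set of every n-gram of syscalls observed in known-safe traces."""
    profile = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile


def signature_hits(trace, signatures):
    """Names of signatures whose sequence occurs contiguously in trace."""
    hits = []
    for name, pattern in signatures.items():
        k = len(pattern)
        if any(trace[i:i + k] == pattern for i in range(len(trace) - k + 1)):
            hits.append(name)
    return hits


def anomaly_score(trace, profile, n=3):
    """Fraction of the trace's n-grams never seen during safe operation."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)


def classify(trace, profile, signatures, threshold=0.5):
    """Signature match is 'attack'; no match but unfamiliar shape is 'suspect'."""
    if signature_hits(trace, signatures):
        return "attack"
    if anomaly_score(trace, profile) > threshold:
        return "suspect"
    return "normal"
```

A benign trace the profile never saw, such as open/write/close, also scores as suspect: that false positive is the confidence problem the comment describes, and raising the threshold trades it against missed attacks that match no signature.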

  6. Links by GrEp · · Score: 3, Interesting

    Here are some links to Intrusion Detection systems being developed at Iowa State. They are offering fellowships for those interested in doing graduate work in computer security. Here is a link to one of their papers on distributed intrusion detection.

    Automated Discovery of Concise Predictive Rules for Intrusion Detection

    --

    bash-2.04$
    bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME