On 16 Jun 2000, Michael Tichauer wrote:
> Date: Thu, 15 Jun 2000 10:40:54 +0200
> Maybe it's a little off-topic, but I was wondering which technologies
> IDS systems such as Cisco's, NAI's, Axent's and ISS's products were
> using. We are talking here about expert systems, statistics, stochastics
> (?), neural nets, genetic algorithms, etc. Which of these math
> techniques are used in these IDS systems, in your opinion?

In response to your query regarding which techniques IDS systems utilize
to perform attack detection:

Our product, SecureNet PRO, uses a variety of different techniques to
decode user activity and detect attacks.  Several of these are described
below:

 - Packet Analysis - Examination of packet header fields, checksum
verification, and so on.  Reconstruction of fragmented IP transmissions is
also necessary; otherwise a NIDS can be evaded simply by fragmenting the
network transmissions.  SecureNet PRO supports all of these techniques.

 - TCP session reassembly - Reassembly of TCP packets into reliable
stream-based communications is necessary for reliable detection of any
attacks which are sent over the TCP protocol.  Systems which do not
perform TCP session reassembly can be easily fooled by sending an attack
"byte-by-byte" in multiple TCP packets.  Buffering of out-of-order
segments and proper handling of overlapping TCP segments is also required
if a NIDS is to operate in a reliable fashion.  SecureNet PRO does all of
this.

 - State-based Application Layer Protocol Decoding - To allow for reliable
detection of anomalous activities such as a network client violating a
protocol RFC, multiple login attempts, and so on, one must implement
state-based application layer protocol decoding.  Systems which implement
this form of protocol decoding actually understand the traffic which is
being captured; they emulate the parsing behavior of both network clients
and servers.  For instance, SecureNet PRO intelligently parses the
HTTP/1.1 protocol (in addition to many other protocols) allowing for the
deciphering of hex-encoded URLs, chunked transfer of dynamic HTTP content,
persistent HTTP sessions, and so on.  Systems which do not perform actual
state-based application layer protocol decoding are much more prone to
false positives and false negatives, and cannot detect complex attacks
which involve multiple disjointed steps.

 - Network Grepping - Network grepping is also a useful technology when
performing intrusion detection activities.  It allows for high-speed
searching of dozens, hundreds, or even thousands of various text strings.
Such techniques are very useful when performing activities such as
profanity detection.  This is why SecureNet PRO is capable of performing
both state-based application layer protocol decoding _and_ network
grepping.  Implementation of both techniques allows for extremely
comprehensive coverage, allowing the method most applicable to a specific
attack to be utilized for detection purposes.

 - Custom Scripting - There is no such thing as an IDS product which meets
the specific needs of all its users.  Therefore if a product is to be
considered truly useful, it must be capable of being easily extended.
Organizations may utilize custom networking protocols or have specific
needs which cannot be met by an out-of-box IDS.  This is why we chose to
implement custom scripting functionality in our product.  By writing SNP-L
scripts, one can perform any sort of detailed protocol analysis,
statistics gathering, and so on.  The possibilities are endless when viable
methods of customization are provided to the end-user.

I hope this information was helpful,

Elliot Turner
[EMAIL PROTECTED]
http://www.MimeStar.com/
MimeStar, Inc.
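The TCP session reassembly and network grepping points above, as an added example that is not SecureNet PRO code or anything from MimeStar: a small reassembler that buffers out-of-order segments and applies an explicit overlap policy, with a signature scan run once per packet and once over the reassembled stream. The HTTP request, the segment split, the decoy segment and the signature list are all constructed for the illustration; the "first"/"last" overlap policies are assumptions standing in for the behaviour of a real target's TCP stack.

```python
"""Added example (not SecureNet PRO code): TCP stream reassembly for a NIDS.

Shows why per-packet signature matching is evaded by splitting an attack
across segments, and why the overlap policy chosen by the sensor matters.
The HTTP request, the segment split and the signature list below are all
constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


class StreamReassembler:
    """Reassemble one direction of a TCP stream from its segments.

    Segments that arrive ahead of the next expected byte are buffered until
    the gap before them is filled.  Bytes that overlap data already accepted
    are resolved by `policy`: "first" keeps what arrived first, "last" lets
    the newer segment overwrite.  A real sensor must mimic the policy of the
    destination host's TCP stack, or an attacker can make the sensor see a
    different byte stream than the host does.
    """

    def __init__(self, isn: int, policy: str = "first"):
        if policy not in ("first", "last"):
            raise ValueError("policy must be 'first' or 'last'")
        self.isn = isn
        self.next_seq = isn                    # next byte expected in order
        self.policy = policy
        self.pending: dict[int, bytes] = {}    # out-of-order segments by seq
        self.stream = bytearray()

    def add(self, seg: Segment) -> None:
        if seg.seq > self.next_seq:
            # Hole before this segment: buffer it (same policy for duplicates).
            if self.policy == "last" or seg.seq not in self.pending:
                self.pending[seg.seq] = seg.payload
            return
        self._deliver(seg.seq, seg.payload)
        # Drain buffered segments that are now contiguous with the stream.
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            self._deliver(s, self.pending.pop(s))

    def _deliver(self, seq: int, payload: bytes) -> None:
        overlap = self.next_seq - seq          # bytes already accepted
        if overlap > 0 and self.policy == "last":
            n = min(overlap, len(payload))
            start = seq - self.isn
            self.stream[start:start + n] = payload[:n]
        if overlap >= len(payload):
            return                             # nothing new in this segment
        self.stream += payload[overlap:]
        self.next_seq += len(payload) - overlap

    def data(self) -> bytes:
        return bytes(self.stream)


# Constructed signature list and constructed attack request.
SIGNATURES = [b"/bin/sh", b"cmd.exe"]
REQUEST = b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"

# Split so that "/bin/sh" straddles a segment boundary, then send the last
# piece before the middle one (out of order).
A = Segment(0, REQUEST[:19])      # b"GET /cgi-bin/x?cmd="
B = Segment(19, REQUEST[19:23])   # b"/bin"
C = Segment(23, REQUEST[23:])     # b"/sh HTTP/1.0\r\n"
OUT_OF_ORDER = [A, C, B]
# Same, plus a decoy segment that overlaps B with harmless bytes.
OVERLAP = [A, C, Segment(19, b"/tmp"), B]


def reassemble(segments, policy: str = "first") -> bytes:
    r = StreamReassembler(isn=0, policy=policy)
    for seg in segments:
        r.add(seg)
    return r.data()


def per_packet_hits(segments) -> set:
    """Naive NIDS: match each payload on its own."""
    return {sig for seg in segments for sig in SIGNATURES if sig in seg.payload}


def stream_hits(segments, policy: str = "first") -> set:
    """Stream-aware NIDS: match against the reassembled byte stream."""
    data = reassemble(segments, policy)
    return {sig for sig in SIGNATURES if sig in data}


if __name__ == "__main__":
    print("per-packet:", per_packet_hits(OUT_OF_ORDER))      # set()
    print("stream    :", stream_hits(OUT_OF_ORDER))          # {b'/bin/sh'}
    print("first-wins:", reassemble(OVERLAP, "first"))       # contains /tmp/sh
    print("last-wins :", reassemble(OVERLAP, "last"))        # contains /bin/sh
```

The per-packet scan never sees "/bin/sh" because no single segment carries it; the stream scan does. The overlap scenario shows the second problem: the same four segments yield "/tmp/sh" under a first-wins policy and "/bin/sh" under last-wins, so a sensor whose policy differs from the victim's stack can be made to miss the attack no matter how good its reassembly is.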

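The state-based application layer decoding point above (hex-encoded URLs, chunked bodies, persistent sessions), as an added example that is not SecureNet PRO code or anything from MimeStar: a minimal HTTP/1.1 request decoder that percent-decodes the request target, decodes a chunked body, and uses Content-Length or chunked framing to walk several requests on one persistent connection, so signatures are matched against what the server will see rather than the raw wire bytes. The two requests, the chunk layout and the signatures are constructed; single-pass percent decoding is an assumption, since the correct decoding depth is whatever the real server applies.

```python
"""Added example (not SecureNet PRO code): stateful HTTP/1.1 request decoding.

Decodes percent-encoded request targets and chunked message bodies, and
walks several requests on one persistent connection, so that signatures are
matched against what the server will see rather than against raw wire bytes.
The requests, chunk layout and signatures below are constructed.
"""
from urllib.parse import unquote_to_bytes

# Constructed signatures: a traversal sequence and a shell path.
SIGNATURES = [b"../", b"/bin/sh"]


def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (decoded_bytes, bytes_after_body)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # Last chunk: skip optional trailer headers up to the empty line.
            while True:
                eol = body.index(b"\r\n", pos)
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out), body[pos:]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def normalize_target(target: bytes) -> bytes:
    """Single-pass percent decoding (an assumption: the sensor must decode
    exactly as many times as the server it protects does)."""
    return unquote_to_bytes(target)


def parse_requests(stream: bytes) -> list[tuple[bytes, bytes, bytes]]:
    """Return (method, decoded target, decoded body) for each request on a
    persistent connection, using Content-Length or chunked framing to find
    where one request ends and the next begins."""
    requests = []
    while stream:
        head_end = stream.index(b"\r\n\r\n")
        head, rest = stream[:head_end], stream[head_end + 4:]
        lines = head.split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, stream = decode_chunked(rest)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, stream = rest[:length], rest[length:]
        requests.append((method, normalize_target(target), body))
    return requests


# Constructed capture: a benign request followed, on the same connection, by
# a request whose target is percent-encoded and whose body is chunked so that
# "/bin/sh" never appears contiguously on the wire.
SAMPLE = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"POST /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"
    b"Host: www.example.com\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\ncmd=\r\n3;ext=1\r\n/bi\r\n4\r\nn/sh\r\n0\r\n\r\n"
)


def raw_hits(stream: bytes) -> set:
    """Grep the raw wire bytes only."""
    return {sig for sig in SIGNATURES if sig in stream}


def decoded_hits(stream: bytes) -> set:
    """Grep each decoded request target and body."""
    hits = set()
    for _method, target, body in parse_requests(stream):
        hits |= {sig for sig in SIGNATURES if sig in target or sig in body}
    return hits


if __name__ == "__main__":
    for req in parse_requests(SAMPLE):
        print(req)
    print("raw    :", raw_hits(SAMPLE))       # set()
    print("decoded:", decoded_hits(SAMPLE))   # {b'../', b'/bin/sh'}
```

Grepping the wire bytes finds nothing: the traversal is percent-encoded and "/bin/sh" is cut across two chunks with a chunk-size line between the pieces. The decoder sees "/cgi-bin/../../etc/passwd" and "cmd=/bin/sh", and because it tracks request framing it also attributes them to the second request on the connection rather than to the harmless first one.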
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]