I think that a lot of detectors are missing the deeper issues and that
time-based methods are doomed to failure. Regardless of the time window
and activity level within that window, it is possible to design the
attack to sneak below the detection threshold. Furthermore, there is
the issue of false positives and the signal-to-noise ratio. The noise
level is getting higher (in case you haven't noticed) at a rate
apparently designed (or not) so that we don't notice it. As we get more
false positives, we decrease the time window or increase the detection
threshold, thus increasing the severity of detected attacks. If you
study this phenomenon a bit (as others have), you find that there is no
time window or activity level that can avoid this problem and that the
detection threshold and noise levels are parameters in the strategy and
tactics of information warfare, which we are all essentially engaged in.
An alternative approach that I have taken is to forget time, set
absolute thresholds (e.g., 2 attempts for warning and 3 attempts for
action), and keep history on all potentially malicious acts forever. In
some cases it has taken several years to get the job done, but over
time, I seem to catch people pretty successfully. There are a lot of
other strategies and tactics that may be applied in various situations,
but of course simplistic defenses lend themselves to simplistic attacks.
--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
\ /\/ | Check out info-security heaven and test your system
\/\ /\/ | for known vulnerabilities (1st time for free) at URL:
\/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway"
-just released by Wiley and Sons-
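As an added illustration of the argument above (not code from the original post or its author): a constructed log of a slow, low-rate probe is run through a conventional sliding-window detector and through the post's alternative of absolute, time-independent per-source thresholds (2 attempts for warning, 3 for action). The log format, the source address and the `parse` helper are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source makes a failed attempt roughly every
# two days, well below any plausible per-day rate threshold.
SAMPLE_LOG = [
    "2024-01-01T02:00:00 src=203.0.113.7 auth failure",
    "2024-01-03T02:10:00 src=203.0.113.7 auth failure",
    "2024-01-05T02:05:00 src=203.0.113.7 auth failure",
    "2024-01-07T01:55:00 src=203.0.113.7 auth failure",
]


def parse(line):
    """Assumed line layout: ISO timestamp, then a src=<address> field."""
    ts, src, *_ = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1]


def windowed_alerts(lines, window=timedelta(hours=24), threshold=3):
    """Time-window detector: alert when `threshold` events from one source
    fall inside the sliding `window`.  Events older than the window are
    forgotten, which is what a deliberately slow attacker relies on."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ts, src = parse(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
    return alerts


def absolute_alerts(lines, warn_at=2, act_at=3):
    """The post's alternative: no time window at all, a cumulative count
    per source that is never decayed (a real deployment would persist
    `counts` across restarts, since the history is meant to be kept)."""
    counts = defaultdict(int)
    events = []
    for line in lines:
        ts, src = parse(line)
        counts[src] += 1
        if counts[src] == warn_at:
            events.append(("warn", src, ts))
        elif counts[src] >= act_at:
            events.append(("act", src, ts))
    return events
```

The sliding-window detector never fires on this input, while the absolute counter warns on the second attempt and acts on the third and every one after; the price, as the post notes, is that such a simple rule also accumulates legitimate mistakes unless the history is reviewed.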