Dr. Frederick B. Cohen wrote:
> I think that a lot of detectors are missing the deeper issues and that
> time-based methods are doomed to failure. Regardless of the time window
> and activity level within that window, it is possible to design the
> attack to sneak below the detection threshold.
I agree that for any time-window detection application, an
attacker can hit below the detection threshold. But time-based detection
methods have their uses. They can tell you that you are being hit
right now by a noisy source. I like looking at a lot of different time windows.
When used together, short (like last 30 minutes), medium (1 day and 1 week)
and long (over all time) time frame windows will give you a fairly good picture
of what is happening.
> Furthermore, there is
> the issue of false positives and the signal to noise ratio. The noise
> level is getting higher (in case you haven't noticed) at a rate
> apparently designed (or not) so that we don't notice it. As we get more
> false positives, we decrease the time window or increase the detection
> threshold, thus increasing the severity of detected attack.
This all depends upon what your current signal to noise ratio is.
I would expect to find that a higher threshold is necessary for say a large
class B net, than a smaller class C one. The trick is to minimize the false
positives so that you avoid the positive feedback loop that you mentioned.
Defining exactly what is a hostile pattern of connections is the hard part.
For an internet provider the threshold may be fairly high. For a military
site that only talks to other military sites and a few specific non-military
sites, the threshold will be much lower.
As for the noise level getting higher, I haven't noticed. But then
since I don't have any advertised services, and since I'm in a quiet part
of the net, my threshold is fairly low.
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
1972 Land Rover Series III 88
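Added example, not part of the thread: the multi-window counting the reply describes, in Python, over constructed connection-attempt events. The window lengths follow the post (30 minutes, 1 day, 1 week, all time); the per-window thresholds, timestamps and source labels are assumptions. It shows why the writer likes several windows at once: a burst from a noisy source trips the 30-minute window, while a low-and-slow source never crosses the short-window threshold but does cross the week-long one.

```python
from datetime import datetime, timedelta

# Constructed reference time for the sample events (assumption).
NOW = datetime(2024, 1, 8, 12, 0, 0)

def make_events():
    """Constructed sample: (timestamp, source) connection attempts."""
    events = []
    # Noisy source: 40 attempts in the last ten minutes.
    for i in range(40):
        events.append((NOW - timedelta(seconds=15 * i), "noisy-src"))
    # Low-and-slow source: one attempt every six hours for a week.
    for i in range(28):
        events.append((NOW - timedelta(hours=6 * i + 1), "slow-src"))
    # Benign source: three attempts spread over the week.
    for i in range(3):
        events.append((NOW - timedelta(days=2 * i + 1), "benign-src"))
    return events

# Window name -> (length, per-source threshold); None length = all time.
# Thresholds are constructed; a site tunes them to its own traffic
# (higher for a busy provider, lower for a quiet site).
WINDOWS = {
    "30min": (timedelta(minutes=30), 20),
    "1day":  (timedelta(days=1), 50),
    "1week": (timedelta(weeks=1), 25),
    "all":   (None, 100),
}

def count_by_window(events, now, windows=WINDOWS):
    """Return {window: {source: count}} for events falling in each window."""
    counts = {name: {} for name in windows}
    for ts, src in events:
        age = now - ts
        for name, (length, _thr) in windows.items():
            if length is None or age <= length:
                counts[name][src] = counts[name].get(src, 0) + 1
    return counts

def alerts(events, now, windows=WINDOWS):
    """Return the set of (window, source) pairs at or over threshold."""
    hits = set()
    for name, per_src in count_by_window(events, now, windows).items():
        thr = windows[name][1]
        for src, n in per_src.items():
            if n >= thr:
                hits.add((name, src))
    return hits

if __name__ == "__main__":
    for window, src in sorted(alerts(make_events(), NOW)):
        print(f"{window:6s} {src}")
```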