Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: Improved detection of attack patterns and the time issue
From: Benjamin Allan Smith <bens @ archimedes . vislab . navy . mil>
Date: Sun, 16 Apr 1995 18:49:31 -0700
To: firewalls @ greatcircle . com
In-reply-to: Your message of "Sun, 16 Apr 1995 20:20:32 EDT." <9504170020 . AA24246 @ all . net>
Posted-date: Sun, 16 Apr 1995 18:49:38 -0700

Dr. Frederick B. Cohen wrote:

> I think that a lot of detectors are missing the deeper issues and that
> time-based methods are doomed to failure.  Regardless of the time window
> and activity level within that window, it is possible to design the
> attack to sneak below the detection threshold. 

	I agree that for any time-window detection application, an
attacker can hit below the detection threshold.  But time-based detection
methods have their uses.  They can tell you that you are being hit
right now by a noisy source.  I like looking at a lot of different time windows.
When used together, short (like the last 30 minutes), medium (1 day and 1 week)
and long (over all time) time-frame windows will give you a fairly good picture
of what is happening.

> Furthermore, there is
> the issue of false positives and the signal to noise ratio.  The noise
> level is getting higher (in case you haven't noticed) at a rate
> apparently designed (or not) so that we don't notice it.  As we get more
> false positives, we decrease the time window or increase the detection
> threshold, thus increasing the severity of detected attack. 

	This all depends upon what your current signal to noise ratio is.
I would expect to find that a higher threshold is necessary for, say, a large
class B net than a smaller class C one.  The trick is to minimize the false
positives so that you avoid the positive feedback loop that you mentioned.
Defining exactly what is a hostile pattern of connections is the hard part.
For an internet provider the threshold may be fairly high.  For a military
site that only talks to other military sites and a few specific non-military
sites, the threshold will be much lower.

	As for the noise level getting higher, I haven't noticed.  But then,
since I don't have any advertised services, and since I'm in a quiet part
of the net, my threshold is fairly low.

-Benjamin Smith
----------------
 Science Applications International Corporation
 Naval Air Warfare Center, Weapons Division, China Lake
 bens @ archimedes . vislab . navy . mil
 1972 Land Rover Series III 88
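The multi-window counting Smith describes (a short window to catch a noisy source right now, longer windows to show the slower pattern) is easy to make concrete. The following is an added example written for this archive page, not code from Smith, Cohen, or any firewall product. The log format (`epoch_seconds src_ip dst_port`), the three window lengths, the per-window thresholds, and the sample traffic are all constructed assumptions; in particular the thresholds are the site-specific knob the post says must be tuned to the local signal-to-noise ratio.

```python
"""Multi-window connection-rate detection (added example, not from the original post).

Counts connection attempts per source address over several trailing time
windows and reports sources that exceed a per-window threshold.  The log
layout "<epoch_seconds> <src_ip> <dst_port>" and all data below are constructed.
"""
from collections import defaultdict

# Trailing windows in seconds, following the post's 30-minute / 1-day / 1-week tiers.
WINDOWS = {"30min": 30 * 60, "1day": 24 * 3600, "1week": 7 * 24 * 3600}

# Per-window hit thresholds.  These are assumptions for the constructed data;
# a quiet site would set them lower, a busy provider higher.
THRESHOLDS = {"30min": 20, "1day": 100, "1week": 300}

NOW = 1_000_000  # reference "current time" in epoch seconds (constructed)


def make_sample_log(now=NOW):
    """Constructed firewall log: each entry is 'epoch_seconds src_ip dst_port'."""
    lines = []
    # A loud scanner: 40 probes in the last 10 minutes -> should trip the short window.
    for i in range(40):
        lines.append(f"{now - 600 + i * 15} 192.0.2.10 {20 + i}")
    # A slow scanner: one probe every 20 minutes for a week.  Never more than 2 hits
    # in any 30-minute window, 73 in a day, but 504 over the week.
    for i in range(504):
        lines.append(f"{now - i * 1200} 198.51.100.7 {1 + i % 1024}")
    # A legitimate peer: 5 SMTP connections spread over the last day.
    for k in range(1, 6):
        lines.append(f"{now - k * 4 * 3600} 203.0.113.5 25")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, source, port)."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def count_by_window(lines, now=NOW, windows=WINDOWS):
    """Return {window_name: {src_ip: hits}} for every trailing window."""
    counts = {name: defaultdict(int) for name in windows}
    for line in lines:
        ts, src, _ = parse_line(line)
        age = now - ts
        if age < 0:
            continue  # future-dated entry (clock skew); do not count it
        for name, span in windows.items():
            if age <= span:
                counts[name][src] += 1
    return {name: dict(c) for name, c in counts.items()}


def flag_sources(counts, thresholds=THRESHOLDS):
    """Return {window_name: [src_ip, ...]} for sources strictly over the threshold."""
    return {
        name: sorted(src for src, n in per_src.items() if n > thresholds[name])
        for name, per_src in counts.items()
    }


def analyse(lines=None, now=NOW):
    """Run the full pipeline on a log (the constructed sample by default)."""
    if lines is None:
        lines = make_sample_log(now)
    return flag_sources(count_by_window(lines, now))


if __name__ == "__main__":
    for window, srcs in analyse().items():
        print(f"{window:>6}: {srcs or 'nothing over threshold'}")
```

On the constructed data the loud scanner shows up only in the 30-minute window and the slow scanner only in the 1-week window; the mail peer never appears. Lowering the 1-day threshold from 100 to 60 also flags the slow scanner in the day window, which is the trade-off Cohen and Smith are arguing about: every threshold you lower to catch slower attackers admits more of whatever background noise the site has.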

