From: Kevin D (kdlists@MTSOLUTIONS.NET)
Date: Thu Apr 05 2001 - 13:46:07 CDT
----- Original Message -----
From: "Jon Gary" <jgary@CLICKTOSECURE.COM>
> Many hackers are getting sick of
> giving away the "keys to the kingdom" as it were, and would rather keep
> the vulnerabilities to themselves.
This is the root of the problem (no pun intended ;)
What I suggest is that we build IDSs to do what we human beings would do -
examine the system for changes, check all the logs, and report possible
findings to the network administrator. This "artificially intelligent" IDS
would obviously never be as good as having a real human being monitoring the
system, but it would have the advantage of being able to keep an eye on
everything, all the time - no human can do that.
Let's say, for example, that a user cracks your system, and executes /bin/sh
as root. The IDS could take notice of this, but not necessarily report it -
it could just be the system administrator logging in to make changes.
However, the IDS then traces the IP address of the user. If the IDS finds
that this IP is not an approved administrator's IP, it could log off the
user and report to the administrator. Or, it could just log all of the
actions of the user, and report those to the administrator. Granted, there
are inherent difficulties in writing an IDS that can do what I've described,
but it does seem within the realm of the possible.
Now, imagine combining this AI-type of approach with a signature-based
approach. However, broaden the signatures to include possible or probable
attacks, instead of known attacks. Your IDS could flag a possible attack,
and then watch the user's actions to determine if it is an actual attack. I
understand that the scenarios for an actual attack are countless, but system
admins could write custom scenarios that pertain to their particular
topology.
Does this make sense?
Kevin
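As an added illustration (not part of Kevin's message and not code from any IDS product), the following Python sketch implements the root-shell check he describes: remember which source IP each user logged in from, and when that user obtains a root shell, classify the event as "observe" if the IP lies in an approved admin range and "alert" otherwise. The log lines, hostnames, usernames and address ranges are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines (not from any real system): two SSH logins,
# each followed by the same user spawning /bin/sh as root via sudo.
SAMPLE_LOG = """\
Apr 05 13:40:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Apr 05 13:40:09 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh
Apr 05 13:44:12 host sshd[1330]: Accepted password for bob from 203.0.113.77 port 40022 ssh2
Apr 05 13:44:20 host sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
"""

# Assumed policy: only this management subnet is approved for admin logins.
APPROVED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Login line: who authenticated and from which source address.
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
# Root shell line: a sudo invocation of sh/bash as root.
ROOT_SHELL_RE = re.compile(
    r"sudo: +(?P<user>\S+) :.*USER=root ; COMMAND=(?P<cmd>/bin/(?:ba)?sh)\b")


def is_approved(ip: str) -> bool:
    """True if the source address falls inside an approved admin range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_ADMIN_NETS)


def analyze(log_text: str) -> list:
    """Return one finding per root shell, tagged 'observe' or 'alert'."""
    last_ip = {}  # user -> most recent source IP seen at login
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            last_ip[m["user"]] = m["ip"]
            continue
        m = ROOT_SHELL_RE.search(line)
        if m:
            user = m["user"]
            ip = last_ip.get(user)  # None if no login was seen for this user
            approved = ip is not None and is_approved(ip)
            findings.append({"user": user, "ip": ip, "cmd": m["cmd"],
                             "action": "observe" if approved else "alert"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A root shell with no preceding login for that user (local console, or a session the sensor missed) also yields "alert", since the source cannot be vouched for.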