From: Stuart Staniford (sstanifordFireEye.com)
Date: Wed Mar 25 2009 - 19:31:09 CDT
On Mar 25, 2009, at 11:07 AM, Addepalli Srini-B22160 wrote:
> Hi Ravi,
> Regular expression based matching (however good they are) on raw data
> does not work in these cases. There are too many variations that are
> possible. You gave one example. But many more are possible as
> is a programming language and there are many ways to create a string.
> Some support is required in the network devices to decode HTML pages and
> JavaScript to normalize the data before analyzing rules. I am not
> aware of any IDP device in the market today that does JavaScript and
> HTML page analysis.
We (FireEye) do :-)
Our device is not a general purpose IDS, but, in its main mode of
use, is oriented to detecting both callbacks of bots, and web-based
installation of bots by drive-by downloads (by monitoring egress
network links). For a typical enterprise, most desktop compromises
are now occurring as a result of the web so this is a fairly useful
set of functionality.
The latter (infection-detection) functionality is pretty new. We do a
two-stage analysis - in the first stage, we do a fast parse of the
techniques to decide that it's suspicious (e.g. it's clearly
obfuscated). The suspicious stuff is then replayed to an actual
browser/OS/set of plugins in an instrumented virtual machine. That
makes the final decision (which eliminates the false positive problems
that otherwise plague statistical anomaly detection techniques). We
have 6-12 VMs running at all times in the appliance on whatever looks
most suspicious right then.
Chief Scientist, FireEye.
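As an added illustration of the two points made above (Srini's: a regex over raw bytes misses encoded variants unless the page is normalized first; Staniford's: a cheap first-stage "is this clearly obfuscated?" check that only decides what to hand to the slow, instrumented-browser stage), here is a small Python sketch. It is not code from the thread, from FireEye, or from either poster. The sample scripts, the `document.write` rule, the decoding steps and the scoring thresholds are all constructed for the example.

```python
import re
from html import unescape as html_unescape

# Constructed samples (not from the thread): one benign line and three
# encodings of roughly the same document.write(1) call.
SAMPLES = {
    "benign": "document.getElementById('status').innerHTML = 'ready';",
    "hex_escaped": r'eval("\x64\x6f\x63\x75\x6d\x65\x6e\x74.write(1)");',
    "url_escaped": "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%281%29'));",
    "fromcharcode": 'eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101)+"(1)");',
}

# Encodings the normalizer understands. Real scripts use many more
# (string splitting, arithmetic on char codes, custom decoders), which is
# exactly why the thread argues that static rules alone are not enough.
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_URL_ESC = re.compile(r"%([0-9a-fA-F]{2})")
_FROM_CC = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+)\)")

# A deliberately simple signature, standing in for the "regex on raw data"
# approach the thread discusses.
RULE = re.compile(r"document\.write\s*\(")

ESCALATE_THRESHOLD = 3  # constructed cut-off for handing off to stage two


def normalize(script: str, max_rounds: int = 5) -> str:
    """Undo HTML entities, \\xNN, \\uNNNN, %NN and String.fromCharCode(...)
    repeatedly until the text stops changing (nested encodings unwind)."""
    text = html_unescape(script)
    for _ in range(max_rounds):
        before = text
        text = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = _UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = _URL_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = _FROM_CC.sub(
            lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
            text,
        )
        if text == before:
            break
    return text


def obfuscation_score(script: str) -> int:
    """First-stage heuristic: cheap evidence that the script is encoded
    rather than written plainly. Weights are constructed for the example."""
    norm = normalize(script)
    score = 0
    # How much of the raw text is escape sequences?
    escaped_chars = sum(len(m.group(0)) for p in (_HEX_ESC, _UNI_ESC, _URL_ESC)
                        for m in p.finditer(script))
    if escaped_chars > 0.25 * len(script):
        score += 2
    # Long fromCharCode lists are a classic way to hide a string.
    charcodes = sum(len(m.group(1).split(",")) for m in _FROM_CC.finditer(script))
    if charcodes >= 8:
        score += 2
    # Decoded content that is then evaluated.
    if "eval(" in norm:
        score += 1
    # Decoding shrank the script a lot: it was mostly encoding.
    if len(norm) < 0.7 * len(script):
        score += 1
    return score


def triage(script: str) -> dict:
    """Stage-one verdict: does the raw rule fire, does it fire after
    normalization, and should the script be replayed in the slow stage?"""
    norm = normalize(script)
    score = obfuscation_score(script)
    return {
        "normalized": norm,
        "raw_rule": bool(RULE.search(script)),
        "normalized_rule": bool(RULE.search(norm)),
        "score": score,
        "escalate": score >= ESCALATE_THRESHOLD,
    }


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        result = triage(script)
        print(f"{name:13s} raw_rule={result['raw_rule']!s:5s} "
              f"normalized_rule={result['normalized_rule']!s:5s} "
              f"score={result['score']} escalate={result['escalate']}")
```

Running it shows the shape of the argument: the raw `document.write` rule matches none of the three encoded samples; after normalization it matches the `\x` and `%` variants but still misses the `fromCharCode` one, because that sample splits the call across a string concatenation the normalizer does not fold. The obfuscation score, which looks at how the script is written rather than what it says, flags all three for the second stage while leaving the benign line alone. That is the division of labour the message describes: a fast static pass that only has to decide "clearly obfuscated", with the expensive, low-false-positive decision left to an instrumented browser.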