Re: Hallo everybody

tlunt@ARPA.MIL
Thu, 15 Sep 1994 16:01:49 -0400 (EDT)

I agree that the sort of standardization called for here is desired.
Not only standardizations of various data formats (and not just
for Unix!!!), but also interface standards for interchangeable and
interoperable IDS components.  Then these components could be used
in other systems, such as firewalls, key management centers, network
management workstations, etc.

Before we do this, or perhaps in parallel, I'd like to see some
demonstration of the effectiveness of the intrusion-detection
components at detecting bad things.  No point in standardizing
unproven technology.  Also, we need to evaluate the effectiveness
or suitability of the types of audit data collected, as pointed out
by one of the contributors below, before we standardize on it.

Teresa

========

Date: Fri, 16 Sep 1994 01:22:24 +1000 (EST)
From: ruf%SPi@wyrm.cc.uow.edu.au (Justin J. Lister)
Subject: Re: Hallo everybody

"adamsb@un.org wrote:"

>From: adamsb@un.org
>Date: Thu, 15 Sep 94 08:44:39 EST
>To: ids@uow.edu.au
>Subject: Re: Hallo everybody

>Given that a standard audit record format seems to be fairly important to
>several different intrusion detection systems, is there any work by any of
>the US standards bodies or by any international standards bodies on the
>development or adoption of a standard audit record format?

This is one issue I (along with my supervisors) have been pondering
for some time (I suggested this as a possible discussion topic for the
Intrusion Detection Workshop). It is a small part of a much larger
problem: the need for universal intrusion detection systems (or
standardization of the basic ids components).

So far we have already seen the system independent audit record format
proposed by Denning. But as defined the audit format hasn't seemed to
become any so called "de facto" standard.

While I have not yet completed the section on this issue, I should
offer some points for general discussion. Even though I have come to
some conclusions it would be interesting to see others responses.

* Not just a working group (or standards committee) for defining the
audit trail is necessary, but rather one dealing with the various
components of the ids systems. That is, it should be possible to
standardize various components:
  auditing, decisioning, reasoning, preventive and reporting.

* The most common detection mechanisms developed so far: (generalised)
  profiling for deviation detection -
      statistical (bayesian) or neural (multivariate time-series)
  known scenario detection (intrusive or suspicious action detection) -
      rule-based or fuzzy logic.

* It should be possible to define a framework in which different
components can be interchanged. Defining a universal audit subsystem
allows others to work on developing decision systems.

* It is important to note that current audit information from many
operating systems is not ideal (one such area is the ability to update
the audit mechanism on the fly - ie. extending/reducing the type of
auditing).

* Defining mechanisms for passing information between components gives
us a basic framework on which new ideas may be tested.  Standardization
of the audit format, storage types (for profiles, rule encoding) and
communications between components are the essential ingredients
(leaving the actual decisioning/reasoning core algorithms for
individual development).

- however, is the technology at a point where standardization is currently
feasible?

There are many benefits of working to achieve such goals.

* An important point is that development should occur in the open
community, leading to a wider range of experience and development of a
framework that is practical for varied environments, as well as
greater depth in ongoing development and testing.

* It is however clear that standardization is necessary before we would
see any large acceptance towards any specific approach being adopted
across a wide range of platforms.

>Despite the hype by various vendors, the different flavours of Unix all
>seem pretty similar.

While appearing similar above ground, they are very different on the
insides. However it does show that abstraction is a wonderful beast.
What is the saying? "Any software problem can be solved by adding
another layer of indirection" - Bellovin.

> X.400 was developed as a standard for electronic mail
>between widely different operating systems, so a standard audit record
>format, which would be a lot simpler than X.400, should be feasible.

I would hesitate to assume that a suitable audit format would be a
simple solution (it requires the ability to work across very different
beasts if intrusion detection systems are to become widely used
tools).

>                                   Hog Farmer
>                                   Tropical Hog Improvement Programme
>                                   adamsb@un.org

>{ Everything I need to know about life, I learned from a pig (and a VAX) }

--
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-835-114 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+
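The component split Justin sketches above (a system-independent audit record feeding interchangeable detection components) can be illustrated with an added example that is not part of this thread. It uses the field set of Denning's model audit record; the two "sysA"/"sysB" log formats, their sample lines and the adapter and detector names are constructed here and belong to no real operating system or IDS.

```python
"""Added example: a Denning-style audit record, two hypothetical per-system
adapters that normalise constructed raw log lines into it, and a pluggable
detector that consumes only the common format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    # Field set follows Denning's model audit record (subject, action,
    # object, exception condition, resource usage, time stamp).
    subject: str
    action: str
    obj: str
    exception: str      # "" when the action succeeded, else e.g. "bad-password"
    resources: int      # resource usage counter (bytes, cpu ms, ...)
    timestamp: int      # seconds since epoch

# Constructed sample lines from two hypothetical systems: "sysA" writes
# key=value tokens, "sysB" writes colon-separated positional fields.
SYS_A_LINES = [
    "t=778600000 user=alice op=login obj=tty1 err= use=0",
    "t=778600010 user=bob op=login obj=tty2 err=bad-password use=0",
    "t=778600012 user=bob op=login obj=tty2 err=bad-password use=0",
]
SYS_B_LINES = [
    "778600020:bob:login:tty2:bad-password:0",
    "778600030:alice:read:/etc/passwd::512",
]

def parse_sys_a(line: str) -> AuditRecord:
    """Adapter for the key=value format; this is the only sysA-specific code."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return AuditRecord(kv["user"], kv["op"], kv["obj"], kv["err"],
                       int(kv["use"]), int(kv["t"]))

def parse_sys_b(line: str) -> AuditRecord:
    """Adapter for the positional format; the object field may not contain ':'."""
    t, user, op, obj, err, use = line.split(":", 5)
    return AuditRecord(user, op, obj, err, int(use), int(t))

def failed_login_detector(records, threshold=3):
    """Known-scenario (rule-based) component: flag subjects whose failed
    logins reach the threshold, regardless of which system produced them."""
    counts = {}
    for r in records:
        if r.action == "login" and r.exception == "bad-password":
            counts[r.subject] = counts.get(r.subject, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)

def run(adapters, detector):
    """Normalise every source through its adapter, merge by time, then detect."""
    records = [parse(line) for parse, lines in adapters for line in lines]
    records.sort(key=lambda r: r.timestamp)
    return detector(records)
```

Swapping in a profile-based detector only requires another function over the same `AuditRecord` list; the adapters stay untouched.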