Current research on IDS


Current research on IDS

by markospl

Hello,

I would like to familiarize myself with the current state of the art (and research) on IDS. Unfortunately, when I tried to contact some widely-known scientific groups (Columbia University, IBM Zurich, etc.) I was informed that they reduced or even stopped working on those problems. Therefore I am wondering: is IDS still being researched in the scientific (academic) community? If yes, could you give me some hints on where it is being researched and what the hot topics are nowadays? Thank you very much!

Regards, mark

Re: Current research on IDS

by Karsten Iwen

> I would like to familiarize myself with the current state of the art (and
> research) on IDS. Unfortunately, when I tried to contact some widely-known
> scientific groups (Columbia University, IBM Zurich, etc.) I was informed that
> they reduced or even stopped working on those problems. Therefore I am
> wondering: is IDS still being researched in the scientific (academic)
> community? If yes, could you give me some hints on where it is being
> researched and what the hot topics are nowadays? Thank you very much!

Some months ago the "RAID 2006, 9th International Symposium On Recent
Advances In Intrusion Detection" took place in Hamburg, Germany. I
didn't attend, but you can see the program and the committees online.
Since they talked three days about the recent advances I think: Yes,
there's still research ...

http://www.raid06.tu-harburg.de/


--
Karsten Iwen
Network- and Security Consultant/Trainer

CISSP
CCIE #14602 (Security)
CCSI, CCSP, CCIP, CCNP, CCDP
MCSE: Security
http://www.iwen.de

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------


Re: Current research on IDS

by Konrad Rieck

On Wed, 2007-01-10 at 03:02 -0800, markospl wrote:
> Therefore I am wondering: is IDS still being researched in the scientific
> (academic) community? If yes, could you give me some hints on where it is
> being researched and what the hot topics are nowadays?

Err! Check out the annual RAID symposium (Recent Advances in Intrusion
Detection) to learn about (a) people involved in academic IDS research
and (b) a lot of interesting topics.

        http://www.raid-symposium.org/

List of RAID publications at Springer:

        http://tinyurl.com/yaftja

Regards,
Konrad

--
  Konrad Rieck <konrad.rieck@...>
  Fraunhofer Institute FIRST - Intelligent Data Analysis Group (IDA)
  Kekulestr. 7, 12489 Berlin - Phone: (+49) 30 6392-1870, Fax: -1879




RE: Current research on IDS

by dpat-2

Hi Mark,

IDS/IPS research is still on.

From what I know, the RAID (Recent Advances in Intrusion Detection) 2007
symposium will be held for 10th consecutive year.

CERIAS at Purdue University is still quite active, as well as NC State
University at NY, Lincoln Laboratory at MIT, IDS Lab at Columbia, UC Davis,
Carnegie Mellon, Microsoft Research, McAfee, etc.

However, there is a major change to the topics that IDS research is
currently addressing. It is true that behavioral analysis & pattern
recognition are quite mature to be further developed (this doesn't mean that
there is not heavy research on these topics). Current hot topics, to the
best of my knowledge, are automatic signature generation, rate-limiting
mechanisms, mimicry attack prevention techniques, etc.

What seems to be of interest is integration of Intrusion
Detection/Prevention with vulnerability assessment, standardization of
vulnerability reporting and vulnerability semantics (however elementary this
may seem, it is not yet resolved), integration with Security Information
Management Systems, active responses, etc.

Personally, I am working with a number of researchers on evolving the
so-called "Intrusion Management Systems", a technology that can
automatically produce and enforce adaptive and active response policies by
concurrently addressing vulnerabilities, exploits and IDS signatures on
distinct network flows. We have come to a number of unaddressed issues that
have to be resolved before proceeding.

Regards,

Dimitrios G. Patsos



Re: Current research on IDS

by Maarten Van Horenbeeck

Hi Mark,

Interesting question. There is in fact quite a bit of research going on
in the field of intrusion detection. Perhaps interesting to know is that
there is a lot of applied work as well - at the end of August, the
Computer Security Research Centre at NIST published a draft special
publication 800-94, which serves as a guide to people considering the
use of Intrusion Detection and Prevention systems.

This draft document, while it doesn't constitute research 'pur sang',
does indicate a large degree of interest in the commercial space as to
where and how to implement these types of technical controls. You can
find it here:

http://csrc.nist.gov/publications/drafts/Draft-SP800-94.pdf

Most research on IDS focuses on taking the model a step further. Gone
are the days when regex-matching signatures were the main focus of
intrusion detection. While they still underpin most production usage
today, not all modern threats lend themselves to detection using these
fairly simple mechanisms. This is especially valid for one-offs,
attacks designed specifically to attack a certain organization, often
used in industrial espionage.

What is gradually being understood is that the art of intrusion
detection requires a solid intelligence underpinning. That's why I'm
going to refer you to a document which is in fact unrelated to IDS - it
deals with a technical solution to an "intelligence problem".
Nevertheless, as someone with a background in deploying enterprise IDS
systems, this is probably one of the more interesting papers I've read
over the last few months.

"Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual
Behavior", by a number of researchers at RAND:

http://www.rand.org/pubs/monographs/MG126/index.html

The gradual realization of this move from detection to actually
benefiting from the information gathered through IDS is one of the
reasons why we're seeing so much use of SIM tools and even event
correlation on the sensor level. This branch of software now offers much
more than simple correlation and matching, it has truly become one of
supporting analysis and synthesis of security intelligence.

Actual work on improving detection is mainly focused on the use of
hidden Markov models. You have an event A, influenced by (or correlated
to, by a known probability) an environment B. An object C describes the
value of event A, but nothing about environment B. Based on what you
learn from C, you do not know B but you can deduce the likelihood of its
state over time.

In the field of intrusion detection this translates to new methodologies
of profiling actions initiated by users to identify those that do not
match with the expected behavior. These usually are self-learning
systems as opposed to those that use 'rules' to detect when something
happening on a system or network is an anomaly. One of the major
challenges is for these systems to take into account base-rate
information, or information that should influence the way all learned
items are interpreted. Defining boundaries on what influences human
behavior requires a sociological perspective on intrusion detection.

Other intriguing research deals with how to combine intrusion detection
probes with other technologies to make them more effective. A
preliminary step was to combine probe output with information gathered
from vulnerability assessment systems. This allowed for a correlation on
the network between vulnerabilities and threats.

Further steps that will gradually move from the academic field onto the
market are the linking of IDS probes with honeypots to e.g.
automatically generate signatures based on probable attacks. While the
certainty of such event truly being an attack will never be absolute, a
signature (or profile, if you wish) can then automatically be
distributed across the probe base. Once an incident has been confirmed
to be an actual attack, information security analysts will be able to
identify the spread of a certain attack pattern across the organization.

The sector is about to get real interesting.

Cheers,
Maarten

--
Maarten Van Horenbeeck, CISSP
maarten@... - http://www.daemon.be/maarten
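Maarten's description of inferring a hidden environment B from observed events C, and of profiling user actions against expected behavior while accounting for a base rate, as an added example that is not part of this thread or anyone's posted code: a two-state hidden Markov model filtered with the forward algorithm over a constructed sequence of audit events. The event categories, transition and emission probabilities, and sample sessions are all made up for illustration.

```python
"""Forward filtering in a two-state hidden Markov model (HMM).

Hidden state B (the 'environment'): "normal" or "compromised".
Observation C: the category of each audit event a user session produces.
After every event the filter returns P(B_t = compromised | C_1..C_t), i.e.
the likelihood of the hidden state over time. All numbers are constructed
for illustration; a real deployment would estimate them from audit data.
"""
from typing import Dict, List, Optional

STATES = ("normal", "compromised")

# Transition model P(B_t | B_{t-1}): a compromised session tends to stay so.
TRANSITION: Dict[str, Dict[str, float]] = {
    "normal":      {"normal": 0.98, "compromised": 0.02},
    "compromised": {"normal": 0.05, "compromised": 0.95},
}

# Emission model P(C_t | B_t): how plausible each event is under each state.
EMISSION: Dict[str, Dict[str, float]] = {
    "normal":      {"login": 0.10, "read": 0.70, "write": 0.15, "admin": 0.05},
    "compromised": {"login": 0.10, "read": 0.20, "write": 0.30, "admin": 0.40},
}

# Constructed sample sessions (event categories in time order).
SESSION_NORMAL = ["login", "read", "read", "write", "read"]
SESSION_SUSPECT = ["login", "read", "admin", "admin", "write", "admin"]


def forward_filter(events: List[str], prior_compromised: float = 0.01) -> List[float]:
    """Posterior P(compromised) after each event; prior_compromised is the base rate."""
    belief = {"normal": 1.0 - prior_compromised, "compromised": prior_compromised}
    trace: List[float] = []
    for ev in events:
        if ev not in EMISSION["normal"]:
            raise ValueError(f"unknown event category: {ev!r}")
        # Predict: push the previous belief through the transition model.
        predicted = {s: sum(belief[p] * TRANSITION[p][s] for p in STATES) for s in STATES}
        # Update: weight each state by how well it explains the observed event.
        unnorm = {s: predicted[s] * EMISSION[s][ev] for s in STATES}
        total = sum(unnorm.values())
        belief = {s: unnorm[s] / total for s in STATES}
        trace.append(belief["compromised"])
    return trace


def first_alert_index(events: List[str], threshold: float = 0.5,
                      prior_compromised: float = 0.01) -> Optional[int]:
    """Index of the first event at which the posterior crosses the threshold, else None."""
    for i, p in enumerate(forward_filter(events, prior_compromised)):
        if p >= threshold:
            return i
    return None
```

Lowering or raising `prior_compromised` shifts every posterior, which is the base-rate effect the post describes: the same event sequence is read differently depending on how common compromise is assumed to be.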



Re: Current research on IDS

by Raffael Marty

Don't forget to check out where industry is on all of this. For example
the security information management market is something to look into.
There we have been doing the "vulnerability-IDS" feed correlation for a
long time.
Also the automated procedures for active response are something that is
used in production to date. [Let's not get into a discussion whether
that's smart or not. There are cases where it absolutely is!]

My 2 cents

  -raffy


--

Raffael Marty, GCIA, CISSP                    raffael.marty@...
Manager                                  Strategic Application Solutions
ArcSight, Inc.                                         +1 (408) 864 2662
http://secviz.org
