The most common and well-understood misuse-detection approach within modern IDS is to utilize one or more pattern matching signatures for each identifiable attack or compromise. This is commonly termed “signature-based detection” and is often desirable because of its precision and simplicity.

A “signature” in IDS parlance is a set of patterns (or in some cases preconditions) which identifies a known threat (as uniquely as is possible or practical) [23, 82]. Signatures in many detection systems are often very precise and consequently expensive to compute. These systems have a correspondingly low false positive rate, but generally require at least a single signature for each vulnerability, exploit, or attack vector (each signature representing a series of potentially costly computations). These signatures must often be kept as simplistic and as compact as possible for purposes of performance, and this results in brittleness. Nonetheless, signature-based detection is often desirable due to its simplicity: there is a direct and easily understood mechanism which relates the features of network traffic to the identification of malicious events.

Each signature is composed of explicit patterns, bytes, strings, field values, expressions, and preconditions. Signatures are most often pre-filtered by matching against protocol attributes first (both IP packet and TCP session headers and payloads) and expensive string matches and regular expressions second. Signature-based approaches can be performed very efficiently using pre-compiled expressions, careful management of feature ordering, and automated binning and pre-filtering of incoming traffic such that signatures only “see” traffic that is relevant (e.g. by static fixed signature fields of protocol, port, address, etc.).
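The header-first pre-filtering and binning described above, as an added illustration (example code written for this edit, not from the thesis or from any IDS product; the signatures, sids, messages and traffic are constructed): signatures are binned by their fixed protocol and port fields so the expensive regular-expression match runs only on traffic that can satisfy a signature's preconditions, and the last packet shows the brittleness cost, since traversal bytes on a non-HTTP port are never examined by the HTTP signature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Signature:
    sid: int
    msg: str
    proto: str               # cheap fixed header field, used for binning
    dst_port: Optional[int]  # None means "any port" for this protocol
    pattern: "re.Pattern"    # expensive payload check, compiled once
class SignatureEngine:
    # Bin signatures by (proto, dst_port): a packet is tested only against signatures whose fixed fields it satisfies.
    def __init__(self, sigs: List[Signature]):
        self.bins = defaultdict(list)
        for s in sigs:
            self.bins[(s.proto, s.dst_port)].append(s)
        self.regex_evals = 0  # expensive payload matches actually performed

    def inspect(self, pkt: Tuple[str, int, bytes]) -> List[Tuple[int, str]]:
        proto, port, payload = pkt  # headers are cheap to read; payload is not
        # Port-specific bin first, then the protocol's "any port" bin.
        cands = self.bins.get((proto, port), []) + self.bins.get((proto, None), [])
        alerts = []
        for s in cands:
            self.regex_evals += 1
            if s.pattern.search(payload):
                alerts.append((s.sid, s.msg))
        return alerts
# Constructed signatures: hypothetical sids and messages, not a real rule set.
SIGS = [
    Signature(1, "HTTP path traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    Signature(2, "Known scanner User-Agent", "tcp", None, re.compile(rb"(?i)user-agent:\s*constructed-scanner")),
    Signature(3, "DNS query for constructed C2 name", "udp", 53, re.compile(rb"constructed-c2")),
]
# Constructed traffic as (proto, dst_port, payload). The last packet carries
# traversal bytes on a non-HTTP port, so signature 1 never examines it.
PACKETS = [
    ("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: h\r\n\r\n"),
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("tcp", 8080, b"GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n"),
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x0econstructed-c2\x03com\x00"),
    ("tcp", 25, b"EHLO ../../ mail.example\r\n"),
]
def run() -> dict:
    eng = SignatureEngine(SIGS)
    hits = [[sid for sid, _ in eng.inspect(p)] for p in PACKETS]
    # naive_evals is the cost without pre-filtering: every signature on every packet
    return {"hits": hits, "regex_evals": eng.regex_evals, "naive_evals": len(PACKETS) * len(SIGS)}
```

With five packets and three signatures, binning performs 7 payload matches instead of the 15 a flat scan would need, at the price of missing any signature whose fixed fields do not match the traffic.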

Unfortunately, signature-based intrusion detection system approaches seem to have been recently neglected by the research community. Few significant gains in the tractability of IDS have been made in the last few years, while many of the scalability issues have been hidden by modern achievements in computing performance and parallelization. Many previously identified issues have simply been swept away by engineering sleight-of-hand, with current systems making gross compromises in the name of engineering feasibility and often requiring a highly trained staff to manage even a single deployed IDS [59].

Within existing threat detection and threat response systems, design and configuration compromises abound. In particular,

• Computationally short-circuiting the detector to only alert on the first (or a limited number) of detected events can allow attackers to “game” intrusion detection systems by flooding these systems with irrelevant information.

• Denial-of-service (DoS) and flooding attacks often cripple IDS and prevent detection of more important attacks masked by the DoS.

• Tuning an IDS to achieve better performance (by removing apparently irrelevant, old, or noisy signatures) decreases the IDS coverage of existing threats. The resulting poor coverage of a “tuned” IDS can also allow obscure and “obsolete” attacks to older systems to go completely unnoticed.

• Removing signatures based on the need to eliminate spuriously large numbers of false positives allows attackers to circumvent detection by making it appear that an alert is a false positive. It is generally trivial to generate traffic to match a detection signature. Using crafted packet traffic, an attacker can generate false positives in obnoxious numbers, resulting in the alert’s subsequent removal (tuning) by administrators.

• Lack of adaptive mechanisms within IDS can allow new attacks to proceed unhindered.

• Lack of industry-wide standards, incentives, and protocols for sharing information (intellectual property in the form of IDS signatures/patterns) results in poor coverage for all.

The size of signature-sets is often kept as small as possible to allow detection systems to perform under peak network loads. Consequently, these systems suffer poor recall due to insufficient coverage of exploits and variants. These limited signature-sets often even preclude comprehensive coverage of expected vulnerabilities and exploits. The Snort IDS, one of the most widely deployed, currently includes approximately 18,000 signatures. This limited signature-set covers only a small fraction of the known threats.

For similar reasons, signatures are written to cover vulnerabilities rather than exploits, resulting in a lack of insight into the active attacker’s methodology and toolset. Without these insights, defensive postures and response actions are generally performed blindly. It is as if we can recognize that the shooter is using some form of projectile weapon through an office window, but we have no idea whether he is using a rock, a .22, or a bazooka.

Even with severely limited signature-sets, the flood of resulting alerts is often too much for a human analyst to reason about, requiring complex aggregation systems to cluster, correlate, and corroborate a fire-hose of (mostly) irrelevant information. From an analyst’s perspective the deluge of data produced by an IDS has the outward appearance of high-coverage, scalable detection. The essential approach to dealing with the fire-hose is to filter, aggregate, and annotate known attacks and unknown anomalies [92]. In theory and practice this helps, but does not address (and actually serves to hide) the underlying problem of the poor coverage and poor performance of the detector. As a result, signature-based systems tend to be either too brittle or too expensive. And in a complementary manner, anomaly-based systems tend to be either too noisy but robust or acceptably quiet but useless. The daunting scale and scope of future requirements is likely to make brute-force IDS intractable without a huge economic cost in hardware and manpower. Arguably, such systems currently achieve only marginal utility, representing simultaneously (and non-intuitively) both the best precision and the poorest coverage of the actual attack vectors and related network activity.