The two greatest weaknesses of Intrusion Detection Systems (IDS) are the ease with which they may be evaded and their tendency to generate vast numbers of false alarms. Sophisticated attackers are able to avoid detection easily, maintaining a low profile by spreading an attack out both in time and in (network) space. Meanwhile, normal user activity keeps generating alerts. IDS have not yet reached a level where they can reliably detect and assess advanced attacks while separating them from normal user activity.
This presentation discusses the use of Information Warfare theory, combined with multiple-target tracking algorithms, to generate a higher level of knowledge from current IDS. Instead of treating the IDS as the final stage in attack determination, we treat it as the first stage. The IDS are sensors on our network, gathering information that is fed into a data fusion engine. By gathering information from different types of IDS and other sensors distributed throughout one or more networks, we aim to generate a higher level of knowledge, a situational awareness, that paints a much clearer picture of the activity on our networks.
By combining and fusing data gathered from many independent networks, it is possible to move away from the traditional defensive posture of network security. In its place we get more of a bird's-eye view of the scene, and are able to see the activity of individual attackers spread out across many networks.
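The sensor-to-fusion-engine pipeline described above, as an added illustration (this is not the ISTS system's code, and the talk does not specify its algorithms): each IDS is reduced to an observation source, a simplified association step stands in for multiple-target tracking (same source address, observations closer together than an assumed gap), and a fused track is judged by how many networks and sensors it spans rather than by what any one sensor saw. The alert tuples, the per-sensor threshold policy, the 2-hour association gap and the flagging rule are all assumptions chosen for the example.

```python
"""Alert fusion across sensors and networks (added example, not the ISTS system).
Sensor alerts are treated as observations; a simplified multiple-target-tracking
step associates them into per-attacker tracks spanning time and networks."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (time_s, sensor, network, src_ip, dst_ip, signature)
Alert = Tuple[int, str, str, str, str, str]

# Constructed sample alerts (not real data). 203.0.113.7 probes two networks
# slowly, never tripping a per-sensor threshold; 198.51.100.4 trips one
# signature twice on a single sensor.
SAMPLE_ALERTS: List[Alert] = [
    (0,    "nids-a", "net-A", "203.0.113.7",  "10.1.0.5", "PORTSCAN"),
    (1800, "nids-a", "net-A", "203.0.113.7",  "10.1.0.9", "PORTSCAN"),
    (3900, "nids-b", "net-B", "203.0.113.7",  "10.2.0.3", "PORTSCAN"),
    (7200, "hids-b", "net-B", "203.0.113.7",  "10.2.0.3", "SSH_BRUTE"),
    (7300, "nids-b", "net-B", "203.0.113.7",  "10.2.0.3", "SSH_BRUTE"),
    (100,  "nids-a", "net-A", "198.51.100.4", "10.1.0.5", "WEB_CRAWLER"),
    (200,  "nids-a", "net-A", "198.51.100.4", "10.1.0.5", "WEB_CRAWLER"),
]


@dataclass
class Track:
    """One tracked source: the fused set of observations attributed to it."""
    src: str
    alerts: List[Alert] = field(default_factory=list)
    networks: Set[str] = field(default_factory=set)
    sensors: Set[str] = field(default_factory=set)
    signatures: Set[str] = field(default_factory=set)

    def add(self, alert: Alert) -> None:
        _, sensor, net, _, _, sig = alert
        self.alerts.append(alert)
        self.networks.add(net)
        self.sensors.add(sensor)
        self.signatures.add(sig)

    @property
    def last_seen(self) -> int:
        return self.alerts[-1][0]


def per_sensor_incidents(alerts: List[Alert], min_count: int = 3,
                         window_s: int = 3600) -> Set[Tuple[str, str]]:
    """What each IDS reports on its own (assumed policy): an incident only when
    one sensor sees min_count alerts from one source within window_s seconds."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for t, sensor, _, src, _, _ in alerts:
        times[(sensor, src)].append(t)
    incidents: Set[Tuple[str, str]] = set()
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):          # sliding window over sorted times
            while ts[hi] - ts[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= min_count:
                incidents.add(key)
                break
    return incidents


def fuse(alerts: List[Alert], max_gap_s: int = 7200) -> List[Track]:
    """Fusion stage: associate observations from every sensor into tracks.
    Association rule (a deliberate simplification of multiple-target tracking):
    same source address, and the observation falls within max_gap_s of the
    track's last one; otherwise a new track is opened."""
    open_tracks: Dict[str, Track] = {}
    tracks: List[Track] = []
    for alert in sorted(alerts, key=lambda a: a[0]):
        src = alert[3]
        track = open_tracks.get(src)
        if track is None or alert[0] - track.last_seen > max_gap_s:
            track = Track(src)
            tracks.append(track)
            open_tracks[src] = track
        track.add(alert)
    return tracks


def flagged_sources(tracks: List[Track], min_alerts: int = 3) -> Set[str]:
    """Situational-awareness rule (assumed): a track deserves an analyst's
    attention when it spans more than one network or accumulates min_alerts
    observations overall, however few any single sensor saw."""
    return {t.src for t in tracks
            if len(t.networks) > 1 or len(t.alerts) >= min_alerts}


if __name__ == "__main__":
    print("per-sensor incidents:", per_sensor_incidents(SAMPLE_ALERTS))
    fused = fuse(SAMPLE_ALERTS)
    for t in fused:
        print(t.src, len(t.alerts), "alerts across", sorted(t.networks), sorted(t.sensors))
    print("fused verdict:", flagged_sources(fused))
```

Run stand-alone, the per-sensor stage reports nothing (no sensor sees three alerts from one source within an hour), while the fused stage produces one track for 203.0.113.7 with five observations across two networks and three sensors, which is exactly the slow, spread-out activity the abstract says single IDS miss. The association rule is the weak point in a real system: keying on source address alone fails against attackers who rotate addresses, which is where proper multiple-target tracking, with its probabilistic data association, is meant to take over.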
This presentation is based on research being conducted at the Institute for Security Technology Studies (ISTS), a federally funded research institute housed at Dartmouth College. A demonstration of the data fusion / target tracking system will be provided during the presentation.