For any of you who have an interest in IDS, I have come across two articles that make fascinating reading. The first article is an analysis of models and techniques for testing IDS signatures to ensure that they adequately match and detect attacks. It includes links to a broad collection of tools and further reading.
The second article covers a topic that greatly interests me: the use of Bayesian statistical analysis to reduce the volume of false positives generated by your IDS. Bayesian analysis is already used by a number of anti-spam tools, such as SpamAssassin, to classify mail as spam or legitimate, cutting down both the spam that gets through and the legitimate mail incorrectly marked as spam. It also appears to have solid applications in IDS tuning. That tuning can be a truly black art at times, and finding the real attacks amongst the network noise and false positives can be problematic. Traditional IDS relies on signature matching, which compares network traffic against the signature of a known attack. In many cases legitimate network traffic also matches an attack signature and is therefore incorrectly flagged by the IDS as an attack. Every one of these false positives needs to be identified, checked and reviewed, which adds enormous management and reporting overhead to an IDS deployment.
With Bayesian analysis, alert data is accumulated and analysed over time. During this phase both false positives and real attacks are flagged by an analyst, and each verdict is fed into a statistical model. After a suitable volume of data has been accumulated, patterns start to emerge in the model: the combinations of alert attributes that are statistically identifiable as false positives, and those that indicate a genuine attack. Those patterns are then applied to new alerts, giving a far more accurate indicator of noise versus malicious traffic and significantly reducing the number of false positives the IDS raises for review. Additionally, verdicts on the new alerts are fed back into the model, so it continues to refine itself as it runs.
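The following is an added worked example of the approach described above; it is not code from the article or from any IDS project. It implements a naive Bayes classifier over a few categorical alert attributes (signature id, destination port, whether the source is internal), trains it on analyst verdicts, scores new alerts with P(false positive | attributes), and folds new verdicts back in. The signature ids, ports and verdicts are constructed sample data, and the feature set and 0.9 suppression threshold are assumptions chosen for illustration.

```python
"""Naive Bayes false-positive filter for IDS alerts (added example, not from the article)."""
import math
from collections import Counter, defaultdict

# Constructed sample data: (alert attributes, analyst verdict).
# "sid" values are placeholders, not real Snort/Suricata rule ids.
LABELLED_ALERTS = [
    ({"sid": "A", "dport": "80",   "src_internal": "yes"}, "fp"),
    ({"sid": "A", "dport": "80",   "src_internal": "yes"}, "fp"),
    ({"sid": "A", "dport": "80",   "src_internal": "yes"}, "fp"),
    ({"sid": "A", "dport": "8080", "src_internal": "yes"}, "fp"),
    ({"sid": "B", "dport": "443",  "src_internal": "yes"}, "fp"),
    ({"sid": "B", "dport": "443",  "src_internal": "yes"}, "fp"),
    ({"sid": "C", "dport": "22",   "src_internal": "no"},  "attack"),
    ({"sid": "C", "dport": "22",   "src_internal": "no"},  "attack"),
    ({"sid": "A", "dport": "80",   "src_internal": "no"},  "attack"),
    ({"sid": "D", "dport": "3389", "src_internal": "no"},  "attack"),
]

# Constructed hold-out alerts with the verdict an analyst later gave them.
EVALUATION_ALERTS = [
    ({"sid": "A", "dport": "80",   "src_internal": "yes"}, "fp"),
    ({"sid": "B", "dport": "443",  "src_internal": "yes"}, "fp"),
    ({"sid": "A", "dport": "8080", "src_internal": "yes"}, "fp"),
    ({"sid": "E", "dport": "80",   "src_internal": "no"},  "fp"),      # never-seen sid
    ({"sid": "C", "dport": "22",   "src_internal": "no"},  "attack"),
    ({"sid": "D", "dport": "3389", "src_internal": "no"},  "attack"),
    ({"sid": "A", "dport": "80",   "src_internal": "no"},  "attack"),  # same sid as the noise, external source
]


class AlertBayesFilter:
    """Naive Bayes over categorical alert attributes with Laplace smoothing.

    alpha keeps a feature value that was never seen with a given verdict
    from driving that verdict's probability to zero.
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()               # verdict -> number of alerts
        self.feature_counts = defaultdict(Counter)  # (feature, value) -> Counter(verdict)
        self.values_seen = defaultdict(set)         # feature -> distinct values seen

    def update(self, alert, verdict):
        """Fold one analyst-confirmed alert in; used for training and for feedback."""
        self.class_counts[verdict] += 1
        for feature, value in alert.items():
            self.feature_counts[(feature, value)][verdict] += 1
            self.values_seen[feature].add(value)

    def _log_score(self, alert, verdict):
        total = sum(self.class_counts.values())
        n_c = self.class_counts[verdict]
        # Smoothed class prior.
        score = math.log((n_c + self.alpha) / (total + self.alpha * len(self.class_counts)))
        for feature, value in alert.items():
            # +1 reserves probability mass for a value not seen in training.
            n_values = len(self.values_seen[feature]) + 1
            n_fv = self.feature_counts[(feature, value)][verdict]
            score += math.log((n_fv + self.alpha) / (n_c + self.alpha * n_values))
        return score

    def p_false_positive(self, alert):
        """P(fp | attributes), normalised with log-sum-exp to avoid underflow."""
        scores = {c: self._log_score(alert, c) for c in self.class_counts}
        m = max(scores.values())
        z = sum(math.exp(s - m) for s in scores.values())
        return math.exp(scores["fp"] - m) / z

    def triage(self, alert, threshold=0.9):
        """Suppress only when confidently noise; anything uncertain goes to an analyst."""
        return "suppress" if self.p_false_positive(alert) >= threshold else "review"


def train(labelled, alpha=1.0):
    model = AlertBayesFilter(alpha)
    for alert, verdict in labelled:
        model.update(alert, verdict)
    return model


def evaluate(model, labelled):
    """Count confirmed false positives the model suppresses and real attacks it would hide."""
    stats = {"fp_total": 0, "fp_suppressed": 0, "attack_total": 0, "attack_missed": 0}
    for alert, verdict in labelled:
        suppressed = model.triage(alert) == "suppress"
        if verdict == "fp":
            stats["fp_total"] += 1
            stats["fp_suppressed"] += suppressed
        else:
            stats["attack_total"] += 1
            stats["attack_missed"] += suppressed
    return stats


if __name__ == "__main__":
    model = train(LABELLED_ALERTS)
    for alert, verdict in EVALUATION_ALERTS:
        print(f"{alert}  analyst={verdict:6}  P(fp)={model.p_false_positive(alert):.3f}  -> {model.triage(alert)}")
    print(evaluate(model, EVALUATION_ALERTS))
```

Two details are worth noting. The threshold is deliberately asymmetric: a suppressed alert that was really an attack is far more costly than a false positive that an analyst has to look at, so only high-confidence noise is suppressed, and alerts with a never-seen attribute (the `sid` "E" case) fall through to review rather than being guessed at. The `sid` "A" alerts also show why the model needs context features beyond the signature id: the same rule is noise from internal hosts and an attack from external ones, and only the `src_internal` attribute lets the model tell them apart.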
The results of a study run by the authors of the article indicate that using Bayesian analysis halved the number of false positives recorded by the IDS. Anything that so significantly increases the probability that an alert from your IDS is a genuine attack greatly enhances the security of your networks. The trade-off to keep in mind is that any alert the model wrongly scores as a false positive is a genuine attack that goes unreviewed, so the suppression threshold needs to be set conservatively and the model's decisions sampled and checked. Further developments in this area should prove extremely interesting.