December 24, 2005

Information Security Magazine August 2005 – NBAD

Category: Security Article Reviews — Raffael Marty @ 6:48 am

I am not sure in what century this article was written. I know, August is almost half a year back, but still, have you not heard of anomaly detection?

The article triggers another question that constantly bugs me: Why do people have to – over and over – invent new terms for old things? I know, most of the time it’s marketing that is to blame, but please! Have you heard of NBAD (network based anomaly detection)? Well, I have and thought that was the term used in the industry. Well, apparently there is another school of thought calling it NAD (network anomaly detection). That’s just wrong. How long have we had anomaly detection? I remember some work written around 5 years ago that outlined the different types of IDSs [btw, I learned from Richard at UCSB that it’s not IDSes, but IDSs]: behavioral-based and knowledge-based ones. Or as others call them, anomaly-based and signature-based. I will try to find the link again for the paper, which originated at IBM Research in Zurich. [Here it is: A Revised Taxonomy for Intrusion-Detection Systems by H. Debar, M. Dacier, and A. Wespi.] So when the author says:

… it helps to understand the differences between it [NAD] and a traditional IDS/IPS.

What does he mean by traditional? Anomaly based systems are IDSs and are among the first ones that were built. So where is the difference?

Let’s continue to see what other things are kind of confusing in the article that is trying to explain what NAD is. The main problem with the article is that it’s imprecise and confusing – in my point of view. Let’s have a look:

NAD is the last line of defense.

Last line? I always thought that host-protection mechanisms would be the last line or something even beyond that, but network based anomaly detection? That’s just wrong!

NADS use network flow data…

Interesting. This is still my definition of an NBAD. Maybe the author is confusing NBADs with anomaly detection. Because anomaly-based IDSs are using a whole range of input sources, and not necessarily network flow data.

NAD is primarily an investigative technology.

Why is that? If that’s really the case, why would I use them at all? I could just use network flow data by itself, not needing to buy an expensive solution. NAD (I am sticking with the author’s term), combined with other sources of information, is actually very very useful in early detection, etc. Correlate these streams with other streams and you will be surprised what you can do. Well, just get a SIM (security information management) to do it for you!

Another thing I love is that _the_ use case called out in the article is detecting worms. Why is everyone using this example? It’s one of the simplest things to do. Worms have such huge footprints that I could write you a very simple tool that detects one. Just run MRTG and look at the graphs. Huge spike? Very likely a worm! (I know I am simplifying a bit here). My point is that there are harder problems to solve with NAD and there are much nicer examples, but the author fails to mention them. The other point is that I don’t need a NAD for this, even SIMs can do that for you (and they have only done that for about three years now, although the author claims that SEMs (how he calls SIMs) are just starting to do this. Well, he has to know.)

I love this one:

Security incident detection typically falls into two categories: signature- and anomaly-based. These terms are so overused …

So NAD is not overused? I actually don’t think they are very overused. There are very clear definitions for them. It’s just that a lot of people have not read the definitions and if they have, don’t really understand them. (I admit, I might not understand them either.) [For those interested, google for: A revised taxonomy for intrusion detection systems]

NAD’s implied advantages include reduced tuning complexity, …

This is again not true. Have you ever tried to train an anomaly detection system? I think that’s much harder than tuning signatures. The author actually contradicts his own statement in the next sentence:

NADS suffer from high false-positive rates…

Well, if it’s so easy to tune them, why are there many false-positives?

What does this mean:

Network anomaly detection systems offer a different view of network activity, which focuses on abnormal behaviors without necessarily designating them good or bad.

Why do I have such a system then? That’s exactly what an anomaly detection system does. It learns normal behavior and flags anomalous behavior. Maybe not necessarily bad behavior, but certainly anomalous!

The case study presented is pretty weak too, I think. Detecting unusual protocols on the network can very nicely be done with MRTG or just netflow itself. I don’t need an NAD (and again, I think this should really be NBAD) for that. By the way, a signature-based NIDS can do some of that stuff too. You have to basically feed it the network usage policy and it can alert if something strange shows up, such as the use of FTP to your financial servers. So is that anomaly detection? No! This goes along with the article claiming that NADs check for new services appearing to be used on machines. I always thought that was passive network discovery. I know things are melting together, but still! Oh, and protocol verification is anomaly detection? No! It’s not. Where is the baseline that you have to train against?
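To make the distinction between a usage-policy check and baseline-trained anomaly detection concrete, here is an added example (not part of the original post) that runs both over constructed flow data: the policy rule needs no training, while the spike detector, in the spirit of the MRTG worm example above, has to learn a baseline first. All addresses, ports and counts are assumptions made up for illustration.

```python
from statistics import mean, stdev

# Assumed usage policy: FTP must never be used toward the financial servers.
FINANCE_SERVERS = {"10.0.5.10", "10.0.5.11"}   # constructed addresses
FORBIDDEN_PORTS = {21}                          # FTP control port

def policy_violations(flows):
    """Static check: no baseline involved, only the written policy."""
    return [f for f in flows
            if f["dst"] in FINANCE_SERVERS and f["dport"] in FORBIDDEN_PORTS]

def train_baseline(counts):
    """Learn 'normal' flows-per-interval from a training window."""
    return mean(counts), stdev(counts)

def anomalous_intervals(baseline, counts, k=3.0):
    """Flag intervals deviating more than k standard deviations from normal."""
    mu, sigma = baseline
    return [i for i, c in enumerate(counts) if abs(c - mu) > k * sigma]

# Constructed sample data: flows per 5-minute interval and a few flow records.
TRAINING_COUNTS = [98, 102, 101, 97, 103, 99, 100, 100]
LIVE_COUNTS = [101, 99, 104, 950, 1020, 100]    # intervals 3 and 4: worm-like spike
LIVE_FLOWS = [
    {"src": "10.0.1.7", "dst": "10.0.5.10", "dport": 443},
    {"src": "10.0.1.9", "dst": "10.0.5.11", "dport": 21},   # violates policy
    {"src": "10.0.1.9", "dst": "10.0.2.20", "dport": 21},   # FTP elsewhere: allowed
]

if __name__ == "__main__":
    baseline = train_baseline(TRAINING_COUNTS)
    print("baseline (mean, stdev):", baseline)
    print("anomalous intervals:", anomalous_intervals(baseline, LIVE_COUNTS))
    print("policy violations:", policy_violations(LIVE_FLOWS))
```

The single FTP flow to a financial server is invisible to the volume baseline, and the spike violates no policy rule, which is why the two checks are different things.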

Finally, why would an NAD, or NBAD for that matter, only be useful in an environment that is, quote: “stable”? I know of many ISPs that are using those systems and they for sure don’t have a stable environment!

Well, that’s all I have…
