How to build a Next Generation Intrusion Detection System: Who has the answer?
State-of-the-art approaches to detecting malware in networks rely on analysing patterns in a network stream. But what if the malware has slipped through all security controls, uses encryption, and is commanded and controlled by a human or an artificial intelligence?
Next generation intrusion detection systems (Next Gen IDS) have to use other methods to detect attacks than today's systems do. The question is not "Which malware has infected a system?"; the question is "Which systems are controlled by a bot or a human attacker, and how can this danger be stopped in time?"
Threat information beyond simple malware patterns has to be provided by or to European Incident Response Teams (IRTs), so that a Next Gen IDS can detect more hidden attacks.
Secunet, as an industry partner in CONCORDIA, develops intrusion detection systems, encryption systems and firewalls for high-security networks. We think that in the future new and further approaches have to be found to defend against highly complex and long-term persistent threats. In CONCORDIA we are working on the question of which technologies are best suited to reach that target.
Building a system that is able to detect something that is not even exactly known is not easy. Our part in CONCORDIA is to find out how new technologies like the following can be used:
- traffic analysis,
- anomaly detection (using history data),
- risk analysis (using threat and risk information),
- rule-based correlation techniques,
- and introspection to examine hosts versus virtual machines.
We are working on a Next Gen IDS framework to enhance state-of-the-art IDS technologies with newer approaches. For this we need the input of researchers from CONCORDIA. Our role is to think about how new technologies can be used in real-world scenarios of the future.
Next Gen IDS Overview
Next Gen IDS systems use other detection techniques than today's systems. The aim is not to gather millions of security events and let a human do the day-by-day analysis, think about what to do next and decide how to react. Next Gen IDS systems have to be more intelligent and more specific in detecting and reacting against a compromised system in a network.
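As an added illustration of the host-centric approach described above (this is example code, not Secunet's or CONCORDIA's framework), the following combines three of the techniques named earlier: anomaly detection against a per-host history baseline, threat information from an IRT, and rule-based correlation, all on flow metadata only, so encrypted traffic is handled the same as plaintext. The flow records, baselines, watch-listed destination and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed flow metadata: (source host, destination, timestamp in seconds).
# No payload is inspected, so the logic applies equally to encrypted traffic.
FLOWS = (
    [("h1", "203.0.113.9", t) for t in range(0, 3600, 300)]       # every 5 min, beacon-like
    + [("h2", "198.51.100.7", t) for t in (10, 95, 700, 1500, 3100)]  # irregular, user-like
    + [("h1", "192.0.2.5", t) for t in (40, 41, 42)]               # short burst
)
# Constructed history baseline: (mean, stdev) of outbound flows per hour per host.
BASELINE = {"h1": (4.0, 1.0), "h2": (6.0, 2.0)}
# Constructed threat information, e.g. destinations reported by an IRT.
THREAT_DESTS = {"203.0.113.9"}

def anomaly_score(host, count, baseline=BASELINE):
    """z-score of this hour's outbound flow count against the host's history."""
    mean, std = baseline.get(host, (float(count), 1.0))
    return (count - mean) / std

def is_beaconing(timestamps, min_flows=5, max_cv=0.1):
    """Near-constant inter-arrival times (low coefficient of variation) suggest C2 beaconing."""
    ts = sorted(timestamps)
    if len(ts) < min_flows:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv

def controlled_hosts(flows=FLOWS, z_threshold=3.0):
    """Rule-based correlation: the verdict names hosts, not malware families."""
    per_pair = defaultdict(list)      # (host, dst) -> timestamps
    per_host_count = defaultdict(int)  # host -> outbound flows this hour
    for host, dst, t in flows:
        per_pair[(host, dst)].append(t)
        per_host_count[host] += 1
    verdicts = {}
    for (host, dst), ts in per_pair.items():
        beacon = is_beaconing(ts)
        z = anomaly_score(host, per_host_count[host])
        reasons = []
        if beacon and z >= z_threshold:
            reasons.append("beaconing+anomalous volume")
        if beacon and dst in THREAT_DESTS:
            reasons.append("beaconing to IRT-reported destination")
        if reasons:
            verdicts.setdefault(host, []).extend(f"{dst}: {r}" for r in reasons)
    return verdicts
```

Only h1 is flagged: its 12 evenly spaced flows to the watch-listed address beacon and push its hourly volume far above baseline, while h2's irregular browsing and h1's three-packet burst never satisfy a rule.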
(By Martin Woitke, Secunet)