Signature no longer valid

Signature-based intrusion detection is already obsolete not only because of the technology's information management deficiencies but also because there are too many ways to fool it.

Even Internet Security Systems realizes that signatures aren't cutting it any longer. Last month, it announced a new threat prevention component to Proventia that relies less on signatures and more on vulnerability management.

Attack and penetration-test tool kits, such as Canvas and Metasploit, can change attack patterns on the fly. Metasploit also includes tools that encode shellscripts (executable hacker code), encrypt the remote shell connection and perform application-layer fragmentation in such random, tiny bits that they can't be analyzed by even the most well-tuned IDS sensor.

"Imagine if an IDS had to decode everything that went by. Then on top of that, what if everything was sent in small packets. Let's say the slash came across in one packet, 'b' in another, 'i' and 'n' in two more," says Jose Avila, founder of H.E. Security Group.

IDSs can't see an encrypted remote-shell connection because they can't perform application-layer defragmentation; it would take too much processing power, among other things. Furthermore, IDS sensors will only alert on a shellscript if it matches a signature, which is easy to change by encoding it.
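The fragmentation case Avila describes, as an added illustration that is not from the article: a naive sensor that matches a content signature against each packet payload in isolation misses the split pattern, while a sensor that reassembles the TCP stream before matching catches it. The signature, sequence numbers and segments below are all constructed.

```python
# Added example (not from the article): per-packet signature matching versus
# matching after TCP stream reassembly. All data here is constructed.
from typing import List, Tuple

SIGNATURE = b"/bin/sh"  # hypothetical content signature for a remote-shell attempt

# Constructed segments: (tcp_sequence_number, payload). The signature is split
# across four tiny segments delivered out of order, the "slash in one packet,
# 'b' in another" scenario from the quote.
SEGMENTS: List[Tuple[int, bytes]] = [
    (1000, b"/"),
    (1003, b"n/sh"),
    (1001, b"b"),
    (1002, b"i"),
]

def per_packet_match(segments, signature=SIGNATURE) -> bool:
    """Naive sensor: inspects each packet payload on its own."""
    return any(signature in payload for _, payload in segments)

def reassemble(segments) -> bytes:
    """Order segments by sequence number and stitch contiguous bytes together.
    Overlapping retransmits keep the earlier bytes; a hole stops reassembly
    until the missing data arrives."""
    stream = b""
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None or seq == expected:
            stream += payload
            expected = seq + len(payload)
        elif seq < expected:  # overlap: append only the bytes not yet seen
            stream += payload[expected - seq:]
            expected = max(expected, seq + len(payload))
        else:
            break  # gap in the stream; wait for more data
    return stream

def stream_match(segments, signature=SIGNATURE) -> bool:
    """Reassembling sensor: matches against the stitched stream."""
    return signature in reassemble(segments)

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS))  # False: evaded
    print("stream match    :", stream_match(SEGMENTS))      # True: detected
```

Real sensors also have to bound how much per-flow state they buffer, which is the processing-power trade-off the paragraph refers to.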

There are many other ways to get around signature-based IDS systems, so it's no wonder vendors are going crazy with other monitoring, correlation and blocking technologies.

Copyright © 2004 IDG Communications, Inc.