Friday, August 25, 2006

On "Behavior vs. Innovation"

So, I was reading this blog by the eEyE guy and he mentioned that some of the techniques used to fight fraud in the banking industry (such as profiling, etc) won't work too well in network security since the banking is much more static. Specifically, he said: "The premise that underlies most behavior based systems - 'If I haven't seen it before, it's not allowed' - is an Achillies heel in an industry where, by definition, creating what you haven't seen before is it's lifeblood."

I think he is being too harsh on this, 'If I haven't seen it before, it's not allowed' still works pretty well in many areas (such as log analysis), especially if you use a milder version of 'If I haven't seen it before, it's *suspicious*'...

1 comment:

Ross Brown said...

Dr. Chuvakin,

Thanks for reading the post; while I think behavioral based assessment is a field that can yield results in specific fields, in security, it requires a lot more finesse or a tradeoff between usability/functionality and security.

My premise in making my comment was based on the practical experiences we have seen at customers, specifically where CSA and other 'learning mode' products would learn bad behavior (bad being defined as malware running on the network) and not learn the behavior of the tools used to fix or correct the malware, which often triggers the same behaviors (changes to the kernel, registry changes, etc.)

To be an effective security solution, especially on the client side, behavioral solutions need to have a tremendous amount of inference weighting to judge behaviors based on a bayesian model or some other statistical engine, otherwise, a human has to do this for the tool.

At the network layer, it can work, but there is a reason that many folks leave network-based security products in 'log-only' mode.



Dr Anton Chuvakin