10117 Snort Alerts in 18 Hours

A quick note regarding intrusion detection systems (IDS)…

The illustration in this post shows a clustered graph of 10,117 Snort alerts (over an 18 hour period), collapsed into 786 nodes and 785 links. These are just “raw alerts” from Snort, and there were no system breaches or intrusions behind them, just noisy IDS alerts.

As you can easily see from this 18 hour snapshot of over 10,000 IDS alerts, an intrusion detection system is generally a very noisy sensor and should be treated as such. IDS have a very low signal-to-noise ratio. Indeed, most systems produce so many raw IDS alerts over the course of a day that it takes a lot of processing to extract meaningful information from the noisy soup of alerts.

Because of this very low signal-to-noise ratio, an experienced attacker can easily set off IDS alerts in the form of a “fake attack” and then go off and attack something else, somewhere totally different, which is the “real” target.
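As an added example (not code from the original post), here is the kind of processing the clustering above implies, applied to the diversion problem: it parses Snort alert_fast lines, collapses them into host nodes and per-signature links with a hit count, and ranks the rarest links first so that a couple of alerts involving a different host are not buried under a flood from one source. The SIDs, addresses and alert lines are all constructed for the example.

```python
import re
from collections import Counter

# Fields of a Snort "alert_fast" line: timestamp, [gid:sid:rev], message, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def cluster_alerts(lines):
    """Collapse raw alerts into a graph: nodes are hosts, links are (src, dst, sid, msg) with a hit count.
    Hundreds of near-identical alerts become one link whose count carries the volume."""
    nodes, links = set(), Counter()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        nodes.update((a["src"], a["dst"]))
        links[(a["src"], a["dst"], a["sid"], a["msg"])] += 1
    return nodes, links

def rank_links(links):
    """Rarest links first: a link with a handful of hits from a host outside the flood
    is what an analyst should see before the flood that dominates the raw count."""
    return sorted(links.items(), key=lambda kv: (kv[1], kv[0]))

def build_sample():
    """Constructed alert_fast lines (hypothetical local SIDs 1000001-1000003, private and RFC 5737 addresses):
    a 200-alert probe flood from one host, plus two quiet alerts involving a different internal host."""
    flood = [
        f"01/15-10:{i // 60:02d}:{i % 60:02d}.000000  [**] [1:1000001:1] DEMO noisy scan probe [**] "
        f"[Priority: 3] {{TCP}} 10.0.0.5:{40000 + i} -> 192.168.1.10:22"
        for i in range(200)
    ]
    quiet = [
        "01/15-11:05:09.000000  [**] [1:1000002:1] DEMO admin login from unexpected host [**] "
        "[Priority: 1] {TCP} 10.0.0.77:51234 -> 192.168.1.20:3389",
        "01/15-11:05:11.000000  [**] [1:1000003:1] DEMO outbound connection to unusual port [**] "
        "[Priority: 2] {TCP} 192.168.1.20:52000 -> 203.0.113.9:8081",
    ]
    return flood + quiet

if __name__ == "__main__":
    nodes, links = cluster_alerts(build_sample())
    print(f"{sum(links.values())} raw alerts -> {len(nodes)} nodes, {len(links)} links")
    for (src, dst, sid, msg), n in rank_links(links):
        print(f"{n:4d}  {src} -> {dst}  sid:{sid}  {msg}")
```

On the constructed input, 202 raw alerts collapse to 5 nodes and 3 links, and the two single-hit links involving 192.168.1.20 sort to the top ahead of the 200-hit flood.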

It’s no different from starting a fire on one street and then going to rob the bank a few streets down or on the other side of town. Everyone responds to the diversion fire, and then it’s easy to rob the bank! Looking at this visual of over 10,000 Snort “raw alerts” in less than 18 hours, it’s no surprise that many organizations simply turn off their IDS to save disk space.

For those who keep their IDS turned on, many people and organizations become the “IDS fool” because they rely on a very noisy sensor that a knowledgeable attacker can easily turn against the organization.

What all this means is that creating cyberspace situational awareness is critically important: we need to build cyber situational knowledge from noisy sensor data fused with other sensors and with human knowledge.

A blast from the past: Intrusion Detection Systems and Multisensor Data Fusion, Communications of the ACM 43(4):99-105, April 2000, DOI: 10.1145/332051.332079.

Quote:

“The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals. For example, during the Langley cyberattack the ID systems failed to detect substantial volumes of email bombs that crashed critical email servers. Coordinated efforts from various international locations were observed as hackers worked to understand the rules-based filter used in counter information operations against massive email bomb attacks.”

“At the other end of the technical spectrum, false alarms from ID systems are problematic, persistent, and preponderant. Numerous systems administrators have been the subject of an ID system reporting normal work activities as hostile actions. These types of false alarms result in financial losses to organizations when technical resources are denied access to computer systems or security resources are misdirected to investigate nonintrusion events. In addition, when systems are prone to false alarms, user confidence is marginalized and misused systems are poorly maintained and underutilized.”