A quick note regarding intrusion detection systems (IDS)…
The illustration in this post shows a clustered graph of 10,117 Snort alerts (over an 18 hour period) clustered into 786 nodes and 785 links. These are just “raw alerts” from Snort; there were no system breaches or intrusions, just noisy IDS alerts.
As you can easily see from this 18 hour snapshot of over 10,000 IDS alerts, an intrusion detection system is generally a very noisy sensor and should be treated as such: its signal-to-noise ratio is very low. Indeed, most systems produce so many raw IDS alerts over the course of a day that it takes a lot of processing to extract meaningful information from the soup of noisy alerts.
Because of this very low signal-to-noise ratio, an experienced attacker can easily set off a burst of IDS alerts with a “fake attack” and then go and attack something else, somewhere totally different: the “real” target.
It’s no different from starting a fire on one street and then robbing the bank a few streets over, or on the other side of town. Everyone responds to the diversionary fire, and then it’s easy to rob the bank! Looking at this visual of over 10,000 Snort “raw alerts” in less than 18 hours, it’s no surprise that many organizations simply turn off their IDS to save disk space.
For those who keep their IDS turned on, many people and organizations become the “IDS fool”, because they hope to rely on a very noisy sensor that a knowledgeable attacker can easily turn against the organization.
What all this means is that creating cyberspace situational awareness is critically important: we need to build cyber situational knowledge from noisy sensor data fused with other sensors and with human knowledge.
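To make the two points above concrete (collapsing thousands of raw alerts into a few nodes and links, and a decoy flood drowning out the one alert that matters), here is an added example that is not part of the original post and not the tooling behind its graph. It parses Snort “fast” format alert lines, clusters them into (signature, source, destination) nodes, and ranks the nodes two ways: by raw count, which the decoy wins, and by signature rarity over the window weighted by Snort priority, which surfaces the single real alert. All SIDs, messages, addresses and counts are constructed for the example.

```python
"""Cluster raw Snort 'fast' alerts into (sid, src, dst) nodes and rank them by
raw volume and by signature rarity. Added example with constructed input; not
the post's data or tooling. SIDs, messages and addresses are hypothetical."""
import re
from collections import Counter
from math import log2

# One Snort fast-format alert line; ports are absent for ICMP, so they are optional.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


def parse_fast_alert(line):
    """Return a dict for one fast-format line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['sid'] = int(d['sid'])
    d['prio'] = int(d['prio'])
    return d


def fast_line(ts, sid, msg, cls, prio, proto, src, dst):
    """Render one constructed alert line in Snort's fast format."""
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: {cls}] "
            f"[Priority: {prio}] {{{proto}}} {src} -> {dst}")


def constructed_window():
    """Constructed 18-hour window: a decoy flood, steady background noise and a
    single alert against the real target (hypothetical SIDs and addresses)."""
    def ts(i):
        return f"04/12-{i // 3600:02d}:{(i // 60) % 60:02d}:{i % 60:02d}.000000"
    lines = []
    # Decoy: 9,000 copies of a low-priority scan signature from one host.
    for i in range(9000):
        lines.append(fast_line(ts(i), 1000001, "ICMP PING NMAP",
                               "Attempted Information Leak", 3, "ICMP",
                               "203.0.113.7", "192.168.1.10"))
    # Background: two hosts cycling three signatures across two targets.
    srcs, dsts = ("192.0.2.44", "192.0.2.45"), ("192.168.1.30", "192.168.1.40")
    msgs = ("SNMP public access udp", "SSH brute force attempt", "DNS zone transfer")
    for i in range(1100):
        lines.append(fast_line(ts(9000 + i * 50), 1000003 + i % 3, msgs[i % 3],
                               "Attempted Information Leak", 2, "UDP",
                               srcs[i % 2], dsts[(i // 2) % 2]))
    # The real attack: one high-priority alert buried under the volume above.
    lines.append(fast_line(ts(40000), 1000009, "WEB-ATTACKS /bin/sh command execution",
                           "Web Application Attack", 1, "TCP",
                           "198.51.100.9:45120", "192.168.1.50:443"))
    return lines


def cluster(alerts):
    """Collapse raw alerts into nodes keyed by (sid, src, dst); links are the
    distinct src -> dst pairs behind those nodes."""
    nodes = Counter((a['sid'], a['src'], a['dst']) for a in alerts)
    links = Counter((a['src'], a['dst']) for a in alerts)
    return nodes, links


def rank_nodes(alerts):
    """Rank nodes by raw count, and by -log2(p_sid) / priority, where p_sid is
    the signature's share of the window and Snort priority 1 is most severe."""
    nodes, _ = cluster(alerts)
    total = len(alerts)
    sig_freq = Counter(a['sid'] for a in alerts)
    prio = {a['sid']: a['prio'] for a in alerts}
    by_volume = nodes.most_common()
    by_rarity = sorted(((-log2(sig_freq[k[0]] / total) / prio[k[0]], k) for k in nodes),
                       reverse=True)
    return by_volume, by_rarity


def analyse(lines):
    """Parse, cluster and rank; returns the summary a triage view would show."""
    alerts = [a for a in map(parse_fast_alert, lines) if a]
    nodes, links = cluster(alerts)
    by_volume, by_rarity = rank_nodes(alerts)
    return {'raw': len(alerts), 'nodes': len(nodes), 'links': len(links),
            'top_by_volume': by_volume[0][0], 'top_by_rarity': by_rarity[0][1]}


if __name__ == '__main__':
    r = analyse(constructed_window())
    print(f"{r['raw']} raw alerts -> {r['nodes']} nodes, {r['links']} links")
    print("loudest node:", r['top_by_volume'])
    print("rarest node: ", r['top_by_rarity'])
```

With the constructed window, 10,101 raw lines collapse to 14 nodes and 6 links; the decoy node tops the volume ranking, while the rarity ranking puts the single command-execution alert first. The rarity score is deliberately computed per node rather than summed per source, so a flood of one signature cannot buy its way up the list, and a source that sprays many signatures does not outrank a single rare, high-priority event.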
A blast from the past: Intrusion Detection Systems and Multisensor Data Fusion, Communications of the ACM, April 2000, DOI: 10.1145/332051.332079.
“The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals. For example, during the Langley cyberattack the ID systems failed to detect substantial volumes of email bombs that crashed critical email servers. Coordinated efforts from various international locations were observed as hackers worked to understand the rules-based filter used in counter information operations against massive email bomb attacks.”