Monday, March 29, 2010

Translation due by 1.04 (1 April)

A version of the translation of the terms from the first part of the text, prepared by A. Fedotov:

система обнаружения (detection system) - Detection system
недостатки (shortcomings) - disadvantages
реализованным методам обнаружения (implemented detection methods) - embodied detection techniques
методологии построения (design methodology) - design techniques
недостаточностью общих соглашений (lack of common agreement) - inadequacy of common agreements
Эффективность (efficiency) - efficaciousness
приводит (leads) - leads to
наблюдаемых событий - observed events
командные интерпретаторы экспертных систем (expert-system shells) - command interpreter of expert systems
обрабатывают свое собственное множество правил (process their own rule set) - process their own set of laws
непрямые зависимости последовательности связей между событиями (indirect dependencies in the sequence of links between events) - indirect dependencies of event connection sequence
До сих пор (until now) - so far
конкретном оборудовании (specific hardware) - concrete equipment
достаточно трудно (rather difficult) - hard enough
похожую политику безопасности - similar security policy
по перемещению СОВ (moving the IDS) - the moving OWLs task - a variant not from the dictionary
значительные доработки (substantial rework) - substantial overpatching


Shortcomings of existing detection systems

The shortcomings of current detection systems fall into two groups: those tied to the structure of the IDS itself, and those tied to the detection methods it implements.

Structural shortcomings of IDSs.

  1. No common design methodology. This is partly explained by the lack of agreed terminology, since intrusion detection is a relatively young field, founded by J.P. Anderson in 1980 [14].
  2. Efficiency. A system's methods often try to detect every attack they can understand, which has several unwelcome consequences. In anomaly detection, for example, resources are consumed heavily: every profile must be updated for every observed event. Misuse detection usually relies on expert-system shells in which the signatures are encoded; these shells frequently process their own rule sets and so consume resources as well. Moreover, such rule sets can express only indirect dependencies between the events of a sequence.
  3. Portability. To date most IDSs are built for specific hardware, and it is hard to use them on another system where a similar security policy must be enforced. For example, moving an IDS from a system that supports only a single-level access list to one with a multilevel access list is quite difficult and requires substantial rework. The main reason is that many IDSs monitor particular devices and the programs of a particular OS. Note also that each OS is designed for particular tasks, so retargeting an IDS to another OS is difficult unless the operating systems share a common design.
  4. Upgradability. Existing systems are very hard to extend with new detection technologies. A new subsystem must interoperate with the whole system, and universal interoperability is sometimes impossible to provide.
  5. Deploying an IDS often requires additional skills quite different from security skills. For example, updating the rule set of a misuse detection system requires specialised knowledge of the expert system; the same applies to the statistical measures of an anomaly detection system.
  6. Performance and supporting tests. It is hard to evaluate IDS performance under real conditions. Moreover, there is no common test methodology for IDSs on which to judge whether a given system is worth deploying in given conditions and to obtain quantitative figures.
  7. Lack of good testing methods.

Shortcomings of the detection methods:

  1. unacceptably high rates of false positives and missed attacks;
  2. weak ability to detect new attacks;
  3. most intrusions cannot be identified in their early stages;
  4. it is hard, and sometimes impossible, to identify the attacker and the target of the attack;
  5. no measures of the accuracy and adequacy of the results;
  6. inability to detect "old" attacks that use new strategies;
  7. difficulty of detecting intrusions in real time with the required completeness in high-speed networks;
  8. weak ability to detect complex coordinated attacks automatically;
  9. heavy load on the host systems when the IDS operates in real time.
  • [14] J.P. Anderson, Computer Security Threat Monitoring and Surveillance, James P. Anderson Co., Fort Washington, PA, April 1980.
  • Source: http://www.citforum.ru/security/internet/ids_overview/#5
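The two paradigms contrasted in item 2 above (misuse detection with a stateless signature rule set, anomaly detection with a profile update for every observed event) and the method-level shortcomings listed afterwards (false positives, and a known attack that slips past a rule once its timing changes) can be seen in miniature in the following Python. It is an added example, not code from the original article or from any real IDS; the event stream, user names, file paths, rule names R1 to R3 and the 0.9 rarity threshold are all constructed for illustration.

```python
# Added example (not from the article): the two IDS paradigms from item 2 run
# over a constructed event stream. Rule names, users, paths and the 0.9
# threshold are assumptions made for illustration.
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int        # seconds into the constructed log
    user: str
    action: str   # login_fail, login_ok, read, write, exec, logout
    target: str


# Constructed baseline used to build bob's profile.
TRAIN = [
    Event(0, "bob", "login_ok", "host1"),
    Event(5, "bob", "read", "/home/bob/a.txt"),
    Event(9, "bob", "read", "/home/bob/b.txt"),
    Event(15, "bob", "write", "/home/bob/a.txt"),
    Event(20, "bob", "logout", "host1"),
]

# Constructed live traffic: alice brute-forces a login fast, reads /etc/shadow
# and spawns a shell; bob runs a tool he never ran before; mallory repeats
# alice's brute force slowly (one attempt per 100 s).
LIVE = [
    Event(100, "alice", "login_fail", "host1"),
    Event(110, "alice", "login_fail", "host1"),
    Event(120, "alice", "login_fail", "host1"),
    Event(125, "alice", "login_ok", "host1"),
    Event(130, "alice", "read", "/etc/shadow"),
    Event(135, "alice", "exec", "/bin/sh"),
    Event(200, "bob", "login_ok", "host1"),
    Event(205, "bob", "read", "/home/bob/c.txt"),
    Event(210, "bob", "exec", "/usr/bin/make"),
    Event(300, "mallory", "login_fail", "host1"),
    Event(400, "mallory", "login_fail", "host1"),
    Event(500, "mallory", "login_fail", "host1"),
    Event(505, "mallory", "login_ok", "host1"),
]

# --- Misuse detection: stateless signatures, one predicate per event --------
SIGNATURES = {
    "R1-exec-shell": lambda e: e.action == "exec" and e.target in ("/bin/sh", "/bin/bash"),
    "R2-shadow-read": lambda e: e.action == "read" and e.target == "/etc/shadow",
}


def misuse_detect(events):
    """Fire every signature whose predicate matches a single event."""
    return [(e.t, name, e.user) for e in events
            for name, pred in SIGNATURES.items() if pred(e)]


def brute_force_then_success(events, n_fail=3, window=60):
    """Sequence rule: n_fail failures then a success within `window` seconds.
    A per-event signature cannot express this; the rule has to keep per-user
    state (the deque), which is the extra cost the text attributes to rule sets."""
    recent, alerts = {}, []
    for e in events:
        q = recent.setdefault(e.user, deque())
        if e.action == "login_fail":
            q.append(e.t)
        elif e.action == "login_ok":
            while q and e.t - q[0] > window:   # forget failures outside the window
                q.popleft()
            if len(q) >= n_fail:
                alerts.append((e.t, "R3-bruteforce-success", e.user))
            q.clear()
    return alerts


# --- Anomaly detection: one profile per user, updated on every event --------
class Profile:
    def __init__(self):
        self.counts, self.total = Counter(), 0

    def update(self, action):
        self.counts[action] += 1
        self.total += 1

    def rarity(self, action):
        """1.0 = never seen for this user (also for a user with no history)."""
        return 1.0 if self.total == 0 else 1.0 - self.counts[action] / self.total


def anomaly_detect(train, live, threshold=0.9):
    """Return (alerts, number of profile updates); every event costs one update."""
    profiles, updates, alerts = {}, 0, []
    for e in train:
        profiles.setdefault(e.user, Profile()).update(e.action)
        updates += 1
    for e in live:
        p = profiles.setdefault(e.user, Profile())
        score = p.rarity(e.action)           # scored before the event is absorbed
        if score >= threshold:
            alerts.append((e.t, "anomaly", e.user, e.action, round(score, 2)))
        p.update(e.action)
        updates += 1
    return alerts, updates


if __name__ == "__main__":
    for a in misuse_detect(LIVE) + brute_force_then_success(LIVE):
        print("misuse ", a)
    alerts, updates = anomaly_detect(TRAIN, LIVE)
    for a in alerts:
        print("anomaly", a)
    print(updates, "profile updates for", len(TRAIN) + len(LIVE), "events")
```

Running it shows the trade-offs the article lists: the two single-event signatures fire exactly twice, both on alice, and nowhere else; the sequence rule catches alice's fast brute force but misses mallory's slow one entirely, the "old attack with a new strategy" of item 6; the anomaly profiles do flag mallory's eventual login, but also bob's first use of make and every new user's very first event, which are the false positives of item 1, and they pay for it with one profile update per event (18 updates for 18 events).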

    22 comments:

    1. Disadvantages of present detection systems

      Disadvantages of present detection systems can be divided into two groups: the disadvantages associated with the structure of dse (I understood it as "detection systems against enemy") and the disadvantages related to the consummated methods of detection.
      Disadvantages of dse
      1) Lack of a common methodology of construction. It can be partially explained by the insufficiency of common agreements in terminology, as dse is a new enough direction, from Anderson (J.P. Anderson) in 1980 [14].
      2) Efficiency:
      Often system methods try to detect any clear attack, which leads to a number of unsatisfactory consequences. For example, when detecting anomalies, resources are substantially consumed: for any profile an update is needed for each of the observed events. At detection of abuses, command interpreters of expert systems are usually used, with whose help signatures are encoded. Very often these command interpreters treat their own quantity of rules and, accordingly, also consume resources. Moreover, the quantity of rules resolves only indirect dependences of the sequence of links between events.
      3) Portability
      Till now the majority of dse are created for usage on concrete equipment, and it is difficult to use them in another system where we need to implement similar security policies.
      For example, the task of moving dse out of a system which supports only a single-level list of access into a system with a multilevel one is quite complex, and its solution will require substantial additional work. The main reason for this is that a lot of sde control specific devices and programs of a certain OS. Also note that each operating system works for special tasks. Therefore, to reorient sde to other OSs is difficult enough, except when the operating systems have common styles.
      4) Possibilities of upgrade
      Upgrading existing systems to new technologies of detection is very difficult. The new subsystem must interact with the entire system, and sometimes universal interaction is impossible.
      5) To install sde often requires additional skills, significantly different from the skills of security. For example, in detection systems of abuses an upgrade of the quantity of rules requires specialized knowledge of an expert system. Similar things can be said about the static measurements of anomaly detection systems.
      6) Productivity and auxiliary tests: it is difficult to estimate the productivity of sde in actual practice. Moreover, there is no common quantity of rules for testing the sde on the basis of which we can say something about the expediency of using this system in specific conditions and obtain some quantitative index.
      7) Absence of good ways of testing.
      Disadvantages of methods of detection:
      1 - unacceptably high rate of false positives and omissions of attacks;
      2 - weak ability to detect new attacks;
      3 - most intrusions cannot be determined at the initial stages;
      4 - difficult, sometimes impossible, to identify the attacker and the target of the attack;
      5 - lack of an evaluation of accuracy and adequacy of performance;
      6 - impossible to define "old" attacks using a new strategy;
      7 - complexity of detection of intrusions in real time with sufficient completeness in high-speed networks;
      8 - weak capacity for automatically detecting complex and coordinated attacks;
      9 - significant overloading of systems (where dse work) while working in real time;

      Whoa, that's a lot.
      And the text is kind of not simple.)
    2. This comment has been removed by the author.
    3. Well, Roma, I told you yesterday that you can submit it later, not necessarily exactly by 1.04.
      And if it is hard, you can ask me questions tomorrow :)
    4. Disadvantages of existing detection systems

      Disadvantages of modern detection systems can be divided into two groups - the disadvantages associated with the structure of OWL and the disadvantages relating to existing methods of detection.

      Disadvantages of OWL structures.
      1. Lack of a common methodology of construction. It can be partially explained by the lack of general agreement in the terminology, because OWL is a new direction founded by Anderson (J.P. Anderson) in 1980 [14].
      2. Efficiency. Most system methods try to detect any known attack. It leads to a number of unsatisfactory consequences. For example, detection of anomalies needs resources. Any profile needs an update for each of the observed events. If you find abuse, shells of expert systems, in which signatures are encoded, are commonly used. Shells of expert systems that code signatures are used when abuses are found. Very often these shells are treated with their own set of rules and accordingly need resources. Moreover, the set of rules allows only indirect dependencies of the sequence of event relationships.
      3. Portability. Until now most OWLs are created for a particular purpose, and it is difficult to use them in another system where you want to implement similar security policies. For example, the problem of moving the OWL from a system which supports only a single-level access list to a system with a multilevel one is quite difficult, and its solution will require substantial overpatching. The main reason is that many OWLs monitor certain devices and programs of a specific OS. Also note that each operating system is designed to perform specific tasks. Consequently, moving an OWL to another operating system is difficult, except in cases where the OS is developed with some general style.

      To be continued...
    5. What, no check today :( yeah.
    6. There will be, but now definitely "today", and this is not an April Fools' joke. :)

      I'd better bring the checked work to class tomorrow-today.
      (And Tosha's I'd better check in full right away)
    7. Disadvantages of existing detection systems.

      Disadvantages of modern detection systems can be divided into two groups - the disadvantages associated with the IDS structure, and disadvantages relating to the implemented methods of detection.

      Disadvantages of IDS structure.

      1. Absence of common design techniques. Partially it is possible to explain it by the inadequacy of common agreements in terminology, as IDS is a new enough direction, founded by Anderson in 1980.
      2. Efficiency. Often system methods try to detect any clear attack, which leads to a number of unsatisfactory consequences. For example, at detection of anomalies resources are essentially consumed: for any profile, updates are required for each of the observed events. At abuse detection, command interpreters of expert systems are usually used, whereby signatures are coded. Very often these command interpreters process their own set of laws and also consume resources. Moreover, the set of laws allows only indirect dependences of event connection sequence.
      3. Portability. So far most IDS are created for use on concrete equipment, and it is hard enough to use them in another system where it is required to realise a similar security policy. For example, the task of moving an IDS from a system supporting only a single-level access list to a system with a multilevel access list is difficult enough, and its solution will require considerable completions. The main reason is that many IDS monitor certain devices and programs of a concrete OS. Also it is necessary to notice that each OS is developed for the performance of concrete tasks. Hence, reorienting an IDS to another OS is difficult enough, with the exception of those cases when the OSs are developed in a common style.
      4. Updating possibilities. It is very difficult to update existing systems with new detection technologies. The new subsystem should interact with the whole system, and sometimes it is impossible to provide a universal interaction possibility.
      5. For installation of IDS very often additional skills are required, essentially different from skills in the security area. For example, for updating the set of laws in abuse detection systems, specialised knowledge of the expert system is required.
      6. Productivity and auxiliary tests: it is difficult to estimate the productivity of IDS in actual practice. Moreover, there is no common set of laws for testing IDS that could tell about the expediency of using the given system in concrete conditions and give any quantitative data.
      7. Absence of good ways of testing.

      Disadvantages of the detection methods:
      1. Inadmissibly high level of false operations and passes of attacks;
      2. Weak possibilities of detection of new attacks;
      3. Most intrusions cannot be defined at the initial stages;
      4. Difficult, sometimes impossible, to identify the attacker and the attack purposes;
      6. It is impossible to define "old" attacks using a new strategy;
      7. Complexity of intrusion detection in real time with the demanded completeness in high-speed networks;
      8. Weak possibilities of automatic detection of difficult coordinated attacks;
      9. A considerable overload of systems in which IDS function, at work in real time;
    8. This comment has been removed by the author.

    9. This comment has been removed by the author.
    10. quantity - set
      Didn't you once write in a comment on my work that writing "set" is wrong? Or was that a different case? (I think it was "свод правил" (a code of rules) there)
      And when, in general, is it correct to say quantity?
      or set?
    11. Aha, so that's who is to blame for this abundance of comments :)
      Roma, it is better, of course, to look at specific cases rather than "in general" (I'll have to look at your works and sort it out). But in this text the author writes "множество", which is customarily translated with the word "set".
      "Quantity" is "количество", that is, "a quantity, some number of rules" sounds bad.
      Thanks for the question :)
    12. Disadvantages of existing detection systems

      Disadvantages of modern detection systems can be divided into two groups - the disadvantages associated with the structure of IDS (the intrusion detection system), and disadvantages relating to the implemented methods of detection.

      Disadvantages of IDS

      1. The common methodology is lacking. It can be partially explained by the lack of general agreement in the terminology, as IDS is a new direction, founded by Anderson in 1980.

      2. Efficiency. Often system methods try to detect any clear attack, which leads to a number of unsatisfactory consequences. For example, the system consumes substantial resources when detecting anomalies, and any profile should be updated for each of the observed events. If abuse was found, command interpreters of expert systems, in which signatures are encoded, are generally used. Very often these command interpreters of expert systems process their own set of rules and, accordingly, also consume resources. Thus, the set of rules allows only indirect dependence on the sequence of relationships between events.

      3. Portability. So far, most IDS are created for use on special equipment, and it is difficult to use them in another system where you want to implement similar security policies. For example, the problem of displacement of the IDS from a system which supported only a single-level access list to a system with a multilevel one is quite complex, and its solution will require significant rework. The main reason is that many IDS monitor certain devices and programs of a specific OS. Also note that each operating system is being developed for specific tasks. Thus, the conversion of IDS to other operating systems is difficult, except in cases where the OS is developed in some general style.

      4. Support for updates. It is very difficult to upgrade existing systems with new technologies of detection. The new subsystem must interact with the whole system, and sometimes it is impossible to give universal compatibility.

      5. To install the IDS often requires additional skills, significantly different from the skills in the area of security. For example, to update the set of rules in systems of detecting abuse requires specialized knowledge of an expert system. This can be said about the static measurements of an anomaly detection system.

      6. Performance and helper tests - it is difficult to assess the performance of IDS in reality. Moreover, there is no common set of rules for testing the IDS on the basis of which one could say something about the feasibility of using this system in specific situations and obtain some quantitative indicators.

      7. Good ways to test are lacking.

      Disadvantages of detection methods:

      1. unacceptably high rate of false positives and passed attacks;
      2. weak capacity to detect new attacks;
      3. most intrusions cannot be determined at the initial stages;
      4. difficult, sometimes impossible, to identify the attacker and the target of the attack;
      5. evaluation of accuracy and adequacy of performance is lacking;
      6. impossible to define "old" attacks using a new strategy;
      7. the complexity of intrusion detection in real time with the required fullness in high-speed networks;
      8. weak capacity for automatically detecting complex coordinated attacks;
      9. significant overloading of systems where the IDS functions, while working in real time;
    13. Disadvantages of existing systems of detection.
      Shortcomings of modern detection systems can be divided into two groups - the disadvantages linked to the structure of OWL, and the disadvantages concerning embodied detection techniques.
      Disadvantages of OWLS structures.
      1) Absence of common design techniques. Partially it is possible to explain it by the inadequacy of common agreements in terminology, as OWLS is a new enough direction, founded by Anderson (J.P. Anderson) in 1980.
      2) Efficiency. Often methods of the system try to detect any clear attack, which leads to a set of unsatisfactory consequences. For example, at detection of anomalies resources are essentially consumed: any profile needs upgrades for each of the observed events. At detection of abuses, command interpreters of expert systems are commonly used, with whose help signatures are encoded. Very often these command interpreters process their own set of laws and, accordingly, also consume resources. Moreover, the set of rules allows only indirect dependencies of event connection sequence.
      3) Portability. So far most OWLs are created for use on specific equipment, and it is hard enough to use them in another system where it is required to realise a similar security policy. For example, the task of moving an OWL from a system with a single-level list of access to a system with a multilevel one is quite complex, and its solution will require substantial overpatching. The main reason for it is that many OWLs monitor certain devices and programs of a concrete OS. Also it is necessary to notice that each OS is developed for the performance of specific targets. Therefore, reorienting OWLS to another OS is difficult enough, except in cases where the OS is developed in some general style.
      4) Possibilities of upgrade. It is very difficult to upgrade existing systems with new technologies of detection. The new subsystem must interact with the entire system, and sometimes it is impossible to provide a universal possibility of interaction.
      5) Installation of OWLS often requires additional skills, essentially different from skills in the field of security. For example, an upgrade of the rules set in systems of detection of abuse requires specialized knowledge of an expert system. Similarly it is possible to tell about static measurements of a system of anomaly detection.
      6) Productivity and auxiliary tests: it is difficult to estimate the productivity of OWL in actual practice. Moreover, there is no common set of rules for testing OWLS on whose basis it would be possible to tell about the expediency of usage of the given system in concrete conditions and to receive any quantity indicators.
      7) Lack of good ways to test.
      Disadvantages of detection methods:
      1) Unacceptably high rate of false positives and omissions of attacks;
      2) Weak possibilities of detection of new attacks;
      3) Most intrusions cannot be determined at the initial stages;
      4) Difficult, sometimes impossible, to define the attacker and the attack purposes;
      5) Lack of an evaluation of accuracy and adequacy of performance;
      6) Impossible to define "old" attacks using a new strategy;
      7) The complexity of intrusion detection in real time with the desired fullness in high-speed networks;
      8) Weak possibility of automatic detection of complex coordinated attacks;
      9) Considerable overload of systems in which OWL functions, in operation in real time;
    14. 4. Update possibility. It is very difficult to upgrade existing systems with new detection technologies. The new subsystem must interact with the entire system, and sometimes it is impossible to provide universal interoperability.
      5. Installation of the OWL often requires additional skills, which are significantly different from security skills. For example, to update the set of rules in an abuse detection system you need specialized knowledge of an expert system. This can be said about the static measurement of an anomaly detection system.
      6. Performance and additional tests. It is difficult to evaluate the performance of OWL IRL. Moreover, there is no common set of rules for OWL testing which can say something about the feasibility of using this system in specific contexts and obtain some quantitative indicators.
      7. Lack of good ways to test.

      Disadvantages of detection methods:

      1. Unacceptably high rate of false actuation and attack omissions;
      2. Low capacity of new attacks detection;
      3. Most intrusions cannot be determined at the initial stages;
      4. It's difficult, sometimes impossible, to identify the attacker and the target of the attack;
      5. Lack of an evaluation of accuracy and adequacy of results;
      6. Impossibility to define "old" attacks using a new strategy;
      7. The complexity of intrusion detection in real time with the desired fullness in high-speed networks;
      8. Low capacity of automatic detection of complex coordinated attacks;
      9. Significant overloading of systems in which the OWL is working in real time;
    15. Disadvantages of existing detection systems

      Disadvantages of modern detection systems can be divided into groups - the disadvantages connected with the structure of PSB, and the disadvantages concerning realised methods of detection.

      Disadvantages of structures in PSB.

      Absence of a general methodology of construction. Particularly it is the lack of general agreements in terminology, because PSB is a new direction, founded by Anderson (J.P. Anderson) in 1980.
      Efficiency. Often methods of the system try to find out any clear attack, which leads to a number of bad consequences. For example, if anomalies are detected, resources are essentially consumed: for any profile, updates for each of the observable events are required. At detection of abuses, usually signatures are coded with the help of expert systems. Very often these command interpreters process their own many rules and consume resources. Moreover, the many rules resolve only indirect dependences of sequences of communications between events.
      Portability. So far many PSB are created for use on concrete hardware, and it is difficult enough to use them in another system with a similar security policy. For example, the problem of moving a PSB from a system with a single-level list of access to a system with multilevel access is hard enough, and substantial overpatching is required. A principal cause is that many PSB observe certain devices and programs of a concrete OS. Also it is necessary to note that each OS is developed for specific targets. Then, reorienting PSB to another OS is hard enough, with the exception of cases when the OSs are developed in some general style.
      Updating possibilities. It is very hard to update existing systems with new technologies of detection. The new subsystem should co-operate with the whole system, and at times it's impossible to provide a universal possibility of co-operation.
      For installation of PSB additional skills are very often required. For example, for updating many rules in systems of detection of abuses, specialised knowledge of the expert system is required. Similarly it is possible to tell about static measurements of a system of detection of anomalies.
      Productivity and auxiliary tests: it is hard to estimate the productivity of PSB in real life. Moreover, there is no general set of rules for testing PSB on whose basis it would be possible to tell about the expediency of use of the given system in concrete conditions and to get quantity indicators.
      Nothing of good ways of testing.
      Disadvantages of methods of detection:

      unacceptably high rate of false positives and omissions of attacks;
      weak capacity to detect new attacks;
      most intrusions cannot be determined at the initial stages;
      difficult or impossible to identify the attacker and the target of the attack;
      nothing of accuracy and adequacy of performance;
      impossible to define "old" attacks with a new strategy;
      hardness of intrusion detection in real time with the desired fullness in high-speed networks;
      weak capacity for automatically detecting complex coordinated attacks;
      significant overloading of systems where the PSB functions, while working in real time;
    16. Disadvantages of existing detection systems.
      Disadvantages of existing detection systems can be divided into two groups - disadvantages associated with ADS structure and disadvantages concerning embodied detection techniques.
      Disadvantages of ADS structure:
      1) Absence of general design techniques. Partly it can be explained by the inadequacy of common agreements in terminology, because ADS is a new enough direction, grounded by J.P. Anderson in 1980.
      2) Efficaciousness. System methods often try to detect any clear attack, which leads to a list of unsatisfactory consequences. For example, detection of anomalies consumes a lot of resources - any profile needs updating for all observed events. Abuse detection often uses a command interpreter of expert systems, with the help of which signatures are encoded. Very often this command interpreter processes its own set of laws and accordingly consumes resources. Moreover, a lot of rules allows only indirect dependencies of event connection sequence.
      3) Portability. So far, the majority of ADSs are created for usage on concrete equipment, and it is hard enough to use them on another system with a similar security policy. For example, moving the ADS from one system which supports only a single-level list of access into a system with a multi-level list is hard enough and will require substantial additional work. The principal cause of this is that most ADSs observe certain devices and programs of the concrete OS. Also it is necessary to notice that every OS is created to solve concrete tasks. Therefore, reorienting ADS to other OSs is hard enough, except in cases when the OSs are created in a similar way.
      4) Upgrade possibilities. It is very hard to upgrade existing systems with new detection technologies. The new subsystem must interact with the whole system, and sometimes it is impossible to give universal compatibility.
      5) Installation of ADS very often demands some special skills, which essentially differ from skills in the security area. For example, to upgrade many rules in an abuse detection system you must have special knowledge about the expert system. The same can be said about static measurement of anomaly detection systems.
      6) Productivity and helper tests - it is hard to appreciate the productivity of ADS in real conditions. Moreover, there is no general set of rules to test ADS, on the basis of which you can say something about the expediency of usage of a concrete system in concrete conditions and get some quantity indicators.
      Lacks of detection systems
      1) Inadmissibly high level of malfunctioning and skipping of attacks;
      2) Weak possibilities of detection of new attacks
      3) Most intrusions can't be defined at the initial stages
      4) It is hard or sometimes impossible to identify the attacker and the targets of the attack
      5) Lack of an evaluation of accuracy and adequacy of results
      6) It is impossible to define old attacks which use new strategies
      7) The complexity of intrusion detection in real time with the desired fullness in high-speed networks
      8) Low capacity of automatic detection of complex coordinated attacks
      9) Significant overloading of systems in which the OWL is working in real time
    17. Our grade books don't have the oral retelling on denial of service marked.
      As far as I remember, the retelling we did in class is marked there, but not the homework one.
      That seems to be the case.
    18. Defects of existing detection systems


We can divide the defects of modern detection systems into two groups: defects of the OWL structure and defects of the implemented detection methods.

Defects of the OWL structure:
1. There are no common design techniques. This can be partially explained by the inadequacy of common agreements in terminology, as the OWL is a new direction, created by Anderson in 1980.
2. Efficaciousness. Usually system methods try to detect any known attack, and that causes many bad effects. For example, in the case of anomaly detection the use of resources is sufficiently great, because each profile needs updates for all observed events. If abuse detection is used, it is command interpreters of expert systems that are used for signature encoding. Usually these interpreters process their own set of laws and consume resources sufficiently. Moreover, the set of laws allows only indirect dependencies of event connection sequence.

3. Portability. Heretofore the majority of OWLs are created for concrete equipment, and it is difficult enough to use them in another system where a similar security policy is needed. For example, the task of moving an OWL from a system with only one access level to a multilevel system is difficult and needs substantial overpatching for successful solving. The main reason is the OWL's observation of concrete devices and concrete OS programs. Also, each OS is developed for concrete task execution. So, transferring an OWL from one OS to another is difficult enough. The exception is the case of one and the same style of OS development.

4. Update possibilities. The renewal from existing systems to new detection technologies is a very difficult task. A new subsystem should interact with the whole system, and usually we can't provide a universal possibility of interaction.

5. OWL installation needs additional skills not associated with computer security. For example, updating the set of rules in abuse detection systems requires specialized knowledge of expert systems. Static measuring of anomaly detection systems is the same thing.

6. Performance and additional tests. It's difficult to estimate OWL performance in real life. Moreover, a common set of rules for OWL testing is absent. Basing on this set of rules, we could tell about the sense of using that system in concrete terms and get some quantitative measures.

      7. Absence of good testing methods.


      Disadvantages of detection methods:

1. inadmissibly high level of misoperations and attack skipping;
2. low possibilities of new attack detection;
3. the majority of intrusions can't be defined on the first levels;
4. it's difficult or sometimes impossible to define the attacker and the object of attack;
5. absence of precision criteria and of adequacy of the results of work;
6. it's impossible to define old attacks with new strategies;
7. complicacy of intrusion detection in real time with the required fullness in high-speed networks;
8. poor possibilities of automatic detection of complicated concerted attacks;
9. in the case of real-time working, substantial overload of the system with the OWL occurs.

19. Yes, that's my glitch :(
I'll fix it now, thanks, Roma!!!

20. The disadvantages of modern detection systems can be divided into two groups: the disadvantages associated with the structure of the OWL, and deficiencies relating to the embodied detection techniques.

Disadvantages of OWL structures.

1. Lack of common design techniques. It can be partially explained by the lack of general agreement in terminology, as the OWL is a new direction, founded by Anderson (J.P. Anderson) in 1980.
2. Efficaciousness. Most methods try to detect any understood attack, which leads to a number of unsatisfactory consequences. For example, when detecting anomalies, resources are substantially consumed: for any profile an update is needed for each of the observed events. When detecting abuse, shells of expert systems are commonly used, by which signatures are encoded. Very often these shells process their own set of rules and, accordingly, also consume resources. Moreover, the set of rules allows only indirect dependencies on the sequence relationships between events.
3. Portability. Until now, most OWLs are created for a particular purpose, and it is difficult to use them in another system where you want to implement similar security policies. For example, the problem of moving an OWL from a system which supports only a single-level access list to a system with multilevel access is quite complex, and its solution will require substantial revision. The main reason is that many OWLs monitor certain devices, programs and specific OSes. Also note that each operating system is developed for specific tasks. Consequently, shifting an OWL to other operating systems is difficult, except in cases where the OSes were developed in some general style.
4. Update features. It is very difficult to upgrade existing systems with new detection technologies. The new subsystem must interact with the entire system, and sometimes it is impossible to provide universal interoperability.
5. Installing an OWL often requires additional skills, significantly different from skills in the field of security. For example, updating the set of rules in abuse detection requires specialized knowledge of an expert system. The same can be said about the static measurement of anomaly detection systems.
6. Performance tests and support. It is difficult to assess the performance of an OWL in the wild. Moreover, there is no common set of rules for testing an OWL on the basis of which one could judge the feasibility of using this system in specific contexts and obtain some quantitative indicators.
7. Lack of good ways to test.

      Disadvantages of detection methods:

1. unacceptably high rate of false positives and missed attacks;
2. weak capacity to detect new attacks;
3. most intrusions cannot be determined at the initial stages;
4. difficult, sometimes impossible, to identify the attacker and the target of the attack;
5. lack of an evaluation of accuracy and adequacy of performance;
6. impossible to detect "old" attacks using a new strategy;
7. the complexity of intrusion detection in real time with the desired fullness in high-speed networks;
8. weak capacity for automatically detecting complex coordinated attacks;
9. significant overloading of the systems on which the OWL functions while working in real time;

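The trade-offs listed in the translations above (signature-based misuse detection missing new attacks, anomaly detection producing false positives and paying a profile update for every observed event) can be seen on a toy example. The following Python is an added illustration, not part of the original text or of the students' translations; the audit records, the single regex signature and the per-user profile feature are all constructed assumptions for the demonstration.

```python
"""Toy comparison of misuse (signature) and anomaly (profile) detection.

Added example, not from the original text. Records are constructed, not real logs.
"""
import re
from collections import Counter, defaultdict

# Constructed baseline of benign (user, shell command) records used to build profiles.
BASELINE = [
    ("alice", "ls -la /home/alice"),
    ("alice", "cat /home/alice/notes.txt"),
    ("alice", "vim /home/alice/report.md"),
    ("alice", "ssh backup.internal"),
    ("bob", "ls /srv/www"),
    ("bob", "cat /srv/www/index.html"),
]

# Constructed records to be inspected (comments give the intended ground truth).
OBSERVED = [
    ("alice", "cat /home/alice/todo.txt"),        # 0: ordinary behaviour
    ("alice", "cat /etc/passwd"),                 # 1: matches the known signature
    ("bob", "cat /etc/shadow"),                   # 2: same intent, no signature exists
    ("alice", "tar czf backup.tgz /home/alice"),  # 3: legitimate but never seen before
]

# Misuse detection: a fixed rule set, evaluated statelessly per event.
SIGNATURES = [re.compile(r"\bcat\s+/etc/passwd\b")]


def misuse_detect(events):
    """Indices of events matching any signature; unknown variants are missed."""
    return [i for i, (_, cmd) in enumerate(events)
            if any(sig.search(cmd) for sig in SIGNATURES)]


def feature(cmd):
    """Coarse behaviour feature (assumed): (program, top-level dir of first path arg)."""
    tokens = cmd.split()
    paths = [t for t in tokens[1:] if t.startswith("/")]
    top = "/" + paths[0].split("/")[1] if paths else ""
    return (tokens[0], top)


class AnomalyDetector:
    """Per-user profile of seen features; every event costs a profile update."""

    def __init__(self):
        self.profiles = defaultdict(Counter)
        self.updates = 0

    def train(self, events):
        for user, cmd in events:
            self.profiles[user][feature(cmd)] += 1
            self.updates += 1

    def detect(self, events):
        alerts = []
        for i, (user, cmd) in enumerate(events):
            f = feature(cmd)
            if self.profiles[user][f] == 0:   # never seen for this user -> alert
                alerts.append(i)
            self.profiles[user][f] += 1       # profile updated on every event
            self.updates += 1
        return alerts


def compare(baseline=BASELINE, observed=OBSERVED):
    """Run both detectors and report alerts plus the anomaly detector's update cost."""
    det = AnomalyDetector()
    det.train(baseline)
    return {
        "misuse": misuse_detect(observed),
        "anomaly": det.detect(observed),
        "profile_updates": det.updates,
    }


if __name__ == "__main__":
    print(compare())
```

On these records the signature detector flags only event 1 and misses the unsigned variant at event 2, while the profile detector flags events 1, 2 and 3, the last being a false positive on a legitimate command, and touches a profile for every one of the ten records it processes.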