Transcript ppt

Defense Questions
• # of correlated attacks: under-estimated or
over-estimated?
• Conservative estimation
– Average across all the three dataset? Dataset w/ 40
IDSs hard to see correlated attacks !
• Over estimation
– How are the IDS deployed? For DShield data, 1657
IDSs in less than 1657 class C networks ! Multiple
IDSs from the same network ?
Defense Questions II
• Time between correlated attacks. Isn’t 10 min
the threshold for defining DoS attacks?
• Definition on correlated attacks: same src IP +
interval < 10 mins.
– How about DoS attacks w/ spoofed IP? Why is there
no difference in Fig. 9?
– Hard to send spoofed packets nowadays ?
» Egress filters enabled by ISP
– The attack type distribution info will be helpful.
Defense Questions III
• Persistent correlated IDSs, but attackers
keep changing !
• How to get the target list in advance ? Shared
with different attackers !
Defense Questions IV
• How effective is the CBC ? Attackers can
fool this by periodically changing the attack
group.
• Can be effective for host-based IDS, but
hard to apply for router/gateway based IDS
b/c there are various types of services in the
network monitored by the IDS
– It ends up in every group !