
There's a decent case for using anomaly detection in an attempt to solve some zero-day attacks. The idea of not knowing what you don't know can be used in such scenarios. I 'know' what looks right, and I won't allow for anything that doesn't look right. That doesn't solve all problems, but it can certainly cut down on a large number of them.

What I did see a lot of, though, in a lot of the case studies/readings/etc., was that seemingly any time advancements were made in one area, closing off particular patterns or styles of exploitation, the energy and resources would often switch to another domain, and there's a mad scramble to solve it.

Just my two cents, and a bit off topic.



> I 'know' what looks right, and I won't allow for anything that doesn't look right.

The way I view it, it's sort of like when a player glitches themselves outside of the boundaries of the level in a video game and is able to bypass all the battles the game has in store for them and walk directly to the objective. Anomaly detection only works if they are playing inside the realm of the system, but if something manages to break out of the sandbox, then detection can be bypassed because it was never a condition thought possible and therefore not checked for.

For example, you can have code to detect abnormal HTTP requests, but if there is a vulnerability in a webserver's memory management of reading bytes from a socket, then it allows the attacker to "break out" of the system before you can detect it. Now you might be saying, well, we can detect when they breach memory, but it just creates another cat and mouse game at a different level. This all assumes there are no bugs in the anomaly detection systems themselves.
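An added example (not code from either commenter) of the "I know what looks right" approach applied to HTTP request lines: a profile is learned from constructed known-good traffic, and anything the profile does not cover is denied, including request lines the parser cannot understand, which are treated as anomalies rather than silently ignored. The baseline lines, path-template normalization and size limit are all assumptions made for the illustration; note that the detector only sees what the HTTP layer hands it, so a bug below that layer (as the reply above describes) stays invisible to it.

```python
import re
from collections import Counter

# Constructed baseline of known-good request lines: the "what looks right" set.
BASELINE = [
    "GET /index.html HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "GET /api/users/42 HTTP/1.1",
    "GET /api/users/7 HTTP/1.1",
]

# Method, path (without query string), optional query, HTTP/1.0 or 1.1.
REQ_LINE = re.compile(r"^([A-Z]+) (/[^\s?]*)(?:\?[^\s]*)? HTTP/1\.[01]$")


def normalize_path(path):
    # Collapse numeric segments so /api/users/42 and /api/users/7 share one template.
    return re.sub(r"/\d+", "/<n>", path)


def build_profile(lines):
    """Learn the set of (method, path template) pairs seen in known-good traffic."""
    profile = Counter()
    for line in lines:
        m = REQ_LINE.match(line)
        if m:
            profile[(m.group(1), normalize_path(m.group(2)))] += 1
    return profile


def classify(profile, line, max_len=2048):
    """Return 'ok' or an 'anomaly: ...' reason; nothing outside the profile passes."""
    if len(line) > max_len:
        return "anomaly: oversized request line"
    m = REQ_LINE.match(line)
    if m is None:
        # Fail closed: a request the parser cannot understand is never 'normal'.
        return "anomaly: unparseable request line"
    key = (m.group(1), normalize_path(m.group(2)))
    if key not in profile:
        return "anomaly: unseen method/path %s %s" % key
    return "ok"


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for req in ["GET /api/users/99 HTTP/1.1", "DELETE /api/users/1 HTTP/1.1", "\x00\x00garbage"]:
        print(repr(req), "->", classify(prof, req))
```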
