[Discussion] Brainstorming Session Notes

Matt Jonkman jonkman at jonkmans.com
Mon Nov 17 15:59:32 UTC 2008


As most of you know we had our first brainstorming session in Vienna at
Deepsec last Friday. The conference was a great success. Highly
recommend catching it next year.

We had a great turnout for the session. We unfortunately ran long by
choice into lunch and still kept most of the crowd. That was an
encouraging sign! (Sorry to those that ate lunch late :) )

Discussion was very positive. We learned a few things about how to
present this next time, the primary being to get right to the discussion
as there will be a lot of it!

We had a lot of discussion about IP Reputation. That is a very high
priority for most attendees, but a number of pitfalls (statistical
issues) were pointed out. While this is a simple concept overall, the
implementation will have to be studied well. Stefano from U of Milan
made the astute point that a continuous negative feedback is
counterproductive. For example, if an IP is blocked by one site, and
that info is relayed to another site where the same IP is blocked only
by reputation, we have to make sure that second block isn't reported
into the IP's reputation, thus reducing the reputation of the IP without
it actually doing something bad. The reputation info fed back should be
based ONLY on attacks and not replicated blocks.

A lot of discussion went toward getting away from 100% signature-based
detection. We definitely need to focus research there. IP Reputation can
feed into this, but we need to get some significant statistical
minds/research on board to look deeper into anomaly detection. Basic
signature detection + IP reputation + statistical anomaly detection, I
think, will go a very long way here. Does anyone know of some good
statistical modeling papers or researchers? DSpam was mentioned as a
model to consider.

Also brought up was considering preprocessors or some other process that
can do decoding: MIME, gzip, zlib, PE unpacking, etc. That'd definitely
be too slow to do inline, but if it were handed off to a spare thread
and that result used for IP reputation or stream reputation it could be
of great use.

Data flow collection was mentioned. I guess the best way to summarize
would be to be able to output NetFlow-style data. Not too detailed, but
something that other tools could use.

And finally, we were reminded we should keep virtualization in mind.
Specifically making sure we test under load in common virtual
environments, as it's likely in the next few years that sensors
themselves may be VMware virtual boxes. So capture support and full
utilization of CPUs will be critical.

In summary, it was a great session. We're working on getting the next
scheduled, hope to see you there!!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
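
The feedback-loop pitfall Stefano raised above, as an added illustration
that is not part of the original post or of any Emerging Threats code: a
toy reputation aggregator that accepts two kinds of reports, an attack a
sensor observed itself and a block a sensor applied purely because the
shared reputation told it to. A naive aggregator counts both and buries
the IP after one real attack is echoed by every subscriber; the
evidence-only aggregator scores nothing but directly observed attacks.
Counting one vote per reporting site is an extra design choice of this
example, not something the post specifies. The site names, the address
203.0.113.7 and the threshold are constructed for the example.

```python
"""Toy IP-reputation aggregator showing the reputation feedback loop.

Added example; not code from the post or from Emerging Threats.  A report
is either an attack a sensor saw directly, or a block the sensor applied
only because shared reputation said to.  Only the former may lower the
IP's reputation; otherwise one real attack is replayed by every
subscriber and the score keeps falling with no new bad behaviour.
"""
from collections import defaultdict
from dataclasses import dataclass

ATTACK = "attack"        # sensor observed malicious traffic itself
REP_BLOCK = "rep_block"  # sensor blocked only because reputation told it to


@dataclass(frozen=True)
class Report:
    ip: str
    site: str
    kind: str  # ATTACK or REP_BLOCK


class NaiveReputation:
    """Counts every block it hears about: the counterproductive loop."""

    def __init__(self):
        self.hits = defaultdict(int)

    def ingest(self, r):
        self.hits[r.ip] += 1

    def score(self, ip):
        return self.hits[ip]


class EvidenceReputation:
    """Scores an IP only on directly observed attacks, one vote per site.

    The per-site vote is an assumption of this example; it stops a single
    noisy sensor from outvoting everyone else.
    """

    def __init__(self, threshold=2):
        self.seen = defaultdict(set)  # ip -> sites that observed an attack
        self.dropped = 0              # reputation echoes discarded
        self.threshold = threshold

    def ingest(self, r):
        if r.kind != ATTACK:
            self.dropped += 1         # a replicated block is not evidence
            return False
        self.seen[r.ip].add(r.site)
        return True

    def score(self, ip):
        return len(self.seen[ip])

    def should_block(self, ip):
        return self.score(ip) >= self.threshold


def simulate(ip="203.0.113.7", subscribers=("siteB", "siteC", "siteD")):
    """Constructed scenario: one real attack at siteA, after which each
    subscriber blocks the IP by reputation and reports that block back.
    Returns (naive_score, evidence_score) for the IP."""
    naive, good = NaiveReputation(), EvidenceReputation()
    feed = [Report(ip, "siteA", ATTACK)]
    feed += [Report(ip, s, REP_BLOCK) for s in subscribers]
    for r in feed:
        naive.ingest(r)
        good.ingest(r)
    return naive.score(ip), good.score(ip)


if __name__ == "__main__":
    naive_score, evidence_score = simulate()
    print("naive score (counts echoes):", naive_score)
    print("evidence score (attacks only):", evidence_score)
```

Run as-is the naive aggregator reports a score of 4 for one actual
attack, while the evidence-only aggregator reports 1 and does not cross
its block threshold until a second, independent site observes an attack.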
