Botnets - The killer web applications

www.syngress.com
Botnet Detection: Tools and Techniques • Chapter 5
157

appears to test for exploits of which some bots seem particularly fond, such as
the following:

TCP/6129 (Dameware remote administration)
TCP/2745 (Bagle backdoor)
TCP/2967 (SYM06-010 Symantec Corporate Anti-Virus exploit)
445 (MS06-040 Server Service buffer overrun exploit)

The advantage of a generic or anomaly detection service is that it can
sometimes detect a new attack proactively, or at least as soon as it strikes.
However, it has a number of possible disadvantages compared to a threat-specific
detection, such as known attack signatures:

An anomaly could simply be unanticipated rather than malicious.
Either way, the onus is on the operator to determine exactly what is
happening. Extensive resources could be diverted to resolving minor
issues, not to mention the risks of misdiagnosis through human error.

In many cases, anomaly detection is based on a compromise setting
for the threshold at which an anomaly is taken to be potentially malicious.
If the sensor is too sensitive, you could waste resources on
investigating breaches that turn out not to be breaches and that could
outweigh the value of the system as an intrusion control measure. If
the sensor is too relaxed about what it regards as acceptable, malicious
activity introduced gradually into the environment could evade
detection.

Systems that are based on recognizing known attack signatures are less
prone to seeing an attack where none exists (a false positive, or FP) — at least,
they are if they're properly implemented. However, they are more prone to
false negatives. In other words, if an attack signature isn't in the signature
database, the attack won't be recognized as such. In real life, though, this is less
likely to happen if the system uses such supplementary measures as generic
signatures or advanced heuristics; we'll return to this topic in a moment,
when we come to consider virus detection as a close relative to HIDS.
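As an added illustration of the trade-off described above (example code, not from the book), the script below runs a signature detector keyed on the ports listed earlier and a threshold-based anomaly detector over constructed outbound-connection records. The host names, the 8000+ scan ports, the per-minute window and the ground-truth labels are assumptions made for the demo.

```python
"""Added example, not from the book: a toy signature detector and a toy anomaly
detector run over constructed outbound-connection records, to show the
false-positive / false-negative trade-off the chapter describes."""
from collections import defaultdict

# Signature database: the ports the chapter lists as bot favourites.
SIGNATURE_PORTS = {6129: "Dameware", 2745: "Bagle backdoor",
                   2967: "SYM06-010 Symantec AV", 445: "MS06-040 Server Service"}

# Constructed records: (minute, host, destination_port). Assumed ground truth
# for the demo: host-a and host-c are infected, host-b is a busy but clean host.
RECORDS = (
    [(0, "host-a", 2967)]                                # probe of a listed exploit port
    + [(0, "host-b", p) for p in (80, 443, 25, 993)]     # clean host: web + mail burst
    + [(m, "host-c", 8000 + m) for m in range(6)]        # slow scan: one new port per minute
)
INFECTED = {"host-a", "host-c"}


def signature_alerts(records):
    """Flag hosts that connect to any port in the signature database."""
    return {h for _, h, p in records if p in SIGNATURE_PORTS}


def anomaly_alerts(records, threshold, window=1):
    """Flag hosts reaching `threshold` distinct destination ports within any
    `window`-minute bucket. A small window with a low threshold is 'sensitive';
    a high threshold is 'relaxed'; a wide window catches gradual activity."""
    ports = defaultdict(set)
    for m, h, p in records:
        ports[(h, m // window)].add(p)
    return {h for (h, _), ps in ports.items() if len(ps) >= threshold}


def evaluate(alerts):
    """Split alerts into (false positives, false negatives) against ground truth."""
    return alerts - INFECTED, INFECTED - alerts


if __name__ == "__main__":
    print("signature:            FP, FN =", evaluate(signature_alerts(RECORDS)))
    print("anomaly t=2, w=1:     FP, FN =", evaluate(anomaly_alerts(RECORDS, 2)))
    print("anomaly t=5, w=1:     FP, FN =", evaluate(anomaly_alerts(RECORDS, 5)))
    print("anomaly t=5, w=6:     FP, FN =", evaluate(anomaly_alerts(RECORDS, 5, 6)))
    both = signature_alerts(RECORDS) | anomaly_alerts(RECORDS, 5, 6)
    print("signature + anomaly:  FP, FN =", evaluate(both))
```

The signature detector raises no false positive but misses the unlisted slow scan; the sensitive anomaly setting flags the clean burst and still misses the one-port-per-minute scan, while only the wider window catches it. Taking the union of both detectors covers every infected host in this constructed data.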