Hi Gautam: My general feeling towards the reputation system is "It is not a security mechanism" and it should be proven either by me or by someone else in more formal words/way. now let us take the scenario that you posed. each email has a reputaion value associated with it (magically!!) and IDS should scan it based on its reputaion value (in this way, we are anyway defeating the very purpose of having IDS). First thing is " what are parameters to be used in calculating reputaion?" Another thing is: You must be knowing that a virus/worm spread quite randomly (loosly speaking) and many emails infacted by a new virus will be having high reputaion values and therefore, bypass the IDS ( a case of false negative). Let me know if you are not convinced or I have missed something in your views. -sanjay
On Tue, Nov 25, 2008 at 12:14 AM, Gautam Singaraju <[EMAIL PROTECTED]> wrote: > Sanjay, > > FYI: > http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1271716,00.html > > --- > Gautam > > > > On Mon, Nov 24, 2008 at 1:24 PM, Gautam Singaraju > <[EMAIL PROTECTED]> wrote: >> Hi Sanjay, >> >> I have a hearsay that some commercial products are in fact attempting >> this. I understand that inputs from IDSs are being used to 'refine' >> email reputation and vice-versa; though I have not seen any numbers >> that attempt these. >> >> The idea is that: IDSs can monitor connections from those senders >> closely depending on the reputation (reputation 80 to 100: basic >> checks; 50-80 moderate checks; less than 50 extensive checks). The >> number of classes and boundaries could be variable. In comparison, >> blacklist is just "good/bad". >> >> I want to test this theory that email reputation could be useful in >> more mechanisms that just classifying emails. >> --- >> Gautam >> >> >> >> On Mon, Nov 24, 2008 at 1:10 PM, Sanjay R <[EMAIL PROTECTED]> wrote: >>> Hi Gautam, >>> Can you please mention those references that have tried to incorporate >>> email reputation systems into an IDS? To me, it appears that this type >>> of solutions are more close to creating a "black-list" rather than >>> core functionality of IDS i.e detecting an attack (malicious >>> activities). >>> >>> -sanjay >>> >>> On Sun, Nov 23, 2008 at 6:51 AM, Gautam Singaraju >>> <[EMAIL PROTECTED]> wrote: >>>> All, >>>> >>>> I have been working in email reputation system that has computed >>>> sender reputations for over an year. I believe that there are couple >>>> of efforts to incorporate email reputations into IDSs. Is someone in >>>> the group working on this? Are there any IDSs which can be configured >>>> to perform extensive analysis for non-reputable senders? I would be >>>> interested in sharing this data with other researchers in the group. >>>> >>>> --- >>>> Gautam >>>> >>>> ------------------------------------------------------------------------ >>>> Test Your IDS >>>> >>>> Is your IDS deployed correctly? >>>> Find out quickly and easily by testing it >>>> with real-world attacks from CORE IMPACT. >>>> Go to >>>> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw >>>> to learn more. >>>> ------------------------------------------------------------------------ >>>> >>>> >>> >>> >>> >>> -- >>> Computer Security Learner >>> >> > -- Computer Security Learner ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
