Detection Talking Points

It is in the nature of a signature-based system to tell you specifically which attack was used, since signature-based systems only know about specific attacks (I understand that this is a generalization). This attribute of signature-based detection cuts both ways: it is clearly useful for figuring out what to patch, upgrade, or reconfigure, but it also clearly limits the detection range. Anomaly detection has the opposite trade-off: an extended range of detection, but without the granularity of attack and vulnerability classification. We need to extend the range of problem classification that anomaly-based systems can provide in order to increase the actionable value of their detections.

I see two ways to classify anomalies: match the attributes of the anomaly to root causes, or classify the anomaly by the likely severity of the associated attack. Which one you pick depends entirely on your goals. You would want the former if the system only does detection, because ultimately a human needs to fix the problem and needs the appropriate information to do so. You would want the latter, classification by severity, if the system is going to respond, since I think we all understand that automated response needs to be metered fairly precisely, and a good severity classification helps determine a measured response. An automated responder does not care that the attack is the Blah-Blah RPC buffer overflow, but it should care that the attack appears to have succeeded, given an open network connection to a foreign network and program flow that appears to have been redirected to writable memory.
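As an added illustration (not code from the original post) of the second approach, classifying by likely severity to meter an automated response: the anomaly attributes, evidence weights, thresholds and response tiers below are all assumptions, and the sample anomalies at the bottom are constructed. What it shows is that the responder never needs the attack's name; the score is built only from evidence that the attack worked (control flow in writable memory, a live network connection, a spawned shell), and the response escalates with that evidence rather than with the identity of the exploit.

```python
"""Severity-based classification of an anomaly, used to meter an automated
response. Added illustration, not code from the original post; every
attribute name, weight, threshold and response tier is an assumption, and
the sample anomalies under __main__ are constructed."""
from dataclasses import dataclass


@dataclass
class Anomaly:
    """What an anomaly detector observed about one process (assumed schema)."""
    process: str
    control_flow_to_writable_memory: bool = False  # control flow landed in writable (stack/heap) memory
    outbound_connection_foreign: bool = False      # open connection to a foreign network
    outbound_connection_local: bool = False        # open connection to an internal network only
    privileged: bool = False                       # process runs with elevated privileges
    spawned_shell: bool = False                    # process spawned a command interpreter


# Evidence weights (assumptions). Each is a sign that the attack worked,
# not a sign of which attack it was.
WEIGHTS = {
    "control_flow_to_writable_memory": 5,  # program flow redirected: exploitation appears successful
    "spawned_shell": 3,
    "outbound_connection_foreign": 2,
    "outbound_connection_local": 1,
    "privileged": 1,
}

# Response tiers ordered by ascending threshold (assumptions). Each tier is
# more intrusive than the one before it, so a low score cannot trigger a
# disruptive action.
TIERS = [
    (0, "log"),
    (2, "alert"),
    (5, "throttle"),   # rate-limit the process's network traffic
    (8, "isolate"),    # cut the host off the network and kill the process
]


def severity(a: Anomaly) -> int:
    """Sum the weights of the observed attributes, plus a corroboration bonus."""
    score = sum(w for name, w in WEIGHTS.items() if getattr(a, name))
    # Redirected control flow together with an open network connection means
    # an attacker likely has an interactive channel into the process; that
    # combination is worth more than the sum of its parts.
    if a.control_flow_to_writable_memory and (
        a.outbound_connection_foreign or a.outbound_connection_local
    ):
        score += 3
    return score


def metered_response(score: int) -> str:
    """Pick the highest tier whose threshold the score reaches."""
    action = TIERS[0][1]
    for threshold, name in TIERS:
        if score >= threshold:
            action = name
    return action


def plan(a: Anomaly) -> tuple[int, str]:
    """Return (severity score, response action) for one anomaly."""
    s = severity(a)
    return s, metered_response(s)


if __name__ == "__main__":
    # Constructed sample anomalies, not real detections.
    samples = [
        Anomaly("httpd", control_flow_to_writable_memory=True, outbound_connection_foreign=True),
        Anomaly("rpcsvc", control_flow_to_writable_memory=True),
        Anomaly("sshd", privileged=True, spawned_shell=True),
        Anomaly("cron", outbound_connection_local=True),
    ]
    for a in samples:
        s, action = plan(a)
        print(f"{a.process:<8} severity={s:<2} response={action}")
```

The httpd case is the one described in the text: exploitation evidently succeeded and a foreign connection is open, so it lands in the top tier, while the same memory-corruption evidence without a network channel (rpcsvc) only gets throttled. Tuning the weights and thresholds against your own false-positive tolerance is the real work; the structure is what keeps the response proportional.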