Misuse detection

Misuse detection looks for specific, identifiable attacks

• Expert knowledge
  • rules-based ``attack signatures'' == grep

• Example systems
  • ISS RealSecure, NAI CyberCop, NSW Dragon

• Problems
  • cannot detect novel attacks - so IDS vendors now hire hackers (ISS X-Force, Axent SWAT, etc.)
  • extremely brittle in the face of mutating attacks or subterfuge [Pax98]