Working on a global intrusion detection system today, four years after Gartner incorrectly predicted they would no longer be relevant, presents a number of challenges. Most notably, creating an accurate signature for an attack, let alone for an attacker, is a sophisticated and delicate process that requires non-trivial amounts of intelligent (i.e. human) intervention.
I recently spent the better part of a day discussing this with Marty Roesch of Sourcefire/Snort fame. He really gets it.
However, rather than bring up the individual vendors and their issues directly (IDS mud-slinging is so 2003), I would like to put forward an example of a similar practice — tracking graffiti by signature analysis:
“In addition to having a dramatic impact on graffiti, it will have an impact on tracking gangs. I’m excited about it.”
– Los Angeles County Supervisor, Don Knabe
“It’s a way to focus in on those vandals who really are creating a big problem through multiple acts over long periods of time that we haven’t been able to get at, because at best, we only get him on one count.”
– City of Paramount, City Manager Linda Benedetti-Leal
“We are able to track all of the graffiti and specifically the individual taggers, and identify where they were putting up their graffiti.”
– Capt. Todd Rogers of the Los Angeles County Sheriff’s Office, Carson Station
Yes, all of those graffiti-crazed taggers are to be identified by their signatures. Clever approach. Who would have thought you could use painted signatures, or “tags”, to identify people? Yes, I’m being sarcastic.
Now they can be charged with many more incidents than just the one where they are caught in the act. In other words, police can now read tags and identify the source, just like the people who write them. Or are the police hoping to prove the source of a tag (i.e. non-repudiation)? Technology always has that mystical charm, no?
Notable problems with this, let alone the controversy over fingerprint analysis, can be found in the history of other signature analysis:
An example of a paradigm shift in the handwriting world occurred when the writing instrument of choice changed from a nibbed pen (such as a fountain pen) to the ballpoint pen in 1945. Because the ballpoint pen uses highly viscous ink and a non-flexing tip, it produces a writing line with little or no shading (stress). Forensic document examiners in the late 1940s had to adapt their analysis techniques in order to account for the loss of this traditionally important data.
Do different paint cans make an impact on the tag comparison? What about a switch between paint and marker? What about someone tagging over another person’s tag — layers of graffiti or defaced signatures?
More interesting, perhaps, is the case of forgeries. How will a graffiti tracker handle one gang trying to frame another gang? Will individuals forge others’ tags to get them taken off the street, and then simply use randomness (e.g. enlist a group to each paint the same message with their own style) to avoid capture?
The more traditional signature analysis experts raise another issue:
Because of the pattern of fluctuations found in a normal signature, any digital signature that is fraudulently captured or stolen can only be used once. The second usage of a “stolen” signature would prove it is non-genuine since it would be an exact (or near-exact) match to a signature used for an earlier transaction. This is in direct contrast to a stolen fingerprint file which would be expected to be exactly the same on each transaction.
What then with a graffiti perpetrator using a template? If a spray-paint tag is actually exactly the same because it is based on a fixed image, what will the graffiti tracker do to detect the source of the image?
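To make the last three objections concrete (a change of instrument, a forged tag, a fixed template), here is an added toy example of signature analysis on tags. It is not from the post or from any graffiti tracker; the stroke-pressure encoding, the exemplars, the tolerance and the test tags are all constructed for illustration. Its one real rule is the one the handwriting experts state above: a genuine hand fluctuates, so an exact repeat of an earlier sample is evidence of copying rather than of identity.

```python
"""Toy signature analysis for spray-painted "tags" (constructed data, not a real tracker).

Each tag is recorded as a list of stroke pressures for a fixed stroke order, so one
tagger's repeated work has the same length and similar, but never identical, values.
"""
from itertools import combinations

# Constructed exemplars: three tags already attributed to one tagger.
EXEMPLARS = [
    [2, 3, 2, 1, 3, 2, 3, 2],
    [3, 3, 2, 2, 2, 2, 3, 1],
    [2, 2, 3, 2, 3, 3, 2, 2],
]

# Mean absolute pressure difference above which two tags are not treated as the same hand.
# The value is an assumption chosen for this example.
TOLERANCE = 0.75


def distance(a, b):
    """Mean absolute difference in stroke pressure.

    Tags with a different stroke count (a switch from paint to marker, an extra flourish,
    a layer sprayed over someone else's tag) are incomparable and get an infinite distance.
    """
    if len(a) != len(b):
        return float("inf")
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def classify(sample, exemplars=EXEMPLARS, tolerance=TOLERANCE):
    """Attribute a new tag to the tagger behind the exemplars.

    Returns "copied" when the sample is an exact duplicate of a known tag: a real hand
    fluctuates, so an exact repeat points at a stencil or a traced forgery, not a person.
    Returns "attributed" when it is within tolerance of some exemplar, else "unattributed".
    """
    closest = min(distance(sample, e) for e in exemplars)
    if closest == 0:
        return "copied"
    if closest <= tolerance:
        return "attributed"
    return "unattributed"


def is_stencil(samples):
    """True when every pair of samples is identical: a fixed template, so the set
    identifies an image, not the individual(s) who sprayed it."""
    return len(samples) > 1 and all(
        distance(a, b) == 0 for a, b in combinations(samples, 2)
    )


if __name__ == "__main__":
    cases = {
        "genuine, normal fluctuation": [2, 3, 3, 1, 3, 2, 2, 2],
        "exact copy of a known tag": [2, 3, 2, 1, 3, 2, 3, 2],
        "same tag with an extra stroke": [2, 3, 2, 1, 3, 2, 3, 2, 1],
        "forger varying a stolen tag": [2, 3, 2, 2, 3, 2, 3, 1],
    }
    for label, tag in cases.items():
        print(f"{label:32} -> {classify(tag)}")
    print("stencil set -> stencil" if is_stencil([[1, 2, 1, 2]] * 3) else "stencil set -> hand")
```

The fourth case is the uncomfortable one: a forger who copies a tag and then deliberately perturbs it passes the fluctuation test and is attributed to the victim, which is exactly the frame-up scenario. The tracker can flag exact repeats and refuse to compare tags of different structure, but neither rule tells it whether the hand behind a plausible variation is the one it thinks it is. That judgement stays with the analyst.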
Attack detection is not just about picking a stereotype, or a simple image of a “bad” actor, and going on with life. Detection endures as a security practice, far more than prevention does, because it rests on intelligent and adaptive practices that try to make sense of constantly changing patterns and provide measurable results. The testimonials above are hopeful about the future because they take an optimist’s view of detection, the new silver bullet, leading to prevention. In reality, the detection will be complex and will require ongoing intelligence for oversight.
The technology available for signature analysis is still only as capable as the people who manage it. None of these detection systems make any sense as prevention investments without humans, or until artificial intelligence is relevant.
Gartner was foolish to confuse the technology so badly: the skills a cop needs to arrest a felon are entirely different from those an investigator needs to solve a crime. On the other hand, it is important to acknowledge the fact that the author of the Gartner report (Rich Stiennon) now works for a company that sells all-in-one (i.e. confused, complex, master-of-none, or silver-bullet) security boxes.