In a world of encrypted traffic, where is the NIDS?
Last Sunday I read a fascinating paper by Charles Wright on how to deduce the language spoken in a phone conversation from nothing but the encrypted VoIP (Voice-over-IP) traffic it generates. The paper presents a couple of funny conclusions, such as the result that "Hungarian has false positives on speakers of Arabic, Czech, Spanish, Swahili, Tamil, and Vietnamese", languages which do not even share a common root but apparently "look similar" in an encrypted stream. But what really made me think is whether this form of analysis, drawing conclusions from traffic characteristics such as packet sizes alone, is all that will be left for a NIDS (network IDS) to do once everything on the network is wrapped in SSL or encrypted otherwise. It sounds as if we'll soon be back to reading the application and security logs on the servers themselves, because that's where the "observable" portion of an attack is. Of course "reading logs" nowadays is called "host-based intrusion detection with event correlation", but basically it still is: checking the logs. Another area of the security profession that seems destined to circle back to its early years...
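To make concrete what "analysis of an encrypted stream" means here, the following is an added example; it is not code from the original post or from the cited paper. It builds a bigram model over observed packet lengths for two hypothetical languages and scores an unseen stream against each model. The assumptions: a variable-bit-rate codec, so the length of each encrypted RTP payload tracks the size of the encoded speech frame, and the lengths in `TRAINING` are constructed, not captured. Nothing about keys or plaintext is used; the only input is the sequence of packet lengths a passive NIDS could still see.

```python
"""Language guessing from encrypted VoIP packet lengths (added illustration).

Assumption: variable-bit-rate codec, so ciphertext payload length reflects the
encoded frame size. Only packet lengths are observed, never plaintext or keys.
"""
import math
from collections import Counter

# Constructed sample data (hypothetical frame sizes in bytes, not real captures):
# 53 ~ silence/comfort noise, 79/97/115 ~ increasing bit rates for voiced frames.
TRAINING = {
    "lang_A": [
        [53, 53, 79, 97, 79, 97, 79, 97, 53, 53, 79, 97, 79, 97],
        [79, 97, 79, 97, 79, 53, 53, 79, 97, 79, 97, 79, 97, 79],
    ],
    "lang_B": [
        [53, 97, 115, 115, 97, 115, 115, 97, 115, 115, 53, 53, 97, 115],
        [97, 115, 115, 97, 115, 115, 115, 97, 53, 53, 97, 115, 115, 97],
    ],
}


def bigrams(seq):
    """Yield consecutive (previous_length, next_length) pairs."""
    return zip(seq, seq[1:])


class LengthBigramModel:
    """Add-one smoothed bigram model over packet lengths for one language."""

    def __init__(self, label, alphabet):
        self.label = label
        self.alphabet = alphabet          # all lengths seen across all languages
        self.pair_counts = Counter()      # (a, b) -> how often b followed a
        self.context_counts = Counter()   # a -> how often a was followed by anything

    def train(self, streams):
        for stream in streams:
            for a, b in bigrams(stream):
                self.pair_counts[(a, b)] += 1
                self.context_counts[a] += 1

    def log_likelihood(self, seq):
        """Smoothed log P(seq | language); unseen transitions get a small, non-zero mass."""
        vocab = len(self.alphabet)
        total = 0.0
        for a, b in bigrams(seq):
            num = self.pair_counts[(a, b)] + 1
            den = self.context_counts[a] + vocab
            total += math.log(num / den)
        return total


def build_models(training):
    """Train one model per language over a shared alphabet of observed lengths."""
    alphabet = sorted({n for streams in training.values() for s in streams for n in s})
    models = []
    for label, streams in training.items():
        model = LengthBigramModel(label, alphabet)
        model.train(streams)
        models.append(model)
    return models


def classify(models, seq):
    """Return (best_label, {label: log_likelihood}) for an observed length sequence."""
    scores = {m.label: m.log_likelihood(seq) for m in models}
    return max(scores, key=scores.get), scores


MODELS = build_models(TRAINING)

if __name__ == "__main__":
    # Constructed unseen stream: the long 115-byte runs are lang_B's signature.
    observed = [97, 115, 115, 97, 115, 115, 97, 115]
    label, scores = classify(MODELS, observed)
    print(label, {k: round(v, 2) for k, v in scores.items()})
```

The point of the exercise is what it does not need: no decryption, no payload, just the sizes on the wire. That is also the caveat for defenders: this kind of signal is easy to suppress (a constant-bit-rate codec or length padding removes it), so a NIDS that falls back to traffic-shape analysis is working with a channel the other side can close at will.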