
Re: IDS: ids project help needed


Subject: Re: IDS: ids project help needed
From: Marcus J. Ranum (mjrnfr.net)
Date: Fri Jan 21 2000 - 08:59:15 CST


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
---------------------------------------------------------------------------

---

> AFAIK, all neural network implementations are severely flawed and can be
> tricked into being trained to accept malicious traffic as normal.

It's not just that - the other problem with neural nets (and perhaps _all_ the "AI" approaches to ID) is that they can't tell you why they generated an alarm. Imagine if your IDS wakes you at 4:00AM, "something is not right." But it can't tell you the reasoning behind it. Because that information is lost when the neural net is built!

You can somewhat get around this problem by narrowing the focus of the problem space the neural network deals with. Let's say you train the neural net to look at the number of SYN packets to FIN packets and ACK packets on a segment. Now, if it generates an alarm, you know it has something to do with SYN/FIN/ACK ratios but you still don't know what they _mean_. By the time you finish narrowing down the focus of your "AI" systems, what you really have done is built a misuse detection system. Take the previous example: suppose you train the neural net to look at the ratio of SYN/FIN/ACK because you know those are important and there are vulnerabilities there. Your system will not detect previously undiscovered vulnerabilities having to do with ratios of SYN packets to source quenches. Unless you build another detector for that, ad nauseam.

In short, unless we have a working Artificial Intelligence, we're going to have a problem with ID systems that are not misuse detection. That problem is simply that even if the ID system detects something, it will be unable to assign meaning to it. That requires human creative thinking, at present.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
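The SYN/FIN/ACK example in the post above can be made concrete in a few lines. What follows is an added illustration, not code from the original message or from Network Flight Recorder: a toy ratio-based anomaly detector trained on constructed packet-count windows, placed next to a single hand-written misuse rule, so that the difference in what each alarm can say is visible. Everything here (the Window type, the baseline numbers, the 50% tolerance, the 5x SYN-to-FIN rule) is assumed for the illustration. A third window with a spike in ICMP source quench messages shows the blind spot the post describes: neither detector looks at that field, so neither says anything.

```python
"""Contrast a ratio-based anomaly detector with a misuse rule on the same
constructed traffic windows (illustration only, not any real IDS)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Window:
    """Packet counts observed on one segment during one time window (constructed)."""
    syn: int
    fin: int
    ack: int
    source_quench: int = 0  # ICMP source quench count; neither detector looks at it


def ratios(w: Window) -> Tuple[float, float]:
    """Fraction of SYN and of FIN among SYN+FIN+ACK packets in the window."""
    total = w.syn + w.fin + w.ack
    if total == 0:
        return (0.0, 0.0)
    return (w.syn / total, w.fin / total)


class RatioAnomalyDetector:
    """Learns typical SYN/FIN/ACK ratios from a baseline, then flags windows
    that deviate. It can report *that* the ratios are off, never *why*."""

    def __init__(self, baseline: List[Window], tolerance: float = 0.5):
        syn_r, fin_r = zip(*(ratios(w) for w in baseline))
        self.mean_syn = mean(syn_r)
        self.mean_fin = mean(fin_r)
        self.tolerance = tolerance  # relative deviation (assumed) that triggers an alarm

    def check(self, w: Window) -> Optional[str]:
        s, f = ratios(w)
        dev = max(abs(s - self.mean_syn) / self.mean_syn,
                  abs(f - self.mean_fin) / self.mean_fin)
        if dev > self.tolerance:
            return "something is not right (SYN/FIN/ACK ratios deviate from baseline)"
        return None


class MisuseDetector:
    """One hand-written rule; the alarm text carries the analyst's reasoning."""

    def check(self, w: Window) -> Optional[str]:
        # Many more SYNs than FINs means connections are being opened but not closed.
        if w.syn > 5 * max(w.fin, 1):
            return "half-open connection pattern: SYN count exceeds 5x FIN count"
        return None


# Constructed baseline: roughly 1 SYN : 1 FIN : 10 ACK per window.
BASELINE = [Window(10, 9, 100), Window(12, 11, 120), Window(8, 8, 90),
            Window(11, 10, 105), Window(9, 9, 95)]


def evaluate(w: Window, baseline: List[Window] = BASELINE) -> Dict[str, Optional[str]]:
    """Run both detectors on one window and return their verdicts (None = no alarm)."""
    return {"anomaly": RatioAnomalyDetector(baseline).check(w),
            "misuse": MisuseDetector().check(w)}


if __name__ == "__main__":
    samples = {
        "normal": Window(10, 10, 100),
        "syn_heavy": Window(200, 5, 100),
        # Unforeseen pattern: SYN/FIN/ACK look normal, but source quenches spike.
        "quench_storm": Window(10, 10, 100, source_quench=500),
    }
    for name, w in samples.items():
        print(name, evaluate(w))
```

Running it, the SYN-heavy window trips both detectors, but only the misuse rule's alarm explains itself; the normal window trips neither; and the source-quench storm passes both in silence, which is the "build another detector for that, ad nauseam" point. Narrowing the anomaly detector to a handful of named ratios is exactly what makes its alarm partly interpretable, and also what turns it into a misuse detector in all but name.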



This archive was generated by hypermail 2b27 : Fri Jan 21 2000 - 22:48:31 CST