From: Bawcom, Aaron (aaron_bawcom@intrusion.com)
Date: Wed Jun 13 2001 - 22:59:46 CDT

    Archive: http://msgs.securepoint.com/ids
    FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
    FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
    IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
    HELP: Having problems... email questions to ids-owner@uow.edu.au
    NOTE: Remove this section from reply msgs otherwise the msg will bounce.
    SPAM: DO NOT send unsolicited mail to this list.
    UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
    -----------------------------------------------------------------------------
    When an AIM-9J Sidewinder leaves an F-15, the plane does not decide to
    launch the missile, the fighter pilot does. Information systems will
    continue to augment human choices. Like when Sigourney Weaver uses that big
    mechanical heavy lift body machine to fight the Queen in Aliens 2, so will
    information security tools enhance & empower the decision making
    capabilities of the human mind. Algorithms will make more and more "leaf"
    decisions which will continue to build on each other. There has been some
    fantastic research on the subject of tiered statistical analysis systems
    where different algorithms build on each other's strengths. For example:
    immediate chaotic data is grouped into peaks using fuzzy logic. The peaks
    are then parameterized into a neural network to distinguish categories. The
    categorical information is then applied to case based reasoning models which
    then identify extremely high level patterns of behavior based on empirical
    example. All of these smaller decisions are controlled by highly informed
    master choices that are exposed to the user in the most comfortable way
    possible.

    "If an army of graduate students can do it, then Microsoft can do it"

    -----Original Message-----
    From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
    Sent: Wednesday, June 13, 2001 9:25 AM
    To: 'Marcus J. Ranum'; Kohlenberg, Toby; 'Steve Robinson';
    Peter.Watson@sunlife.com; ids@uow.edu.au
    Subject: RE: IDS: RE: RE: IDS Future

    Good explanation, thank you!

    Is it fair to say you don't think it is possible to duplicate the
    anomaly detection capabilities of the analyst, and therefore the
    improvements must be in making the information more available to
    the analyst?
    I can certainly see that, it is the approach I see as having the most
    value today, definitely. I think that puts a different twist on the
    question that was asked-
    What do people think is needed/lacking in the analyst console?
    And, a second question-
    Do people believe that further development will make it more feasible
    to have an IDS be effectively monitored by someone who is not a
    skilled analyst?

    Toby

    > -----Original Message-----
    > From: Marcus J. Ranum [mailto:mjr@nfr.com]
    > Sent: Tuesday, June 12, 2001 11:09 PM
    > To: Kohlenberg, Toby; 'Steve Robinson'; Peter.Watson@sunlife.com;
    > ids@uow.edu.au
    > Subject: Re: IDS: RE: RE: IDS Future
    >
    >
    > Kohlenberg, Toby wrote:
    > >would like to see some
    > >serious attempts at "artificial intelligence"/neural net-type
    > >monitoring of events
    >
    > There _have_ been serious attempts. Lots of serious attempts!
    > Just because they haven't exactly worked, doesn't mean that
    > they weren't serious. ;)
    >
    > Conceptually, there are some problems with the whole concept
    > of using neural net-type applications to do broad-based anomaly
    > detection. You can use them to do pattern detection in the small,
    > where you build small baselines relevant to a particular knowledge
    > bases. But in that case, what you're really building is an expert
    > system with statistical analysis at the leaves of your decision
    > tree - semi cool but not "artificial intelligence."
    > mjr.
    > ---
    > Marcus J. Ranum Chief Technology Officer, NFR Security Inc.
    > Work: http://www.nfr.com
    > Play: http://www.ranum.com
    >
    >
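The two architectural claims in this thread, Aaron's pipeline of small "leaf" decisions feeding higher-level ones and Marcus's "expert system with statistical analysis at the leaves of your decision tree", can be made concrete in a few dozen lines. The Python below is an added example written for this archive page; it is not code from any of the posters, nor from NFR or Intrusion products. The flow records, ports and byte counts are constructed, and the rule set in `leaf_for` is a hypothetical stand-in for a real expert system's knowledge base. It puts a narrow per-leaf baseline beside one broad baseline over all traffic to show why the small, knowledge-base-specific baselines Marcus describes catch what broad-based anomaly detection washes out.

```python
"""Expert-system routing with small statistical baselines at the leaves.

Added example for this archive page (not code from the thread's posters).
All events below are constructed; leaf_for() is a hypothetical rule set.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class Event:
    dst_port: int   # destination port of a flow record
    nbytes: int     # bytes carried by the flow


@dataclass
class Baseline:
    """Narrow statistical model for one leaf: mean and population std of a feature."""
    samples: List[int] = field(default_factory=list)

    def add(self, value: int) -> None:
        self.samples.append(value)

    def zscore(self, value: int) -> float:
        """How many standard deviations `value` sits from this leaf's mean."""
        if len(self.samples) < 2:
            raise ValueError("baseline needs at least two samples")
        mu, sigma = mean(self.samples), pstdev(self.samples)
        if sigma == 0:                       # degenerate leaf: every sample identical
            return 0.0 if value == mu else float("inf")
        return (value - mu) / sigma


def leaf_for(event: Event) -> str:
    """The 'expert system' part: hand-written rules route an event to one leaf.

    Hypothetical rule set; a real deployment encodes its own knowledge base here.
    """
    if event.dst_port == 53:
        return "dns"
    if event.dst_port in (80, 443):
        return "http"
    if event.dst_port == 22:
        return "ssh"
    return "other"


class LeafDetector:
    """Decision tree above, one small baseline per leaf below (Marcus's design)."""

    def __init__(self) -> None:
        self.leaves: Dict[str, Baseline] = {}

    def train(self, events: List[Event]) -> None:
        for ev in events:
            self.leaves.setdefault(leaf_for(ev), Baseline()).add(ev.nbytes)

    def score(self, event: Event) -> Optional[float]:
        """z-score within the event's own leaf; None when that leaf has no baseline."""
        leaf = self.leaves.get(leaf_for(event))
        if leaf is None or len(leaf.samples) < 2:
            return None
        return leaf.zscore(event.nbytes)


class GlobalDetector:
    """One broad baseline over all traffic: the approach Marcus says has not worked."""

    def __init__(self) -> None:
        self.baseline = Baseline()

    def train(self, events: List[Event]) -> None:
        for ev in events:
            self.baseline.add(ev.nbytes)

    def score(self, event: Event) -> float:
        return self.baseline.zscore(event.nbytes)


# Constructed training traffic: typical sizes per service, nothing captured.
TRAINING = (
    [Event(53, b) for b in (60, 70, 80, 90, 100)]              # DNS: small
    + [Event(443, b) for b in (4000, 5000, 6000, 7000, 8000)]  # HTTPS: large
    + [Event(22, b) for b in (300, 400, 500, 600, 700)]        # SSH: medium
)


def compare(event: Event) -> Dict[str, Optional[float]]:
    """Score one event with both designs, each trained on TRAINING."""
    leaf_det, global_det = LeafDetector(), GlobalDetector()
    leaf_det.train(TRAINING)
    global_det.train(TRAINING)
    return {"leaf": leaf_det.score(event), "global": global_det.score(event)}


if __name__ == "__main__":
    # A 4000-byte DNS flow is unremarkable against all traffic (z about 0.6)
    # but far outside the DNS leaf's baseline (z about 277).
    for ev in (Event(53, 4000), Event(443, 6500), Event(8080, 100)):
        print(ev, compare(ev))
```

The `other` leaf returning `None` is deliberate: the tree cannot score traffic its knowledge base does not describe, which is exactly what keeps this an expert system with statistics at the leaves rather than the broad "artificial intelligence" Toby was asking about. An analyst console built on this design would surface the leaf name and its baseline alongside the score, so the human can see which small decision fired and why.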