Firewall Wizards mailing list archives
Re: New firewall paradigms, anyone ?
From: Aleph One <aleph1 () dfw net>
Date: Mon, 1 Dec 1997 11:22:19 -0600 (CST)
On Sat, 29 Nov 1997, Darren Reed wrote:
Hmmm, how about a neural net firewall? Before deployment and after a customer has asked for a model, you plug it in and run it through all the types of data flows it should expect to see and allow through. This should allow it to build up a pretty good knowledge base, so that when it sees something out of the ordinary, it flags it and/or drops it. I'm not sure how much real teaching would be involved or whether weighting of strange things would help. For example, if it has looked at lots of http headers, it'll know that they usually don't have any IP header options or urgent TCP data, so ones which do are "out of the ordinary". Conversely, if you were running something like the old multicast distribution which used source routing, it would have seen lots of packets with source routing options in place but expect them to match its multicast model. And on I could go, just yapping about more stuff on how it would work with a neural net. The key part is the "training", but then, how do you add a new protocol? Send it back to be retrained? Costly, but how effective?
The hard part is selecting WHAT to train them on and HOW those parts relate. The problem is, as always, determining what to look for. A neural net, or statistical analysis, will help you determine what is "normal" behavior and what is "not", but you still need to tell it what its inputs are. But there are just too many things to watch for in all the layers of protocols, making the problem of training such a system intractable unless you have an expert (person or system) to reduce the number of possible permutations.

Personally I find the next level IDS should be a system, possibly written in a symbolic language, that models the state of the network at each protocol level and attempts to detect attacks by using a mix of expert systems, statistical analysis and, maybe, neural networks. It would also act as a distributed system, communicating with other IDS systems such as itself running on host computers and routers within the same domain, comparing their results and sharing information.

There are some rather large issues to deal with before such a system can be built. The system would require huge amounts of memory and CPU power. One should attempt to design the system with data reduction in mind, but also remember that memory and cycles are cheaper every day. Design for tomorrow, not today. As with any such system, a big issue is building the expert system, but at least this area is not really that difficult, just tedious. Trying to recognize new attacks will always be the funnest part. But if the Wheelgroup's report showed us anything, it is that you can leverage the statistical information recorded from a large set of systems to pinpoint new attack trends and isolate them for further study; you can then go back and fine tune your system.
Darren
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
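The "train on normal flows, flag the out-of-the-ordinary" idea from the quoted post, as an added example that is not part of the original thread: a per-service frequency baseline over the header properties Darren names (IP options, TCP urgent data, source routing). Packets are represented as constructed feature dictionaries rather than raw bytes, the port numbers are placeholders, and the "unknown-service" verdict is how the model surfaces the new-protocol problem he raises.

```python
from collections import Counter, defaultdict


def features(pkt):
    # The header properties singled out in the quoted post; a real sensor
    # would parse raw packets into this tuple.
    return (pkt["ip_options"], pkt["tcp_urg"], pkt["source_route"])


class FlowBaseline:
    """Frequency model of header features per destination port, learned from
    traffic the operator vouches for as normal."""

    def __init__(self, min_support=0.01):
        self.counts = defaultdict(Counter)  # port -> Counter of feature tuples
        self.totals = Counter()             # port -> packets seen in training
        self.min_support = min_support      # below this share a combination is "out of the ordinary"

    def train(self, packets):
        for p in packets:
            self.counts[p["dst_port"]][features(p)] += 1
            self.totals[p["dst_port"]] += 1

    def verdict(self, pkt):
        port = pkt["dst_port"]
        if port not in self.totals:
            return "unknown-service"  # never trained on: the "how do you add a new protocol" case
        share = self.counts[port][features(pkt)] / self.totals[port]
        return "normal" if share >= self.min_support else "anomalous"


def pkt(dst_port, ip_options=False, tcp_urg=False, source_route=False):
    # Constructed packet record (hypothetical format, not a real capture).
    return {"dst_port": dst_port, "ip_options": ip_options,
            "tcp_urg": tcp_urg, "source_route": source_route}


def build_demo_baseline():
    # Constructed training set: plain HTTP on 80, plus a legacy multicast feed
    # (placeholder port 6000) that legitimately carries source-routed packets.
    training = [pkt(80) for _ in range(1000)]
    training += [pkt(6000, source_route=True) for _ in range(200)]
    model = FlowBaseline()
    model.train(training)
    return model


if __name__ == "__main__":
    model = build_demo_baseline()
    for p in (pkt(80), pkt(80, tcp_urg=True), pkt(6000, source_route=True), pkt(6000), pkt(25)):
        print(p, "->", model.verdict(p))
```

The same feature seen on two services gets opposite verdicts, which is the point of keying the baseline per service rather than globally.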