IDS mailing list archives
RE: Suggestions
From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 27 May 2004 15:21:08 -0700
Attacks "never seen before" are, by definition, very difficult to know what to look for. Bayesian theorem type of predictive analysis would have a really difficult time trying to figure out not only what is not an attack, but what is an attack. (This kind of predictive analysis takes historical events and produces probabilities based on these historical events... which operates rather closely to how we "predict" "future events", which may be as simple as what to expect when we open our front door or when we push the gas pedal down on the car.) Predictive, statistical analysis is great stuff. But, ultimately, that is exactly what it is... so you have to consider a few things, like your set of data. Watching large corporate traffic would be a good set of data, if you wanted to know what should happen on large corporate traffic. Then, you might, conceivably, say... anything unusual or unknown could then be flagged. And you could hand train it from there. The problem is the hand training of what is normal corporate traffic versus what is abnormal and malicious corporate traffic. At this stage you are talking about the system requiring to make very low level essentially "moral" judgments. Training a system to make low level "moral" judgments would be extremely difficult. People can't even do this well. It is a mathematical issue, in my mind, but I do believe in absolutes defined in relative realms. For instance, someone transferring a file... a password file. That could be "bad" or that could be "good". Depends on who is transferring the file. Then we come back to our privilege based system of security, as we rightly model all of our security models. The problem is, what if the "who" transferring this file "is" the "administrator", but the "administrator" is not really the administrator at all. Then you get down to access privilege systems.

In other words, there are many components of the security model which must be in place in order for an AI system to even be able to make such judgments as to whether the traffic is "good" or "bad". Therefore, it will not really have any kind of set of data to train from... So, this brings you down to the conclusion that you have to first separate proper behavior from improper behavior in a sure way to have the right data in the first place... which brings one, essentially, to the model of the modern honeypot. The honeypot, expecting to receive no legitimate traffic to a certain degree... is able to isolate this negative data and examine it. From this data set you can then build an AI model. Without it -- you have no proper data model... unless you want to train your system to operate like an ordinary corporate desktop. So, you have a honeypot... you have to have controls on the honeypot, watch points. This thinking would naturally lead one into the way of api hooking... an "api ips", we might say. You want to not only be able to hook potentially dangerous api calls... but to ensure the system remains stable and evidence is not lost -- this evidence being your very precious data set. In other words, you need heuristic - rather than signature based - protection on your honeypot. Then, you have the right data set from which to use AI analysis. Pretty simple when you get right down to it.
-----Original Message-----
From: whitty reeve [mailto:whitty () reeve com]
Sent: Wednesday, May 26, 2004 3:21 PM
To: focus-ids () securityfocus com
Subject: Re: Suggestions

Hey, you're going to have to figure out some way of making this AI learn. I suggest a neural net, and when it learns something it connects neurons together. When something is learned, tested, fork that neuron set, and each time you have a new intrusion learned, it will have a much faster reaction time. The problem is, your system will have to connect the 'dots.' This means that at least one system will have to be infected/intruded for it to know that something 'bad' happened, and want to prevent against it next time. I suppose this could be linked to a huge network, so whenever a computer is infected it uploads the new neuron set to some kind of data base, effectively making that kind of intrusion impossible on all machines running this software.

On Tuesday 25 May 2004 12:10, Thiago dos Santos Guzella wrote:
Hi there, I am taking part in a research project on artificial intelligence, and my objective is to create an IDS (possibly hybrid), capable of detecting attacks never seen before (by using some artificial intelligence algorithms). I would like to hear suggestions on which aspects of network traffic should I focus on ... Thanks in advance.
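The point made above about needing a cleanly separated data set, shown as an added example that is not part of this thread or of any project the posters describe. The flows, the (port, size bucket) representation, the smoothed frequency model and the threshold are all constructed for illustration. The same "unusual port, large transfer" pattern is scored twice: once against a baseline built only from normal traffic, and once against a baseline that was captured from a wire that already carried the hostile flows. The second model quietly learns the attack as normal; the honeypot-labelled flows are what let you detect that the baseline has been contaminated.

```python
import math
from collections import Counter

# Constructed sample traffic, not captured data: each flow is (dst_port, size_bucket).
NORMAL_FLOWS = ([(80, "small")] * 40 + [(443, "small")] * 40
                + [(443, "large")] * 10 + [(25, "small")] * 10)
# Constructed flows of the kind a honeypot would isolate: an odd port, large transfers.
HONEYPOT_FLOWS = [(4444, "large")] * 10

# Report a flow above this surprise score. Chosen (for this toy data) so that every
# flow in the clean baseline scores below it; the highest clean score is about 2.26.
THRESHOLD = 3.0


def train_model(flows, alpha=1.0):
    """Additive-smoothed categorical model: P(flow) from how often it was seen.

    One unit of smoothing mass is reserved for flows never seen in training,
    so an unseen flow gets a small but non-zero probability."""
    return {
        "counts": Counter(flows),
        "total": len(flows),
        "alpha": alpha,
        "vocab": len(set(flows)),
    }


def anomaly_score(model, flow):
    """Surprise of a flow under the model: -log P(flow). Higher means more unusual."""
    count = model["counts"].get(flow, 0)
    denom = model["total"] + model["alpha"] * (model["vocab"] + 1)
    return -math.log((count + model["alpha"]) / denom)


def flagged(model, flows, threshold=THRESHOLD):
    """Flows whose surprise exceeds the threshold."""
    return [f for f in flows if anomaly_score(model, f) > threshold]


def baseline_contaminated(model, known_bad, threshold=THRESHOLD):
    """True if the model treats any known-bad (honeypot-observed) flow as normal.

    This is the check the honeypot data set buys you: if traffic you know is
    hostile scores as ordinary, the 'normal' baseline has absorbed it."""
    return any(anomaly_score(model, f) <= threshold for f in known_bad)


if __name__ == "__main__":
    clean = train_model(NORMAL_FLOWS)
    # Baseline built from a capture that already carried the hostile flows.
    contaminated = train_model(NORMAL_FLOWS + HONEYPOT_FLOWS)
    for name, model in (("clean", clean), ("contaminated", contaminated)):
        print(name, "baseline: flagged", len(flagged(model, HONEYPOT_FLOWS)),
              "of", len(HONEYPOT_FLOWS), "hostile flows;",
              "contaminated?", baseline_contaminated(model, HONEYPOT_FLOWS))
```

Run stand-alone, the clean baseline flags all ten hostile flows, while the contaminated baseline flags none of them and `baseline_contaminated` reports True. Only the honeypot's labelled negative data makes that second result visible; from the contaminated model's own point of view, nothing is wrong.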
Current thread:
- Suggestions Thiago dos Santos Guzella (May 26)
- RE: Suggestions Rishi Pande (May 26)
- Re: Suggestions Stefano Zanero (May 26)
- Re: Suggestions whitty reeve (May 27)
- Re: Suggestions Clint Bodungen (May 28)
- Re: Suggestions Rishikesh Pande (May 31)
- <Possible follow-ups>
- RE: Suggestions (infor) urko zurutuza (May 28)
- RE: Suggestions Drew Copley (May 28)
- Re: Re: Suggestions Thiago dos Santos Guzella (May 29)
- Re: Suggestions Rishikesh Pande (May 31)