Honeypots mailing list archives

Re: deploying honeypots...


From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Aug 2005 12:24:51 -0400

On Mon, 22 Aug 2005 15:03:04 +0200, Damiano Bolzoni said:
cyb3rh3b () kecoak or id wrote:

neural network will take an action needed from traffic it read and decide if
that new traffic is dangerous to the system; if so, it will disconnect the
connection (well... it's one of the actions that will be taken).

Well, I think that you're going to re-connect your system often :)
IMHO, using only a neural network to detect intrusion (that is, you want
to recognize an intrusion attempt) will frequently detect false positive
events. Maybe this situation doesn't matter for you.

The part I was wondering about was what he was planning to use as a learning
function - neural networks only make sense if you have feedback telling it if
the previous decision was correct or not.

Also, looking at some random packet, you really can't judge if it's legitimate
traffic or not unless you have some understanding of the protocol.  Now
imagine: You train the neural net by feeding it 5 million random web pages that
contain javascript, and for each page you only give it a hint "Hinky" or "Not
Hinky". Although you can get pretty fast convergence for computer vision if
it's being told "cube", "sphere", or "torus", it's going to take a *long* time
for that net to learn which %90%90 encodings and document.foo references are
hinky and which are legitimate.

And *how* do you recognize a buffer overflow when the protocol spec says some
given ascii string can be 1024 bytes long, the programmer only provides 256
bytes of buffer, and the attacker has crafted an all-ascii exploit string?

Not that it's *impossible* for it to work - but I see some basic innate
difficulties in this approach.
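The buffer-overflow case above, as an added example that is not part of the thread: a protocol-unaware byte heuristic (NOP-sled match plus non-printable ratio) beside a protocol-aware length check, run over constructed request lines. The request format, the 1024-byte spec limit and the 256-byte server buffer are assumptions modelled on the message, not a real protocol.

```python
import re
import string
from typing import Optional, Tuple

# Constructed protocol model (an assumption for this example, not anything
# from the thread): a line-based request "CMD <arg>\r\n" whose spec allows
# <arg> to be up to 1024 printable-ASCII bytes, while a hypothetical server
# copies <arg> into a fixed 256-byte buffer.
SPEC_MAX_ARG_LEN = 1024
IMPL_BUFFER_LEN = 256

NOP_SLED = b"\x90\x90\x90\x90"  # the %90%90 pattern mentioned in the thread

def byte_heuristic_flags(payload: bytes) -> bool:
    """Protocol-unaware detector: looks only at byte statistics.

    Flags a NOP-sled fragment or a payload that is mostly non-printable.
    It has no notion of fields, so it cannot tell 'long' from 'too long'.
    """
    if NOP_SLED in payload:
        return True
    printable = set(string.printable.encode())
    non_printable = sum(1 for b in payload if b not in printable)
    return non_printable / max(len(payload), 1) > 0.3

def parse_request(payload: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Protocol-aware parse of 'CMD <arg>\\r\\n'; None if the line is malformed."""
    m = re.fullmatch(rb"([A-Z]{1,8}) ([ -~]*)\r\n", payload)
    return (m.group(1), m.group(2)) if m else None

def protocol_aware_flags(payload: bytes) -> Optional[str]:
    """Protocol-aware detector: judges the field against both the spec and the
    implementation's buffer, so an all-ASCII overlong argument is still caught."""
    parsed = parse_request(payload)
    if parsed is None:
        return "malformed request"
    _cmd, arg = parsed
    if len(arg) > SPEC_MAX_ARG_LEN:
        return "argument exceeds protocol maximum"
    if len(arg) >= IMPL_BUFFER_LEN:  # >= : a C string also needs its NUL terminator
        return "argument overruns 256-byte implementation buffer"
    return None

# Constructed sample traffic: a benign request, a spec-legal but overlong
# all-ASCII argument, and a binary payload carrying a NOP sled.
BENIGN = b"GET index.html\r\n"
ASCII_OVERLONG = b"GET " + b"A" * 512 + b"\r\n"
BINARY_SLED = b"GET " + b"\x90" * 64 + b"\r\n"
```

The byte heuristic catches the sled but passes the all-ASCII overlong argument; only the protocol-aware check, which knows the field and the buffer it lands in, flags both.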
