Firewall Wizards mailing list archives

Re: New firewall paradigms, anyone ?


From: Aleph One <aleph1 () dfw net>
Date: Mon, 1 Dec 1997 11:22:19 -0600 (CST)

On Sat, 29 Nov 1997, Darren Reed wrote:

Hmmm, how about a neural net firewall ?

Before deployment and after a customer has asked for a model, you plug it in
and run it through all the types of data flows it should expect to see and
allow through.  This should allow it to build up a pretty good knowledge
base, so that when it sees something out of the ordinary, it flags it and/or
drops it.

I'm not sure how much real teaching would be involved or weighting of strange
things would help.  For example, if it has looked at lots of http headers,
it'll know that they usually don't have any IP header options or urgent TCP
data, so ones which do are "out of the ordinary".  Conversely, if you were
running something like the old multicast distribution which used source
routing, it would have seen lots of packets with source routing options
in place, but would expect them to match its multicast model.

and on I could go, just yapping about more stuff on how it would work with
a neural net.  The key part is the "training" but then, how do you add a
new protocol ?  Send it back to be retrained ?  Costly, but how effective ?

The hard part is selecting WHAT to train them on and HOW those parts
relate. The problem is, as always, determining what to look for. A neural
net, or statistical analysis, will help you determine what is "normal"
behavior and what is "not", but you still need to tell it what its inputs
are. But there are just too many things to watch for in all the layers of
protocols, which makes the problem of training such a system intractable unless
you have an expert (person or system) to reduce the number of possible
permutations.

Personally I find the next level IDS should be a system possibly written
in a symbolic language that models the state of the network at each
protocol level and attempts to detect attacks by using a mix of expert
systems, statistical analysis and, maybe, neural networks. It would also
act as a distributed system communicating with other IDS systems such as
itself running on host computers and routers within the same domain,
comparing their results and sharing information.

There are some rather large issues to deal with before such a system can be
built. The system would require huge amounts of memory and CPU power. One
should attempt to design the system with data reduction in mind but also
remember that memory and cycles are cheaper every day. Design for
tomorrow, not today. As with any such system, a big issue is building
the expert system, but at least this area is not really that difficult,
just tedious. Trying to recognize new attacks will always be the most fun
part. But if the Wheelgroup's report showed us anything, it is that you can
leverage the statistical information recorded from a large set of systems
to pinpoint new attack trends and isolate them for further study; you can
then go back and fine tune your system.

Darren


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
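The "learn what normal looks like for each service, then flag the rest" idea discussed above, reduced to a small statistical baseline rather than a neural net. This is an added example, not code from the list or from either poster; the packet records, the three watched flags (ip_options, tcp_urg, source_routed), the per-service keying and the threshold are all constructed assumptions. It mirrors the thread's two points: the operator, not the model, has to choose the inputs, and a service the model was never trained on cannot be scored until it is retrained.

```python
"""Toy per-service anomaly baseline (added example, not the list's code).
Records, feature names and thresholds are constructed for illustration."""
import math
from collections import Counter, defaultdict

# The inputs we choose to watch per packet.  As the thread notes, picking
# these is the expert's job; the model only learns their normal frequencies.
FEATURES = ("ip_options", "tcp_urg", "source_routed")


class ServiceBaseline:
    """Counts how often each feature value occurs for each service
    (proto, dst_port) during training, then scores new records by how
    surprising their feature values are for that service."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha                    # Laplace smoothing pseudo-count
        self.seen = Counter()                 # service -> records trained on
        self.counts = defaultdict(Counter)    # (service, feature) -> value counts

    @staticmethod
    def service(rec):
        return (rec["proto"], rec["dst_port"])

    def train(self, records):
        """Fold a batch of known-good records into the baseline
        (also how a new protocol gets added: train on its traffic)."""
        for rec in records:
            svc = self.service(rec)
            self.seen[svc] += 1
            for f in FEATURES:
                self.counts[(svc, f)][rec[f]] += 1

    def score(self, rec):
        """Return (score, unknown_service).  Score is the summed negative
        log-probability of the feature values given the service, so
        higher means more surprising.  A never-seen service cannot be
        scored at all, which is reported separately from 'anomalous'."""
        svc = self.service(rec)
        n = self.seen[svc]
        if n == 0:
            return float("inf"), True
        total = 0.0
        for f in FEATURES:
            c = self.counts[(svc, f)][rec[f]]
            # boolean feature -> two possible values in the smoothing denominator
            p = (c + self.alpha) / (n + 2 * self.alpha)
            total += -math.log(p)
        return total, False

    def classify(self, rec, threshold):
        score, unknown = self.score(rec)
        if unknown:
            return "unknown-service"
        return "anomalous" if score > threshold else "normal"


def make_records(n, proto, dst_port, **flags):
    """Build n constructed packet records for one service, all flags False
    unless overridden (e.g. source_routed=True for the multicast case)."""
    base = {f: False for f in FEATURES}
    base.update(flags)
    return [dict(base, proto=proto, dst_port=dst_port) for _ in range(n)]


def build_baseline():
    """Constructed training set: plain HTTP, plus a source-routed multicast
    feed in which source routing is the norm rather than the exception."""
    http = make_records(200, "tcp", 80)
    mcast = make_records(50, "udp", 1234, source_routed=True)
    b = ServiceBaseline()
    b.train(http + mcast)
    return b


if __name__ == "__main__":
    b = build_baseline()
    probes = {
        "http, clean":            make_records(1, "tcp", 80)[0],
        "http, IP options set":   make_records(1, "tcp", 80, ip_options=True)[0],
        "mcast, source routed":   make_records(1, "udp", 1234, source_routed=True)[0],
        "mcast, not source routed": make_records(1, "udp", 1234)[0],
        "https, never trained":   make_records(1, "tcp", 443)[0],
    }
    for label, rec in probes.items():
        print(f"{label:28s} -> {b.classify(rec, threshold=3.0)}")
```

The same flag (source routing present) is normal on the multicast service and anomalous on HTTP, because the baseline is keyed per service; and the HTTPS probe comes back as "unknown-service" rather than "anomalous", which is the retraining problem raised in the thread: the operator must feed it a batch of that protocol's traffic before it can say anything about it.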


