IDS mailing list archives

RE: Suggestions


From: "Drew Copley" <dcopley () eeye com>
Date: Thu, 27 May 2004 15:21:08 -0700

Attacks "never seen before" are, by definition, very difficult to know
what to look for. Bayesian theorem type of predictive analysis would have
a really difficult time trying to figure out not only what is not an
attack, but what is an attack. (This kind of predictive analysis takes
historical events and produces probabilities based on these historical
events... which operates rather closely to how we "predict" "future
events", which may be as simple as what to expect when we open our front
door or when we push the gas pedal down on the car.)

Predictive, statistical analysis is great stuff. But, ultimately, that
is exactly what it is... so you have to consider a few things, like your
set of data. Watching large corporate traffic would be a good set of
data, if you wanted to know what should happen on large corporate
traffic. Then, you might, conceivably, say... anything unusual or unknown
could then be flagged. And you could hand train it from there. The
problem is the hand training of what is normal corporate traffic versus
what is abnormal and malicious corporate traffic. At this stage you are
talking about the system requiring to make very low level essentially
"moral" judgments.

Training a system to make low level "moral" judgments would be extremely
difficult. People can't even do this well. It is a mathematical issue,
in my mind, but I do believe in absolutes defined in relative realms. For
instance, someone transferring a file... a password file. That could be
"bad" or that could be "good". Depends on who is transferring the file.
Then we come back to our privilege based system of security, as we
rightly model all of our security models. The problem is, what if the
"who" transferring this file "is" the "administrator", but the
"administrator" is not really the administrator at all. Then you get
down to access privilege systems.

In other words, there are many components of the security model which
must be in place in order for an AI system to even be able to make such
judgments as to whether the traffic is "good" or "bad". Therefore, it
will not really have any kind of set of data to train from...

So, this brings you down to the conclusion that you have to first
separate proper behavior from improper behavior in a sure way to have
the right data in the first place... which brings one, essentially, to
the model of the modern honeypot.

The honeypot, expecting to receive no legitimate traffic to a certain
degree... is able to isolate this negative data and examine it. From
this data set you can then build an AI model. Without it -- you have no
proper data model... unless you want to train your system to operate
like an ordinary corporate desktop.

So, you have a honeypot... you have to have controls on the honeypot,
watch points. This thinking would naturally lead one into the way of api
hooking... an "api ips", we might say. You want to not only be able to
hook potentially dangerous api calls... but to ensure the system remains
stable and evidence is not lost -- this evidence being your very
precious data set.

In other words, you need heuristic - rather than signature based -
protection on your honeypot. Then, you have the right data set from
which to use AI analysis.

Pretty simple when you get right down to it.
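
An added example, not code from the thread or its participants, that turns the post's reasoning into a runnable toy: a naive-Bayes "predictive analysis" trained on constructed records, where the corporate baseline supplies the "normal" label and a honeypot (which expects no legitimate traffic) supplies the "attack" label. It shows the password-file transfer being scored as normal or as an attack purely depending on whether the model is given the "who" (privilege context) feature. The record fields, values and helper names are all constructed for illustration.

```python
# Added example (not from the mailing-list thread). Toy naive-Bayes anomaly
# classifier over constructed connection records, illustrating two points of
# the post: (1) honeypot traffic is the labelled "negative" data such a model
# needs, and (2) a password-file transfer is ambiguous unless the model also
# sees "who" performed it, i.e. privilege context.
from collections import Counter, defaultdict
import math

# Constructed training records: (features, label). "normal" rows stand for the
# corporate baseline; "attack" rows stand for traffic captured on a honeypot,
# where nothing legitimate is expected so every record is labelled attack.
TRAIN = [
    ({"proto": "smb", "file": "passwd", "who": "admin"}, "normal"),
    ({"proto": "smb", "file": "report", "who": "user"}, "normal"),
    ({"proto": "http", "file": "index", "who": "user"}, "normal"),
    ({"proto": "smb", "file": "report", "who": "admin"}, "normal"),
    ({"proto": "smb", "file": "passwd", "who": "unknown"}, "attack"),  # honeypot
    ({"proto": "ssh", "file": "passwd", "who": "unknown"}, "attack"),  # honeypot
    ({"proto": "http", "file": "cmd", "who": "unknown"}, "attack"),    # honeypot
    ({"proto": "smb", "file": "passwd", "who": "unknown"}, "attack"),  # honeypot
]

class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing (hypothetical helper)."""
    def __init__(self, records, features):
        self.features = features
        self.labels = Counter(lbl for _, lbl in records)
        self.total = sum(self.labels.values())
        self.counts = defaultdict(Counter)   # (label, feature) -> value counts
        self.vocab = defaultdict(set)        # feature -> values seen in training
        for feats, lbl in records:
            for f in features:
                self.counts[(lbl, f)][feats[f]] += 1
                self.vocab[f].add(feats[f])

    def posterior(self, feats):
        """Return P(label | feats) for every label, normalised to sum to 1."""
        logp = {}
        for lbl, n in self.labels.items():
            s = math.log(n / self.total)          # class prior from the data
            for f in self.features:
                c = self.counts[(lbl, f)][feats[f]]
                s += math.log((c + 1) / (n + len(self.vocab[f])))
            logp[lbl] = s
        m = max(logp.values())
        z = sum(math.exp(s - m) for s in logp.values())
        return {lbl: math.exp(s - m) / z for lbl, s in logp.items()}

def classify(feats, features=("proto", "file", "who")):
    """Return (most likely label, posterior dict) for one record."""
    post = NaiveBayes(TRAIN, features).posterior(feats)
    return max(post, key=post.get), post
```

Dropping "who" from the feature list makes the very same admin transfer flip from normal to attack, which is the post's point that the privilege model has to exist before the classifier has anything meaningful to learn from.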

-----Original Message-----
From: whitty reeve [mailto:whitty () reeve com] 
Sent: Wednesday, May 26, 2004 3:21 PM
To: focus-ids () securityfocus com
Subject: Re: Suggestions

Hey, you're going to have to figure out some way of making this AI
learn. I suggest a neural net, and when it learns something it connects
neurons together. When something is learned, tested, fork that neuron
set, and each time you have a new intrusion learned, it will have a much
faster reaction time. The problem is, your system will have to connect
the 'dots.' This means that at least one system will have to be
infected/intruded for it to know that something 'bad' happened, and want
to prevent against it next time. I suppose this could be linked to a
huge network, so whenever a computer is infected it uploads the new
neuron set to some kind of database, effectively making that kind of
intrusion impossible on all machines running this software.

On Tuesday 25 May 2004 12:10, Thiago dos Santos Guzella wrote:
Hi there,

I am taking part in a research project on artificial intelligence, and
my objective is to create an IDS (possibly hybrid), capable of detecting
attacks never seen before (by using some artificial intelligence
algorithms). I would like to hear suggestions on which aspects of
network traffic I should focus on ...
Thanks in advance.
