Re: Suggestions

[Rishikesh Pande <rpande () vt edu>]

You may want to look at some of the research done by Matthew Williamson  
at HP labs. They introduced the concept of virus throttling, which does  
not involve any AI logic but still is *proven* to be effective for  
known and unknown threats. Of course, there are ways of flying under  
the radar, but then the effectiveness of the worm will decrease.
Though I personally like the concept of A.I. being used for intrusion  
prediction, I have not seen a good prediction logic yet. Though it may  
simply be the task of putting it all together and coming up with a  
better system by simply borrowing from several different ideas.
Rishi

On May 27, 2004, at 6:33 PM, Clint Bodungen wrote:

> I'm involved in the same sort of project and we're using the idea of a
> product from Q1 Labs called QRadar (www.q1labs.com) as our foundation  
> and
> expanding upon it.  It uses network behavioral/anomaly analysis to  
> determine
> whether or not an attack or worm propagation is immanent.   
> Unfortunately, it
> stops short because it focuses mainly on network traffic trends and  
> only has
> limited packet analysis.  One has to be able to monitor both network
> statistics as well as complete packets and TCP sessions.  The problem  
> with
> this is that it becomes a resource nightmare if you intend to track a  
> large
> amount of TCP sessions for a lengthy amount of time.  A true Hybrid  
> solution
> would work best because you must have a way to determine whether or  
> not the
> anomaly is a known or unknown threat.  Obviously, the known threats  
> will be
> identified by a signature.  Once a signature matches it can be  
> discarded and
> save resources.  Analyzing the new, unknown anomaly is where the AI  
> kicks
> in.  When it detects an anomaly and starts analysis it has to determine
> whether it is in fact malicious activity or something like standard  
> network
> performance issues.  That in itself would almost have to be somewhat
> signature based on the backend somewhere in the AI algorithms wouldn't  
> it?
> Another aspect we are looking at is how to develop the algorithms for
> detecting convoluted attacks such as worms or exploits that use  
> polymorphic
> code.  Any suggestions on that as well?
>
> -Clint
>
>
> ----- Original Message -----
>
> Hi there,
>
> I am taking part in a research project on artificial inteligence, and  
> my
> objective is to create a IDS (possibly hybrid), capable of detecting  
> attacks
> never seeing before (by using some artificial inteligence algorithms).
> I would like to hear suggestions on which aspects of network trafiic  
> should
> I
> focus on ...
> Thanks in advance.
> -- Thiago dos Santos Guzella
> Linux User #354160
> UIN 13465286
>
>
> ----------------------------------------------------------------------- 
> ----
>
> ----------------------------------------------------------------------- 
> ----


---------------------------------------------------------------------------

---------------------------------------------------------------------------