IDS mailing list archives
Re: Suggestions
From: Rishikesh Pande <rpande () vt edu>
Date: Sat, 29 May 2004 10:16:17 -0400
You may want to look at some of the research done by Matthew Williamson at HP labs. They introduced the concept of virus throttling, which does not involve any AI logic but still is *proven* to be effective for known and unknown threats. Of course, there are ways of flying under the radar, but then the effectiveness of the worm will decrease. Though I personally like the concept of A.I. being used for intrusion prediction, I have not seen a good prediction logic yet. Though it may simply be the task of putting it all together and coming up with a better system by simply borrowing from several different ideas.
Rishi

On May 27, 2004, at 6:33 PM, Clint Bodungen wrote:
> I'm involved in the same sort of project and we're using the idea of a product from Q1 Labs called QRadar (www.q1labs.com) as our foundation and expanding upon it. It uses network behavioral/anomaly analysis to determine whether or not an attack or worm propagation is imminent. Unfortunately, it stops short because it focuses mainly on network traffic trends and only has limited packet analysis. One has to be able to monitor both network statistics as well as complete packets and TCP sessions. The problem with this is that it becomes a resource nightmare if you intend to track a large amount of TCP sessions for a lengthy amount of time. A true Hybrid solution would work best because you must have a way to determine whether or not the anomaly is a known or unknown threat. Obviously, the known threats will be identified by a signature. Once a signature matches it can be discarded and save resources. Analyzing the new, unknown anomaly is where the AI kicks in. When it detects an anomaly and starts analysis it has to determine whether it is in fact malicious activity or something like standard network performance issues. That in itself would almost have to be somewhat signature based on the backend somewhere in the AI algorithms, wouldn't it? Another aspect we are looking at is how to develop the algorithms for detecting convoluted attacks such as worms or exploits that use polymorphic code. Any suggestions on that as well?
>
> -Clint
>
> ----- Original Message -----
>
> Hi there,
>
> I am taking part in a research project on artificial intelligence, and my objective is to create an IDS (possibly hybrid), capable of detecting attacks never seen before (by using some artificial intelligence algorithms). I would like to hear suggestions on which aspects of network traffic should I focus on ... Thanks in advance.
> --
> Thiago dos Santos Guzella
> Linux User #354160
> UIN 13465286
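Williamson's virus throttle, which Rishi's reply cites as a non-AI technique that catches both known and unknown worms, works by rate-limiting *new* outbound destinations per host rather than matching signatures. The following is an added illustration, not code from this thread or from HP Labs; the working-set size, drain rate, alert threshold and both traffic traces are constructed assumptions.

```python
"""Simplified model of a per-host virus throttle. Connections to recently
contacted hosts pass at once; connections to new hosts wait in a delay
queue that is drained at a fixed rate, and a long queue raises an alert.
Constants and traces are assumptions for the demonstration."""
from collections import deque

WORKING_SET_SIZE = 5   # recently contacted hosts allowed without delay
DRAIN_RATE = 1         # queued new destinations released per tick
ALERT_QUEUE_LEN = 10   # queue length at which the host is flagged


class VirusThrottle:
    def __init__(self):
        # maxlen gives LRU eviction: the oldest destination is dropped
        self.working_set = deque(maxlen=WORKING_SET_SIZE)
        self.delay_queue = deque()
        self.alerts = []   # (tick, queue length) of the first alert

    def request(self, tick, dst):
        """Handle one connection request to dst; return 'pass' or 'queued'."""
        if dst in self.working_set:
            return "pass"
        if dst not in self.delay_queue:      # repeat requests do not grow the queue
            self.delay_queue.append(dst)
            if len(self.delay_queue) >= ALERT_QUEUE_LEN and not self.alerts:
                self.alerts.append((tick, len(self.delay_queue)))
        return "queued"

    def tick(self):
        """Once per time unit: release DRAIN_RATE queued destinations."""
        for _ in range(DRAIN_RATE):
            if self.delay_queue:
                self.working_set.append(self.delay_queue.popleft())


def simulate(events, duration):
    """Run (tick, dst) events through a throttle; return the alert tick or None."""
    throttle, by_tick = VirusThrottle(), {}
    for tick, dst in events:
        by_tick.setdefault(tick, []).append(dst)
    for tick in range(duration):
        for dst in by_tick.get(tick, []):
            throttle.request(tick, dst)
        throttle.tick()
    return throttle.alerts[0][0] if throttle.alerts else None


# Constructed traces: a user host revisiting 3 servers, and a scanning host
# that opens 4 never-seen destinations every tick (3 more than the drain rate).
NORMAL = [(t, f"10.0.0.{1 + t % 3}") for t in range(30)]
SCANNER = [(t, f"192.0.2.{4 * t + n}") for t in range(10) for n in range(4)]
```

Running `simulate(NORMAL, 30)` never alerts because the three servers enter the working set and pass, while `simulate(SCANNER, 10)` alerts on tick 2 once the backlog of unseen destinations reaches the threshold.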