Honeypots mailing list archives
Re: deploying honeypots...
From: Valdis.Kletnieks () vt edu
Date: Tue, 23 Aug 2005 14:26:31 -0400
On Tue, 23 Aug 2005 16:31:18 +0200, Damiano Bolzoni said:
> Valdis.Kletnieks () vt edu wrote:
> > The part I was wondering about was what he was planning to use as a learning function - neural networks only make sense if you have feedback telling it if the previous decision was correct or not.
>
> What about unsupervised learning?
You need *some* sort of feedback telling it how its performance is. Just hooking the feedback function to '0', '1' or 'rnd(x)' isn't going to produce very good learning. A neural net driving (for instance) a robot arm that needs to grasp and lift something has a very good feedback function - if it tries to lift and gets a "claw empty" sensor reading, it knows it dropped the object. If it lifts and the claw is grasping something, it knows it succeeded. Even without further supervision, that arm will eventually learn. But lacking either supervision or a sane feedback function, no good can come from it.
> > And *how* do you recognize a buffer overflow when the protocol spec says some given ascii string can be 1024 bytes long, the programmer only provides 256 bytes of buffer, and the attacker has crafted an all-ascii exploit string?
>
> I don't want to start a flame but... how much do you know about neural networks used for intrusion detection purposes?
That example was to show that you can't even feed it the protocol specs and a rule that says "Malformed packets are bad", because you can have a well-formed packet that's malicious because it takes advantage of a misimplementation of the specification. Your best bet is probably to build up a test set of several hundred gigabytes of "good" production traffic (which will inevitably be site-dependent) - a reasonably good method for that would be "snarf all traffic that does *not* have a Snort signature" (otherwise if your production net happens to have a Blaster or Nachi still active, the net will learn it as "normal"). And even then, as you correctly noted earlier, the best it can do is flag things as "unusual" or "suspicious". Being able to flag "malicious" requires that it be able to discern the motives and intentions of the sending entity.
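As an added illustration of the two points in this reply (example code written for this archive page, not anything from the thread's authors): a spec-conformance check passes an all-ASCII 300-byte field that overruns the 256-byte buffer, a length baseline built from signature-free traffic flags that field only as "unusual", and the same baseline built without the signature filter learns the worm-sized field as normal. The field lengths, the WORM-MARKER string standing in for a Snort rule, and the 1024/256 figures from the thread are constructed assumptions.

```python
import statistics

SPEC_MAX_LEN = 1024   # length the protocol spec permits (figure from the thread)
IMPL_BUFFER = 256     # what the programmer actually allocated (figure from the thread)

# Hypothetical stand-in for a Snort rule: any field containing this marker is known-bad.
SIGNATURES = [b"WORM-MARKER"]

# Constructed "production" traffic: eight ordinary fields plus one worm-sized field.
PRODUCTION = [b"A" * n for n in (24, 30, 28, 35, 40, 22, 31, 27)]
PRODUCTION.append(b"WORM-MARKER" + b"A" * 497)   # 508 bytes, still spec-conformant


def spec_conformant(field: bytes) -> bool:
    """Everything the spec lets you check: printable ASCII, at most 1024 bytes."""
    return len(field) <= SPEC_MAX_LEN and all(0x20 <= b < 0x7F for b in field)


def overflows_implementation(field: bytes) -> bool:
    """The defect the spec cannot see: a conformant field larger than the real buffer."""
    return len(field) > IMPL_BUFFER


def matches_signature(field: bytes, signatures) -> bool:
    """Signature step from the reply: does any known-bad pattern occur in the field?"""
    return any(sig in field for sig in signatures)


def build_baseline(traffic, signatures):
    """Mean and stdev of field length over traffic with no signature hit ('normal')."""
    lengths = [len(f) for f in traffic if not matches_signature(f, signatures)]
    return statistics.fmean(lengths), statistics.pstdev(lengths)


def classify(field: bytes, baseline, threshold=3.0) -> str:
    """Only 'unusual' or 'usual' can come out of this; nothing here can say 'malicious'."""
    mean, stdev = baseline
    z = (len(field) - mean) / stdev if stdev else 0.0
    return "unusual" if z > threshold else "usual"


if __name__ == "__main__":
    probe = b"A" * 300          # well-formed, all-ASCII, yet over the 256-byte buffer
    filtered = build_baseline(PRODUCTION, SIGNATURES)
    unfiltered = build_baseline(PRODUCTION, [])
    print(spec_conformant(probe), overflows_implementation(probe))   # True True
    print(classify(probe, filtered), classify(probe, unfiltered))    # unusual usual
```

With the worm field left in the training set, the baseline's spread grows so much that the 300-byte probe sits well inside three standard deviations, which is the "learns it as normal" failure the reply warns about.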