This is in response to Justin Lister's posting asking whether folks have used other methods, such as Dempster-Shafer, for intrusion detection. At SRI we had a small internally funded research project to investigate the use of model-based reasoning for intrusion detection (the paper was published at the National Computer Security Conference a couple of years ago; when I get organized (I just moved) I will be happy to email or mail you a copy of the paper if you send me your address). In this study, we considered implementing the model-based intrusion detection using an AI tool developed at SRI that uses Dempster-Shafer reasoning. The tool is called Gister (TM) and is available from SRI for relatively low cost. The tool has a nice graphical interface and would allow for easy specification of various intrusion "models" or components thereof. To do this, no new technology development is necessary, although some engineering and coding would be necessary to integrate this into an existing intrusion detection framework (such as SRI's NIDES).

We conducted a series of meetings with folks from the security and law enforcement communities to try to elicit "models" of intrusion that could be represented and reasoned about in such a framework. We wanted to work top-down, starting with motivations (fun and games, showing off, profit, fraud, revenge, industrial espionage, political/ideological, foreign espionage, etc.), which would be system-independent, and work down from there, elaborating on specific scenarios and eventually on how these would show up in the audit trails (these lower-level detailed elaborations would necessarily be system-dependent).
We basically concluded that for most scenarios (e.g., fraud, theft) we could not come up with a generic model (the models would be several, and specific to the type of crime, type of system, type of establishment, etc.), and also for most scenarios there was not the wealth of detail and statistically meaningful number of samples that would be needed to elaborate these high-level or mid-level scenarios with confidence. What we CAN elaborate with some degree of confidence is the type of low-level scenario that most intrusion-detection systems are already embodying in their rulebases or attack signatures. Thus, there is really nothing new to be gained here (in my opinion). The situation is even worse with Bayesian approaches, because more detailed statistical information is needed and MUST be supplied even when you are only guessing with little confidence (e.g., 28% of the time when a user does "who" it is an intruder). Gister (and the Dempster-Shafer approach) allows you to supply ranges of probabilities, which can be very broad when you are in ignorance of the numbers. Guessing the conditional probabilities in a Bayesian approach will lead to erroneous results. With D-S you can indicate where you are ignorant, and the answer will reflect that in a degree of confidence. However, if you are ignorant of too many things, you will still get meaningless results (but at least you will be TOLD the results are meaningless!). In intrusion detection, I believe that we simply don't have the numbers to build these models with any confidence.

Teresa
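The point above about Dempster-Shafer letting you state ignorance, and the result telling you when it is too ignorant to mean anything, can be seen in a few lines of code. The following is an added example written for this page; it is not code from the posting, from Gister, or from SRI, and it says nothing about how Gister actually works internally. It implements Dempster's rule of combination over a two-element frame (intruder / legitimate user), computes the belief-plausibility interval for "intruder", and flags the answer when that interval is too wide to act on. The three pieces of evidence, their mass values and the width threshold are constructed for illustration only.

```python
from fractions import Fraction
from itertools import product

# Frame of discernment (constructed for this example): a session belongs
# either to an intruder or to a legitimate user.
INTRUDER, LEGIT = "intruder", "legitimate"
THETA = frozenset({INTRUDER, LEGIT})   # mass placed here means "don't know"
INTR = frozenset({INTRUDER})
LEG = frozenset({LEGIT})


def combine(m1, m2):
    """Dempster's rule: intersect focal sets, discard conflict, renormalise.

    Returns (combined mass function, conflict K). Mass on THETA is
    ignorance: it never conflicts with anything and only shrinks when a
    source commits mass to a strict subset of the frame.
    """
    combined = {}
    conflict = Fraction(0)
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            combined[a] = combined.get(a, Fraction(0)) + mb * mc
        else:
            conflict += mb * mc
    if conflict == 1:
        raise ValueError("total conflict: sources cannot be combined")
    return {a: v / (1 - conflict) for a, v in combined.items()}, conflict


def belief(m, a):
    """Bel(A): mass that definitely supports A (focal sets inside A)."""
    return sum((v for b, v in m.items() if b <= a), Fraction(0))


def plausibility(m, a):
    """Pl(A): mass that does not rule A out (focal sets overlapping A)."""
    return sum((v for b, v in m.items() if b & a), Fraction(0))


def assess(m, a=INTR, max_width=Fraction(1, 3)):
    """Return (Bel, Pl, status) for hypothesis a.

    Pl - Bel is the residual ignorance; a Bayesian point estimate would
    hide it. The width threshold is an assumption made for this example.
    """
    bel, pl = belief(m, a), plausibility(m, a)
    status = "too ignorant to decide" if pl - bel > max_width else "decidable"
    return bel, pl, status


def combine_all(*masses):
    """Fold Dempster's rule over several independent sources."""
    m = masses[0]
    for other in masses[1:]:
        m, _ = combine(m, other)
    return m


# Constructed evidence. An analyst who only knows that a "who" command is
# weakly suspicious need not invent P(intruder | who): the unknown 4/5 is
# simply left on THETA.
WHO_COMMAND = {INTR: Fraction(1, 5), THETA: Fraction(4, 5)}
FAILED_LOGINS_NEW_HOST = {INTR: Fraction(3, 5), THETA: Fraction(2, 5)}
KNOWN_ADMIN_WINDOW = {LEG: Fraction(1, 2), THETA: Fraction(1, 2)}  # exculpatory


if __name__ == "__main__":
    cases = [
        ("who alone", [WHO_COMMAND]),
        ("who + failed logins", [WHO_COMMAND, FAILED_LOGINS_NEW_HOST]),
        ("who + failed logins + admin window",
         [WHO_COMMAND, FAILED_LOGINS_NEW_HOST, KNOWN_ADMIN_WINDOW]),
    ]
    for label, evidence in cases:
        bel, pl, status = assess(combine_all(*evidence))
        print(f"{label}: Bel={float(bel):.3f} Pl={float(pl):.3f} -> {status}")
```

With only the "who" observation the interval for "intruder" is [0.2, 1.0], and the report says so rather than returning a single confident number; adding the failed-login evidence narrows it to [0.68, 1.0], and the conflicting admin-window evidence pulls it to about [0.52, 0.76] after renormalising away the conflict. Total conflict (one source says "intruder" with certainty, another "legitimate" with certainty) is rejected rather than silently normalised.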