Re: RFC- Enforcing Computer Policy

tlunt@ARPA.MIL
Sat, 13 Aug 1994 16:54:16 -0400 (EDT)

This is in response to Justin Lister's posting asking whether folks have used
other methods, such as Dempster/Shafer, for intrusion detection.

At SRI we had a small internally funded research project to investigate the
use of model-based reasoning for intrusion detection (the paper was published
at the National Computer Security Conference a couple of years ago; when I get
organized (I just moved) I will be happy to email or mail you a copy of the
paper if you send me your address).  In this study, we considered implementing
the model-based intrusion detection using an AI tool developed at SRI that
uses Dempster/Shafer reasoning.  The tool is called Gister (TM) and is
available from SRI for relatively low cost.  The tool has a nice graphical
interface and would allow for easy specification of various intrusion "models"
or components thereof.  To do this, no new technology development is
necessary, although some engineering and coding would be necessary to
integrate this into an existing intrusion detection framework (such as SRI's
NIDES).  We conducted a series of meetings with folks from the security and
law enforcement communities to try to elicit "models" of intrusion that could
be represented and reasoned about in such a framework.  We wanted to work top
down, starting with motivations (fun and games, showing off, profit, fraud,
revenge, industrial espionage, political/ideological, foreign espionage,
etc.), which would be system-independent, and work down from there,
elaborating on specific scenarios and eventually on how these would show up
in the audit trails (these lower-level detailed elaborations would
necessarily be system-dependent).  We basically concluded that for most
scenarios (e.g., fraud, theft) we could not come up with a generic model (the
models would be several, and specific to the type of crime, type of system,
type of establishment, etc.), and also for most scenarios there was not the
wealth of detail and statistically meaningful number of samples that would be
needed to elaborate with confidence these high-level or mid-level scenarios.
What we CAN elaborate with some degree of confidence is the type of low-level
scenario that most intrusion-detection systems are already embodying in their
rulebases or attack signatures.  Thus, there is really nothing new to be
gained here (in my opinion).

The situation is even worse with Bayesian approaches, because more detailed
statistical information is needed and MUST be supplied even when you are only
guessing with little confidence (e.g., 28% of the time when a user does "who"
it is an intruder).  Gister (and the Dempster/Shafer approach) allows you
to supply ranges of probabilities, which can be very broad when you are in
ignorance of the numbers.  Guessing the conditional probabilities in a
Bayesian approach will lead to erroneous results.  With D/S you can indicate
where you are ignorant, and the answer will reflect that in a degree of
confidence.  However, if you are ignorant of too many things, you will still
get meaningless results (but at least you will be TOLD the results are
meaningless!).  In intrusion detection, I believe that we simply don't have
the numbers to build these models with any confidence.

Teresa
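The Dempster/Shafer behaviour described in the posting (mass left on the whole frame records ignorance, the belief/plausibility interval reports how much of it survives the combination, and a point-estimate Bayesian update cannot say that it was only guessing) as an added worked example. This is illustrative Python written for this page, not code from the posting, from Gister or from NIDES; the two-element frame, the mass functions attached to audit observations, the 28%/25% likelihoods and the ignorance threshold in `verdict` are all constructed assumptions.

```python
"""Dempster-Shafer evidence combination over the frame {intruder, legit}.

Hypothetical example, not from the original posting.  Each audit observation
becomes a mass function; any mass not committed to a hypothesis is placed on
the whole frame THETA, which is explicit ignorance.  After combination the
interval [Bel(intruder), Pl(intruder)] shows how much ignorance remains.
"""
from itertools import product

INTRUDER = frozenset({"intruder"})
LEGIT = frozenset({"legit"})
THETA = INTRUDER | LEGIT  # the whole frame: "we do not know"


def mass(intruder=0.0, legit=0.0):
    """Build a mass function; whatever is not assigned goes to THETA."""
    rest = 1.0 - intruder - legit
    if rest < -1e-9:
        raise ValueError("masses exceed 1")
    m = {}
    if intruder > 0:
        m[INTRUDER] = intruder
    if legit > 0:
        m[LEGIT] = legit
    if rest > 1e-9:
        m[THETA] = rest
    return m


def combine(m1, m2):
    """Dempster's rule: m(A) = sum over B&C==A of m1(B)*m2(C), divided by 1-K,
    where K is the mass that landed on the empty set (conflict)."""
    out, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if not a:
            conflict += mb * mc
        else:
            out[a] = out.get(a, 0.0) + mb * mc
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sources are totally contradictory")
    return {a: v / (1.0 - conflict) for a, v in out.items()}


def belief(m, hyp):
    """Bel(H): mass on subsets of H, i.e. evidence that supports H outright."""
    return sum(v for a, v in m.items() if a <= hyp)


def plausibility(m, hyp):
    """Pl(H): mass on sets intersecting H, i.e. evidence not ruling H out."""
    return sum(v for a, v in m.items() if a & hyp)


def assess(observations):
    """Fold observations together from total ignorance; report the interval."""
    m = {THETA: 1.0}
    for obs in observations:
        m = combine(m, obs)
    bel, pl = belief(m, INTRUDER), plausibility(m, INTRUDER)
    return {"bel": bel, "pl": pl, "ignorance": pl - bel}


def verdict(result, max_ignorance=0.3, threshold=0.5):
    """Refuse to conclude when the interval is too wide (constructed cut-offs)."""
    if result["ignorance"] > max_ignorance:
        return "inconclusive"
    return "intruder" if result["bel"] >= threshold else "legit"


def bayes_point_estimate(prior, p_obs_given_intruder, p_obs_given_legit):
    """Bayesian update with guessed conditionals: a single number comes out and
    nothing in it records that the conditionals were guesses."""
    num = prior * p_obs_given_intruder
    return num / (num + (1.0 - prior) * p_obs_given_legit)


# Constructed analyst guesses for three audit observations, not measured data.
WHO_COMMAND = mass(intruder=0.2)      # weak hint; 0.8 stays as ignorance
ODD_HOUR_LOGIN = mass(intruder=0.3)
KNOWN_ADMIN_HOST = mass(legit=0.5)    # contradicting evidence

if __name__ == "__main__":
    r = assess([WHO_COMMAND, ODD_HOUR_LOGIN])
    print("two weak hints:", r, verdict(r))
    r = assess([WHO_COMMAND, ODD_HOUR_LOGIN, KNOWN_ADMIN_HOST])
    print("plus conflicting source:", r, verdict(r))
    print("vacuous source only:", assess([mass()]))
    print("bayes with guessed 28%/25%:", bayes_point_estimate(0.01, 0.28, 0.25))
```

Two weak hints that each leave most of their mass on THETA combine to Bel = 0.44, Pl = 1.0: an intruder is neither established nor excluded, and `verdict` reports "inconclusive" instead of a score. A purely vacuous source (`mass()`) leaves the interval at [0, 1], which is the "you will be TOLD the results are meaningless" case. The Bayesian helper returns one posterior for the same guessed inputs with no trace of the guessing.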