In message <199602211956.VAA01488@central.ntua.gr>, giorgos adamopoulos writes:
>
>Would you like to have a Prolog-like based rule system that would do
>intrusion detection? I think CLIPS could be a choice if one would
>like to implement such a system. (This is just asking your opinion on
>the Prolog style of programming).

Hi all,

I've been lurking on the list for a while, but this question prompted my
response. I am curious about experiences people have had with expert-system
or rule-based IDS.

My reasoning is this: an expert system by definition needs an "expert" to
build it. Installing crack and COPS doesn't make you a security expert, so
where do you find this expertise? If a new intrusion is detected, do you have
to wait for an "expert" to supply you with new rules, or can you
"roll-your-own" rules tailored to your particular site and configuration?

Secondly, can a rule-based system capture all the nuances necessary to detect
intrusions? A complete rule-based system would have to encode duration,
sequence and partial ordering over indefinite periods of time. Is there a
system out there that can provide this flexibility and still have a
reasonably useful interface?

Many thanks,

Mark.

>giorgos adamopoulos (el90118@central.ntua.gr)

--------------------------------------------------------------------
Mark Crosbie                             mcrosbie@cs.purdue.edu
COAST Archive Maintainer                 security-archive@cs.purdue.edu
COAST Group                              Tel: (317) 494-9313
Dept. of Computer Sciences               Fax: (317) 494-0739
1398 Computer Sciences Building, Purdue University
West Lafayette, IN 47907-1398, USA
URL: http://www.cs.purdue.edu/people/mcrosbie (PGP key available here)
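The three properties Mark asks about (duration, sequence and partial ordering) are the hard part of any rule-based detector, and it helps to see them in code. The engine below is an added illustration, not something from the thread or from CLIPS/COAST: each rule is a sequence of steps that must match in order within a time window, and the predicates inside one step may match in any order. The event stream, the two rules and the field names (`host`, `user`, `kind`) are constructed for the demo, and partial matches are keyed per (host, user) as a simplifying assumption.

```python
"""Minimal temporal rule engine: sequence + duration + partial ordering.

Added example (not from the mailing-list thread); events are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (constructed timestamps)
    host: str
    user: str
    kind: str      # e.g. "login_fail", "login_ok", "su_root", "modify_passwd"


Predicate = Callable[[Event], bool]


def kind_is(kind: str) -> Predicate:
    return lambda ev: ev.kind == kind


@dataclass
class Step:
    # Predicates in one step may be satisfied in ANY order (partial ordering);
    # the step completes once every predicate has matched some event.
    preds: List[Predicate]


@dataclass
class Rule:
    name: str
    steps: List[Step]   # steps must complete in this SEQUENCE
    window: float       # DURATION: max seconds from first to last matched event


@dataclass
class _Partial:
    start: float
    step_idx: int = 0
    remaining: List[int] = field(default_factory=list)  # unmatched preds in step
    matched: List[Event] = field(default_factory=list)


class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # partial matches per (rule name, (host, user)) -- keying is an assumption
        self._state: Dict[Tuple[str, Tuple[str, str]], List[_Partial]] = {}

    @staticmethod
    def _advance(rule: Rule, p: _Partial, ev: Event) -> bool:
        """Try to consume ev in the partial's current step; True if consumed."""
        step = rule.steps[p.step_idx]
        for i in p.remaining:
            if step.preds[i](ev):
                p.remaining.remove(i)
                p.matched.append(ev)
                if not p.remaining:                     # step complete -> next step
                    p.step_idx += 1
                    if p.step_idx < len(rule.steps):
                        p.remaining = list(range(len(rule.steps[p.step_idx].preds)))
                return True
        return False

    def feed(self, ev: Event) -> List[str]:
        alerts: List[str] = []
        key = (ev.host, ev.user)
        for rule in self.rules:
            partials = self._state.setdefault((rule.name, key), [])
            # duration: discard partial matches whose window has elapsed
            partials[:] = [p for p in partials if ev.ts - p.start <= rule.window]
            fresh = _Partial(start=ev.ts,
                             remaining=list(range(len(rule.steps[0].preds))))
            for p in partials + [fresh]:
                if not self._advance(rule, p, ev):
                    continue
                if p.step_idx == len(rule.steps):       # every step satisfied
                    self._state[(rule.name, key)] = [q for q in partials if q is not p]
                    alerts.append(f"{rule.name}: {ev.host}/{ev.user} "
                                  f"t={p.start:.0f}..{ev.ts:.0f}")
                elif p is fresh:                        # event started a new match
                    partials.append(p)
                break                                   # each event consumed once
        return alerts


RULES = [
    Rule("bruteforce-then-success",
         [Step([kind_is("login_fail")] * 3), Step([kind_is("login_ok")])], window=300),
    Rule("root-then-account-tamper",
         [Step([kind_is("su_root")]),
          Step([kind_is("modify_passwd"), kind_is("modify_shadow")])], window=600),
]

# Constructed audit stream: alice's failures are too old when she logs in (window
# expired); bob trips both rules, the second with its tamper events out of order.
EVENTS = [
    Event(0, "h1", "alice", "login_fail"), Event(10, "h1", "alice", "login_fail"),
    Event(20, "h1", "alice", "login_fail"),
    Event(100, "h1", "bob", "login_fail"), Event(110, "h1", "bob", "login_fail"),
    Event(115, "h1", "bob", "login_fail"), Event(120, "h1", "bob", "login_ok"),
    Event(500, "h1", "bob", "su_root"), Event(520, "h1", "bob", "modify_shadow"),
    Event(530, "h1", "bob", "modify_passwd"),
    Event(900, "h1", "alice", "login_ok"),
]


def run_demo(events: List[Event] = EVENTS) -> List[str]:
    engine = Engine(RULES)
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(engine.feed(ev))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Rules are plain data here, so a site can write its own rather than wait for an outside "expert"; the price is that state per (host, user) grows with every partial match, which is why the window check runs on every event.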