Re: IDS: Simply a Question "?"

Ted Doty (ted@iss.net)
Thu, 26 Feb 1998 09:22:12 -0500

----------------------------------------------------------------------------
At 02:04 PM 2/26/98 +330, M.B., Ghaznavi-Ghoushchi wrote:

>Can anyone tell me about the interrelation of Neural Nets and IDS ?

There seem to be two basic technologies used to build IDS: attack signature
recognition and learning based IDS.  Attack signature recognition defines
explicit patterns as "bad", e.g. DNS updates containing IP addresses longer
than 4 octets (a DNS address length overflow attack).  Learning based
technology uses deviation from a norm to suggest malicious activity (the
rules define how much deviation is "bad").

Each technology has its strengths and weaknesses.  Attack signature IDS
will not trigger on an attack that is not a priori defined to the system;
learning systems require the establishment of a norm to test against, and
tend to have high levels of false positive reports (see the NIDES report).

Neural Nets are one way to build a learning based IDS.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
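As an added illustration of the two IDS families Ted describes (not part of the original post or of any ISS product), the following Python sketch puts a signature rule beside a learning-based rule. The signature side parses a hand-built DNS answer section and fires on an A record whose RDATA exceeds 4 octets; the anomaly side learns a per-minute query-count baseline and flags observations more than a chosen number of standard deviations away. The resource-record layout (a 2-byte compression pointer for the name, then type, class, TTL, RDLENGTH, RDATA) follows RFC 1035; all sample records, the baseline and the threshold are constructed here for the example.

```python
"""Toy signature-based vs. learning-based detectors (added example).
All input data below is constructed for illustration."""
import struct
from statistics import mean, pstdev

TYPE_A = 1
TYPE_TXT = 16

# --- Signature-based detection ---------------------------------------------
# Signature: an A record whose RDATA is longer than the 4 octets an IPv4
# address needs (the "DNS address length overflow" pattern named in the post).

def parse_rr(buf, off):
    """Parse one resource record at `off`. The owner name is assumed to be a
    2-byte compression pointer, as it usually is in answer sections.
    Returns (rtype, rdata, offset_of_next_record); raises on truncation."""
    if off + 12 > len(buf):
        raise ValueError("truncated RR header")
    rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, off + 2)
    start, end = off + 12, off + 12 + rdlength
    if end > len(buf):
        raise ValueError("truncated RDATA")
    return rtype, buf[start:end], end

def signature_check(buf):
    """Walk every record in `buf`; return one alert string per match.
    Malformed input is itself reported rather than silently skipped."""
    alerts, off = [], 0
    while off < len(buf):
        try:
            rtype, rdata, off = parse_rr(buf, off)
        except ValueError as exc:
            alerts.append(f"malformed record: {exc}")
            break
        if rtype == TYPE_A and len(rdata) > 4:
            alerts.append(f"A record RDATA length {len(rdata)} > 4 octets")
    return alerts

def build_rr(rtype, rdata):
    """Construct a test record: pointer 0xC00C, type, class IN, TTL, RDLENGTH, RDATA."""
    return struct.pack("!HHHIH", 0xC00C, rtype, 1, 3600, len(rdata)) + rdata

NORMAL_ANSWER = build_rr(TYPE_A, bytes([192, 0, 2, 10]))      # constructed
OVERSIZED_ANSWER = build_rr(TYPE_A, bytes(range(64)))         # constructed, 64-octet "address"
OVERSIZED_TXT = build_rr(TYPE_TXT, bytes(range(64)))          # constructed; same shape, different type

# --- Learning-based (anomaly) detection ------------------------------------
# The "norm" is a baseline of DNS queries per minute from one host; the rule
# defines how much deviation counts as "bad" via a z-score threshold.

BASELINE = [10, 12, 11, 9, 13, 10, 12, 11]   # constructed training window
OBSERVED = [10, 14, 40, 11]                   # constructed: minute 2 is a burst

def anomaly_check(baseline, observed, threshold=3.0):
    """Return [(index, value, zscore)] for observations more than `threshold`
    standard deviations from the learned mean."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1e-9   # avoid division by zero on a flat baseline
    flagged = []
    for i, v in enumerate(observed):
        z = (v - mu) / sigma
        if abs(z) > threshold:
            flagged.append((i, v, round(z, 2)))
    return flagged

if __name__ == "__main__":
    print("signature, normal answer:   ", signature_check(NORMAL_ANSWER))
    print("signature, oversized A:     ", signature_check(OVERSIZED_ANSWER))
    print("signature, oversized TXT:   ", signature_check(OVERSIZED_TXT))
    print("anomaly, observed window:   ", anomaly_check(BASELINE, OBSERVED))
```

Running it shows both weaknesses from the post in miniature: the signature rule says nothing about the oversized TXT record because no rule was written for that type, while the anomaly rule flags whatever leaves the baseline, whether the burst is an attack or merely an unusually busy minute, which is where its false positives come from.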