Re: IDS: Simply a Question "?"

Terry Escamilla (terrye@us.ibm.com)
Thu, 26 Feb 1998 10:47:45 -0500

----------------------------------------------------------------------------
Well said, Ted!  IMHO this is a question about programming paradigm.  Many
early IDSs were developed as expert systems.  We could have this long
discussion about whether or not they work, problems with knowledge
acquisition and knowledge base management, and so on.  To keep it brief,
there are different approaches to building intelligent systems:

- rule based (forward chaining and backward chaining)
- planning
- neural nets

to name just a few.  To planning and RBSs you can add all sorts of
variations for probabilistic or evidential reasoning, too.  Neural nets are
one possible approach for developing pattern recognizers and learning
systems.  The technique in the former is to "train" the net to
recognize/categorize incoming data with patterns properly.  In principle,
the system is able to "learn", but RBSs can be said to learn, too.  For
example, there were several projects which demonstrated how to add
"learned" rules to the KB on the fly.  The real question is whether the
underlying model, in this case for the IDS, is robust enough to permit
evolution or learning of new patterns.  Luckily, there is a great deal of
research on expert and knowledge based systems, learning, and so on.  IDSs
are one particular area in which these computer science mechanisms can be
applied.

Terry


Terry Escamilla, Ph.D.
Phone:  303-924-7860     Fax: 303-924-9727
Internet: terrye@us.ibm.com
Notes: Terry Escamilla/Austin/IBM@IBMUS

IBM Corporation
6300 Diagonal Hwy, MS 010H
Boulder, Co, 80301


---------------------- Forwarded by Terry Escamilla/Austin/IBM on 02/26/98 08:38 AM ---------------------------


owner-ids@uow.edu.au on 02/26/98 08:01:41 AM
Please respond to owner-ids@uow.edu.au @ internet
To: GHAZNAVI@NET1CS.modares.ac.ir @ internet
cc: ids@uow.edu.au @ internet
Subject: Re: IDS: Simply a Question "?"


----------------------------------------------------------------------------
At 02:04 PM 2/26/98 +330, M.B., Ghaznavi-Ghoushchi wrote:

>Can anyone tell me about the interrelation of Neural Nets and IDS ?

There seem to be two basic technologies used to build IDS: attack signature
recognition and learning based IDS.  Attack signature recognition defines
explicit patterns as "bad", e.g. DNS updates containing IP addresses longer
than 4 octets (a DNS address length overflow attack).  Learning based
technology uses deviation from a norm to suggest malicious activity (the
rules define how much deviation is "bad").

Each technology has its strengths and weaknesses.  Attack signature IDS
will not trigger on an attack that is not a priori defined to the system;
learning systems require the establishment of a norm to test against, and
tend to have high levels of false positive reports (see the NIDES report).

Neural Nets are one way to build a learning based IDS.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
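The two approaches Ted contrasts, reduced to code so that the strengths and weaknesses he names are visible. This is an added example written for this archive page; it is not code from Ted, Terry, ISS or IBM. The signature rule implements the one pattern the post gives (an A record whose RDATA is not four octets); the anomaly rule uses a plain mean/standard-deviation baseline as a stand-in for whatever learning model a real system would use. The DNS record bytes, the per-minute query counts and the 3-sigma threshold are all constructed for the example.

```python
"""Added example (not from the thread): the two IDS approaches Ted describes.

1. Signature detection: flag a DNS A record whose RDATA is not exactly
   four octets (the "address longer than 4 octets" pattern from the post).
2. Anomaly detection: learn a per-host query-rate baseline and flag values
   that deviate from it by more than a threshold.

All packet bytes and rate samples below are constructed for this example.
"""
import struct
from statistics import mean, pstdev

TYPE_A = 1            # DNS RR type for an IPv4 address
IPV4_OCTETS = 4       # an A record's RDATA must be exactly four octets


def parse_rr(buf: bytes, offset: int = 0) -> tuple:
    """Parse one DNS resource record; returns (rtype, rdlength, rdata).

    The owner name is skipped; it may be a sequence of labels or a
    compression pointer (two bytes whose top two bits are 11).
    """
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            offset += 2
            break
        offset += 1                    # the length byte itself
        if length == 0:                # root label ends the name
            break
        offset += length               # skip the label's characters
    rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", buf, offset)
    offset += 10                       # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
    rdata = buf[offset:offset + rdlength]
    return rtype, rdlength, rdata


def signature_alert(buf: bytes) -> bool:
    """Signature rule: an A record whose declared or actual RDATA length is
    not four octets is flagged.  Anything that does not match this one
    pattern passes, which is the weakness Ted points out."""
    rtype, rdlength, rdata = parse_rr(buf)
    return rtype == TYPE_A and (rdlength != IPV4_OCTETS or len(rdata) != IPV4_OCTETS)


class RateBaseline:
    """Anomaly rule: a value is 'bad' when it lies more than `threshold`
    standard deviations from the mean of the training samples."""

    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold
        self.mu = None
        self.sigma = None

    def train(self, samples) -> None:
        """Establish the norm; without this step there is nothing to test against."""
        self.mu = mean(samples)
        self.sigma = pstdev(samples)

    def score(self, value: float) -> float:
        if self.mu is None:
            raise RuntimeError("baseline not trained")
        if self.sigma == 0:            # constant baseline: any change is maximal
            return 0.0 if value == self.mu else float("inf")
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value: float) -> bool:
        return abs(self.score(value)) > self.threshold


# --- constructed sample data (not captured traffic) ---------------------------
RR_HEADER = struct.pack("!HHIH", TYPE_A, 1, 300, IPV4_OCTETS)
# Owner name as a compression pointer (0xC00C), then the fixed header, then RDATA.
BENIGN_A = b"\xc0\x0c" + RR_HEADER + bytes([10, 0, 0, 1])
OVERLONG_A = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 8) + bytes(8)
# Declared length 4 but only 2 octets present: a truncated record, also flagged.
TRUNCATED_A = b"\xc0\x0c" + RR_HEADER + b"\x0a\x00"

# Queries per minute for one host during training: mean 13.5, stdev 1.5.
TRAINING_RATES = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]


def demo() -> dict:
    base = RateBaseline(threshold=3.0)
    base.train(TRAINING_RATES)
    return {
        "benign_a": signature_alert(BENIGN_A),          # False
        "overlong_a": signature_alert(OVERLONG_A),      # True
        "truncated_a": signature_alert(TRUNCATED_A),    # True
        "rate_60": base.is_anomalous(60),               # True: 31 sigma from the norm
        "rate_18": base.is_anomalous(18),               # False: exactly 3 sigma
        "rate_19": base.is_anomalous(19),               # True: a benign spike trips it
    }


if __name__ == "__main__":
    for name, alert in demo().items():
        print(f"{name:12s} alert={alert}")
```

The `rate_19` case is the false-positive behaviour Ted attributes to learning systems: a host that simply got busier for a minute crosses the threshold with no rule ever describing an attack. Conversely the signature side inspects only A-record lengths, so any malformed record of another type passes unnoticed until someone writes a rule for it.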


