----------------------------------------------------------------------------

Well said, Ted!

IMHO this is a question about programming paradigm. Many early IDSs were
developed as expert systems. We could have this long discussion about
whether or not they work, problems with knowledge acquisition and knowledge
base management, and so on. To keep it brief, there are different approaches
to building intelligent systems:

- rule based (forward chaining and backward chaining)
- planning
- neural nets

to name just a few. To planning and RBSs you can add all sorts of variations
for probabilistic or evidential reasoning, too. Neural nets are one possible
approach for developing pattern recognizers and learning systems. The
technique in the former is to "train" the net to recognize/categorize
incoming data with patterns properly. In principle, the system is able to
"learn", but RBSs can be said to learn, too. For example, there were several
projects which demonstrated how to add "learned" rules to the KB on the fly.

The real question is whether the underlying model, in this case for the IDS,
is robust enough to permit evolution or learning of new patterns. Luckily,
there is a great deal of research on expert and knowledge based systems,
learning, and so on. IDSs are one particular area in which these computer
science mechanisms can be applied.

Terry

Terry Escamilla, Ph.D.
Phone: 303-924-7860
Fax: 303-924-9727
Internet: terrye@us.ibm.com
Notes: Terry Escamilla/Austin/IBM@IBMUS
IBM Corporation
6300 Diagonal Hwy, MS 010H
Boulder, Co, 80301

---------------------- Forwarded by Terry Escamilla/Austin/IBM on 02/26/98 08:38 AM ---------------------------

owner-ids@uow.edu.au on 02/26/98 08:01:41 AM

Please respond to owner-ids@uow.edu.au @ internet

To: GHAZNAVI@NET1CS.modares.ac.ir @ internet
cc: ids@uow.edu.au @ internet
Subject: Re: IDS: Simply a Question "?"
----------------------------------------------------------------------------

At 02:04 PM 2/26/98 +330, M.B., Ghaznavi-Ghoushchi wrote:
>Can anyone tell me about the interrelation of Neural Nets and IDS ?

There seem to be two basic technologies used to build IDS: attack signature
recognition and learning based IDS. Attack signature recognition defines
explicit patterns as "bad", e.g. DNS updates containing IP addresses longer
than 4 octets (a DNS address length overflow attack). Learning based
technology uses deviation from a norm to suggest malicious activity (the
rules define how much deviation is "bad").

Each technology has its strengths and weaknesses. Attack signature IDS
will not trigger on an attack that is not a priori defined to the system;
learning systems require the establishment of a norm to test against, and
tend to have high levels of false positive reports (see the NIDES report).

Neural Nets are one way to build a learning based IDS.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
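
Added example, not part of either message above and not code from any product mentioned in the thread: a small Python sketch of the two detection styles Ted contrasts, run over the same events. The record layout, the updates-per-minute metric, the training values and the threshold k are all assumptions made for illustration.

```python
from statistics import mean, stdev

# All data below is constructed for illustration; it is not captured traffic.
A_OK = ("A", bytes([192, 0, 2, 10]))   # well-formed 4-octet address
A_LONG = ("A", bytes(16))              # address field longer than 4 octets

# Attack-free training data: DNS updates seen per minute (hypothetical metric).
TRAINING = [4, 5, 6, 5, 4, 6, 5, 5]

# One entry per observed minute: (label, records seen in that minute).
EVENTS = [
    ("normal minute", [A_OK] * 5),
    ("oversized address", [A_OK] * 4 + [A_LONG]),
    ("nightly zone refresh (benign)", [A_OK] * 12),
    ("burst with no signature defined", [A_OK] * 40),
]


def signature_hits(events):
    """Signature IDS: fire only on the explicitly defined 'bad' pattern."""
    return [label for label, records in events
            if any(rtype == "A" and len(rdata) > 4 for rtype, rdata in records)]


def build_norm(training):
    """Learning IDS, step 1: establish the norm from attack-free data."""
    return mean(training), stdev(training)


def anomaly_hits(events, norm, k=3.0):
    """Learning IDS, step 2: the rule says how much deviation is 'bad'."""
    mu, sigma = norm
    return [label for label, records in events
            if abs(len(records) - mu) > k * sigma]


if __name__ == "__main__":
    print("signature:", signature_hits(EVENTS))
    print("anomaly:  ", anomaly_hits(EVENTS, build_norm(TRAINING)))
```

The signature rule fires only on the oversized address and stays silent on the burst it has no pattern for; the deviation rule catches that burst but also flags the benign zone refresh.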