IDS with AI?

Thread: IDS with AI?

  1. #1
    Senior Member
    Join Date
    Apr 2003
    Posts
    147

    IDS with AI?

    Just wanted to ask some of you who would have an informed opinion about the idea of artificial intelligence in IDSs and firewalls.

    I've got a guy who's a wiz at AI and dabbles quite a bit in computer/network security and thinks it's a good idea, but he wants me and a friend to work on it with him. Actually it's my friend's dad. He thinks we can train his latest AI implementation that he wrote in Java to do IDS stuff. And oh yeah, it's genetic, i.e. natural selection type stuff where it rewrites its own code based on what works. I'm not gonna try to understand the specifics, at least not yet, though he wants to teach me.

    Just wanted to throw something out for discussion. I'd love some ideas, but we're probably gonna try and market this, so you'd just be helping a goofy closed source (for now at least; he's got patents on the stuff) endeavor.

    I don't have specifics yet. I'm a humble C++ coder turned PC tech, not exactly sure. I'm not even sure I'm gonna do it yet. He says we'd have to make modules that set IDS info up for the AI to process: you know, do the scans, check the exe names, tell it how to tell what's going on on the comp. Well, that's all I know, and I hadn't heard anything about it here yet, though I don't come here every day. Thanks in advance for comments.

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    That's a very interesting subject, but I'm sorry to tell you that it is not a brand new subject.

    I don't really see how a string-based or signature-based IDS such as Snort would use an AI implementation, since AI is not so far able to define new attack signatures.

    But it could help for:
    - signature-based active IDS that would dynamically take the decision to block a frame or reply with false information to a probe.
    - false alarms & negative DoS
    - log correlation
    - in my opinion AI would hugely help heuristics-based IDS.

    If a site is created for your project, share the URL...
    SHARING KNOWLEDGE

  3. #3
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    I know it's not new, that's why I was asking for opinions and such. And we haven't even committed to it yet, so there's no site. But I'd be glad to pass it along if we set one up.

    I'm just putting out something to talk about that's not a goofy newbie problem or whatever, just something to chat about, I thought it was interesting.

  4. #4
    Senior Member linuxcomando's Avatar
    Join Date
    Sep 2001
    Posts
    430
    It's a cool idea, been messing with it for a while; however, I believe Cisco NetRanger has somewhat of an AI.... I'm not sure I would call it A.I., but it does do **** automatically I suppose, like automatically block IPs that are harassing the network, stuff like that, tweaks rule sets if there seem to be too many false positives... etc.
    I toor'd YOU!

  5. #5
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    That sounds more like an expert system, like most rule-based IDSs. AI's different: it's supposed to learn/come up with its own ideas and test them. Provided, of course, you can write a module for it that gives it relevant data for tests.

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    My alma mater (university) is currently involved in research tying IDS together with AI. I think they are currently using some sort of a neural net, but I haven't talked to the lead professor in a year or so about it (was thinking about making this a master's thesis topic).

    Went to their web site to see if the abstracts were out there but unfortunately that section seems to be a good bit out of date.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Deceased x acidreign x's Avatar
    Join Date
    Jul 2002
    Posts
    455
    On one hand, it seems like that much more complicated code and therefore that much more that could go wrong, but then again, having a firewall or intrusion detection system that could independently make decisions as to what traffic goes in and out and what connections are valid sounds pretty good to me.

  8. #8
    Senior Member linuxcomando's Avatar
    Join Date
    Sep 2001
    Posts
    430
    But we still would have the same problems with false positives. In fact I think you could actually have more, just because if the IDS tests an "idea" of its own and thinks it works, then what happens if that "idea" just screwed a lot of users out of VPN access?

  9. #9
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    It's a very good idea.

    But surely if a machine is capable of figuring out new attacks, then you're going to have a lot of script kiddies running AI programs to find new vulnerabilities, so the AI on an IDS would always have to be that one step ahead.

    Very interesting idea; the implementation on neural nets really interests me.

    I suppose the AI would basically be looking out for key factors in an attack, like port scans and the like.

    The thing is, a system like this is brilliant; it would just be let down by people writing down their passwords for others to see, dumpster diving and social engineering. The human factor really is the weak link....... as always.

    i2c

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    > But we still would have the same problems with false positives. In fact I think you could actually have more, just because if the IDS tests an "idea" of its own and thinks it works, then what happens if that "idea" just screwed a lot of users out of VPN access?

    This is exactly why my university is using neural nets. The neural net is able to learn what normal traffic looks like and, based on what you tell it to ignore or not, will continually learn more and more to the point where the chances of false positives are very small (in theory). The second benefit is you now have a reliable anomaly-based IDS (not signature-based) and have the potential to catch much more traffic than something like Snort (because they are signature-based, you can alter your attack to not match the signature yet still be effective). IMHO, in the next five years this type of approach will become the standard (in practice it will probably be a hybrid).

    /nebulus
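The contrast nebulus draws above, as an added example that is not part of the thread or any project named in it: a signature check that only fires on one fixed byte pattern, next to a small anomaly model that learns a baseline of "normal" from constructed flow records, flags flows that deviate from it, and can be taught by the operator to accept a flow it wrongly flagged. The features, weights, thresholds and sample traffic are all hypothetical choices made for the illustration.

```python
# Added example, not code from the thread: a signature check that fires only
# on one fixed byte pattern, next to an anomaly model that learns "normal" from
# constructed flow records, flags deviations, and can be taught by the operator.
# Features, weights and the sample traffic are all hypothetical choices.
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flows: (src_host, dst_port, bytes_sent, payload)
NORMAL_FLOWS = [
    ("10.0.0.5", 443, 1200, b"GET /index.html"),
    ("10.0.0.5", 443, 1350, b"GET /about.html"),
    ("10.0.0.6", 443, 900, b"GET /login"),
    ("10.0.0.6", 80, 1100, b"GET /"),
    ("10.0.0.7", 443, 1250, b"GET /api/v1/items"),
    ("10.0.0.7", 443, 1180, b"GET /api/v1/users"),
]
SIGNATURE = b"/etc/passwd"  # the one pattern the signature rule knows about

def signature_match(payload: bytes) -> bool:
    """Signature-style detection: exact bytes or nothing."""
    return SIGNATURE in payload

class AnomalyModel:
    """Baseline of normal flows; a flow is scored by its deviation from it."""

    def __init__(self, flows, threshold=3.0):
        self.flows, self.threshold = list(flows), threshold
        self._fit()

    def _fit(self):
        sizes = [size for _, _, size, _ in self.flows]
        self.mean, self.std = mean(sizes), (pstdev(sizes) or 1.0)
        self.ports = Counter(port for _, port, _, _ in self.flows)
        self.hosts = Counter(host for host, _, _, _ in self.flows)

    def score(self, flow) -> float:
        host, port, size, _ = flow
        score = abs(size - self.mean) / self.std  # size deviation in std-devs
        score += 3.0 if port not in self.ports else 0.0  # never-seen port
        score += 2.0 if host not in self.hosts else 0.0  # never-seen source
        return score

    def is_anomalous(self, flow) -> bool:
        return self.score(flow) >= self.threshold

    def learn(self, flow):
        """Operator marks a flagged flow benign: fold it into the baseline."""
        self.flows.append(flow)
        self._fit()
```

A flow whose payload avoids the signature but whose size, port or source is unlike the baseline is still caught, while a benign flow from a new host is flagged once and then accepted after `learn()`, which is the false-positive feedback loop the post describes.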
