IDS with AI?

**UpperCell** · September 1st, 2003, 04:01 AM

Just wanted to ask some of you all that would have an informed opinion about the idea of artificial intelligence in IDS's and firewalls

I've got a guy who's a wiz at AI and dabbles quite a bit in computer/network security and thinks it's a good idea, but he wants me and a friend to work on it with him. Acctually it's my friends Dad. He thinks we can train his latest ai implementation that he wrote in java to do ids stuff. and oh yeah, it's genetic, i.e. like natural selection type stuff where it rewrites it's own code based on what works. I'm not gonna try to understand the specifics at least yet. Though he wants to teach me.

Just wanted to throw something out for discussion. I'd love some ideas, but we're probably gonna try and market this, so you'd just be helping a goofy closed source (for now at least, he's got patents on the stuff) endeavor.

I don't have specifics yet, i'm a humble c++ coder turned PC tech, not exactly sure. I'm not even sure i'm gonna do it yet. He says we'd have to make modules that set ids info up for the ai to process. you know, do the scans, check the exe names, tell it how to tell what's going on on the comp. Well, that's all I know, and hadn't heard anything about it here yet, though i don't come here every day. thanks in advanced for comments

**Networker** · September 1st, 2003, 01:56 PM

That's a very interesting subject but I'm sorry to tell u that it is not a brand new subject.

I don't see really how a String based or signature based IDS such as snort would use an AI implementation since AI is not so far able to define new attacks signature.

But it could help for:
- signature-based active IDS that would dynamically take the decision to block e frame or reply with false information to a probe.
- False alarm & negative DoS
- log correlation
- a my opinion AI would hugely heuristics based IDS.

If a site is created for your project shares the url...

**UpperCell** · September 1st, 2003, 07:28 PM

I know it's not new, that's why I was asking for opinions and such. And we haven't even committed to it yet, so there's no site. But I'd be glad to pass it along if we set one up.

I'm just putting out something to talk about that's not a goofy newbie problem or whatever, just something to chat about, I thought it was interesting.

**linuxcomando** · September 1st, 2003, 09:00 PM

Its a cool idea, been messing with it for a while;however, i beleive cisco netranger has some what of an AI....Im not sure i would call it A.I but it does do **** automatically I suppose, like automatically block ip that are harrassing the network stuff like that, tweaks rule sets if there seems to be to many pos-falsitives....etc.

**UpperCell** · September 1st, 2003, 10:10 PM

that sounds more like an expert system, like most rule based ids's ai's different, It's supposed to learn/come up with it's own ideas and test them. Provided of course, you can write a module for it that gives it relavant data for tests

***nebulus200*** · September 2nd, 2003, 02:19 PM

My alma mater (university) is currently involved in a research tying IDS together with AI. I think they are currently using some sort of a neural net, but I haven't talked to the lead professor in a year or so about it (was thinking about making this a master's thesis topic).

Went to their web site to see if the abstracts were out there but unfortunately that section seems to be a good bit out of date.

/nebulus

**x acidreign x** · September 2nd, 2003, 02:32 PM

on one hand, it seems like that much more complicated code and therefore that much more that could go wrong, but then again, having a firewall or intrusion detection system that could independently make decisions as to what traffic goes in and out and what connections are valid, sounds pretty good to me.

**linuxcomando** · September 2nd, 2003, 04:35 PM

But we still would have the same problems with false positives, in fact i think you could actually have more just because if the ids tests an "idea" of its own and thinks it works, then what happens if that "idea" just screwed alot of users out of vpn access?

***i2c*** · September 2nd, 2003, 04:44 PM

It's a very good idea,

But surely if a machine is capable of figuring out new attacks, then your going to have a lot of script kiddies running AI programs to find new vunerabiltys, so the AI on an IDS would always have to be that one step ahead,

Very interesting idea, the implementation on neural nets really interest me,

I suppose the AI would basically be looking out for key factors in an attack, like port scans and the likes.

the thing is a system like this is brilliant it would just be let down by people writing down there passwords for others to see, dumpster diving and social engineering. the human factor really is the weak link.......as always

i2c

***nebulus200*** · September 2nd, 2003, 05:17 PM

But we still would have the same problems with false positives, in fact i think you could actually have more just because if the ids tests an "idea" of its own and thinks it works, then what happens if that "idea" just screwed alot of users out of vpn access?

This is exactly why my university is using Neural nets. The Neural net is able to learn what normal traffic looks like and based on what you tell it to ignore or not, will continually learn more and more to the point to where the chances of false positives are very small (in theory). The second benefit is you now have a reliable anomaly based IDS (not signature based) and have the potential to catch much more traffic than something like Snort (because they are signature based you can alter your attack to not match the signature yet still be effective). IMHO, in the next five years, this type of an approach will become the standard (in practice it will probably be a hybrid).

/nebulus

Thread: IDS with AI?

Thread Tools

Display

IDS with AI?

Posting Permissions