September 24th, 2004, 06:49 PM
IDS detection algorithm
I want help with the detection part of the NIDS application I am developing for my school project.
Is it possible to integrate an AI algorithm into pattern detection? If yes, how?
September 24th, 2004, 07:27 PM
In general, patterns are just that, and involve looking up a pattern file using predefined algorithms.
Otherwise you need to look at behavioural parameters, accessing ports, files, running scripts, uploading, downloading. You need to decide what behaviour an intruder is likely to display.
A bit like setting up firewall rules.............define what is allowed and stop & report that which is not. It is not what I would describe as AI because by the time the IDS had determined if something was malicious or not it would be too late. You need to warn, and let a human make the decision, even if the activity is automatically blocked first time round.
just a thought
September 24th, 2004, 07:49 PM
That's tough, but a good idea too.
AI is a very large subject. For that purpose you can use Neural networks (NN). It's NOT an easy thing to do, so if you want to follow the AI path, you will need a lot of research and patience.
You can achieve some "intelligence" in your IDS by creating a NN that has the ability of "learning".
Then you will train your NN, presenting to it patterns representing "intrusion" and "normal behavior". After some time, the NN will start to recognise patterns.
But it is too large to explain here. You will need to read the basics of NN and try by yourself.
Other "fields" of AI are: Genetic Algorithms (GA) and Fuzzy logic. GA is pretty easy (the concept, not the implementation) but Fuzzy logic is kinda weird.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
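The train-then-recognise loop the post above describes, as an added example that is not part of the thread: a single sigmoid neuron (the smallest possible "network") is trained by batch gradient descent on labelled per-source traffic summaries, then asked to classify summaries it has not seen. The three features, the scaling constants and every traffic figure are constructed for the example; a real NIDS would extract them from captured packets and would log the decision for a human to review rather than act on it alone.

```python
# Added example, not from the thread: a one-neuron "neural network" that
# learns to separate constructed "normal" and "intrusion" traffic summaries.
import math

# One summary per source per minute (assumed feature set):
# (connections started, distinct destination ports, failed logins).
# Scaling constants are assumed; they keep every feature roughly in [0, 1].
FEATURE_SCALE = (200.0, 150.0, 50.0)

# Constructed, labelled training set. 0 = normal, 1 = intrusion.
TRAINING_DATA = [
    ((5, 2, 0), 0), ((8, 3, 1), 0), ((3, 1, 0), 0), ((10, 4, 0), 0),
    ((200, 150, 0), 1),   # port sweep: many ports touched, no logins
    ((150, 120, 2), 1),
    ((40, 1, 30), 1),     # password guessing: one port, many failures
    ((60, 2, 45), 1),
]


def scale(features):
    """Map raw counters onto the [0, 1]-ish range the neuron is trained on."""
    return [f / s for f, s in zip(features, FEATURE_SCALE)]


def sigmoid(z):
    """Logistic activation, clamped so math.exp never overflows."""
    if z < -30.0:
        return 0.0
    if z > 30.0:
        return 1.0
    return 1.0 / (1.0 + math.exp(-z))


def train(data, epochs=5000, rate=1.0):
    """Batch gradient descent on one sigmoid neuron (logistic unit).

    Each epoch presents every labelled pattern, accumulates the error
    gradient and nudges the weights towards separating the two classes.
    """
    n_features = len(FEATURE_SCALE)
    weights = [0.0] * n_features
    bias = 0.0
    samples = [(scale(x), y) for x, y in data]
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in samples:
            output = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)
            err = output - y
            for i, xi in enumerate(x):
                grad_w[i] += err * xi
            grad_b += err
        m = len(samples)
        weights = [w - rate * g / m for w, g in zip(weights, grad_w)]
        bias -= rate * grad_b / m
    return weights, bias


def classify(model, features):
    """Return 'intrusion' or 'normal' for one raw traffic summary."""
    weights, bias = model
    x = scale(features)
    p = sigmoid(sum(w * xi for w, xi in zip(weights, x)) + bias)
    return "intrusion" if p >= 0.5 else "normal"


def evaluate(model, data):
    """Fraction of labelled summaries the model classifies correctly."""
    hits = sum(classify(model, x) == ("intrusion" if y else "normal")
               for x, y in data)
    return hits / len(data)


if __name__ == "__main__":
    model = train(TRAINING_DATA)
    print("training accuracy:", evaluate(model, TRAINING_DATA))
    # Constructed summaries the neuron has never seen.
    for summary in [(7, 2, 0), (180, 140, 1), (50, 2, 50)]:
        print(summary, "->", classify(model, summary))
```

The separating surface is learned from eight hand-labelled patterns, so it only knows the two intrusion shapes it was shown (port sweeps and login guessing); a different attack pattern would not be recognised until examples of it were added to the training set and the neuron retrained, which is the maintenance burden the later replies in this thread warn about.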
September 24th, 2004, 10:12 PM
There are two types of NIDS (understand the difference between a NIDS and a HIDS).
Signature based: This relies upon known patterns within network packets to determine a threat.
Anomaly based: This relies upon a baseline of "normal" activity on a network and then alerts on activity that varies from the norm.
What you are suggesting is me.
In the final analysis the _person_ managing the security is the filter for the attackers. The subtleties that a human attacker can generate are almost endless. What you are looking for is a maintenance free IDS..... That's a dream.... It may come but you can never underestimate the ability of the human to subvert even the best "intelligent" thing, another human.... With that in mind it will be a long time before the computer can outwit the human.
Since this is a school project I would look into the complexities of AI and conclude that its effective implementation in an IDS is many, many years away and that to implement one prematurely is only going to promote a false sense of security that will end in a failure of the system and therefore a compromise of the network.
Today, it's really that simple.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
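The two NIDS styles from the post above, side by side, as an added example that is not part of the thread: the signature detector looks each payload up against a list of known byte patterns, while the anomaly detector builds a baseline (mean and standard deviation of connections per source per minute) from earlier traffic and raises an alert when a source's count is more than three standard deviations above it. The packet records, the baseline figures and the two signatures are constructed for the example; both detectors return alerts for a human to review, in line with the thread's point that the person managing the security is the final filter.

```python
# Added example, not from the thread: signature based and anomaly based
# detection run over constructed packet records.
import re
import statistics
from collections import Counter

# Signature based: known patterns looked up in every payload (assumed list).
SIGNATURES = [
    ("web-directory-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-tautology-probe", re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]

# Anomaly based: connections per source per minute seen during a quiet
# baseline period (constructed figures).
BASELINE_MINUTES = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]

# Constructed packet records for one minute: (minute, source, dest_port, payload).
PACKETS = (
    [(0, "10.0.0.5", 80, b"GET /page%d.html HTTP/1.0" % i) for i in range(14)]
    + [(0, "10.0.0.9", 80, b"GET /../../etc/passwd HTTP/1.0")]
    + [(0, "10.0.0.7", 80, b"GET /login?user=a' OR 1=1-- HTTP/1.0")]
    # 60 empty connection attempts to consecutive ports from one source.
    + [(0, "10.0.0.9", 1000 + i, b"") for i in range(60)]
)


def signature_alerts(packets):
    """Return (source, signature name) for every payload matching a pattern."""
    alerts = []
    for _minute, src, _dport, payload in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((src, name))
    return alerts


def build_baseline(per_minute_counts):
    """Summarise 'normal' as mean and sample standard deviation."""
    return statistics.mean(per_minute_counts), statistics.stdev(per_minute_counts)


def anomaly_alerts(packets, baseline, threshold=3.0):
    """Return (source, z-score) for sources whose connection count in the
    window sits more than `threshold` standard deviations above the baseline.
    Only the high side is checked: a quiet source is not an intrusion."""
    mean, stdev = baseline
    counts = Counter(src for _minute, src, _dport, _payload in packets)
    alerts = []
    for src, n in sorted(counts.items()):
        z = (n - mean) / stdev
        if z > threshold:
            alerts.append((src, z))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_MINUTES)
    print("baseline mean/stdev:", baseline)
    for src, name in signature_alerts(PACKETS):
        print("signature alert:", src, name)
    for src, z in anomaly_alerts(PACKETS, baseline):
        print("anomaly alert: %s is %.1f standard deviations above normal" % (src, z))
```

Note what each style misses: the signature detector says nothing about the 60-port sweep because those packets carry no payload to match, and the anomaly detector says nothing about the single SQL probe from 10.0.0.7 because one connection is well within the baseline. Running both is the usual answer, and the baseline itself has to be rebuilt as the network's normal behaviour drifts, which is the maintenance the thread says no IDS escapes.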