Re: [logs] AI/adaptive/heuristic syslog analysis

From: Jon Stearley (jrstearat_private)
Date: Fri Dec 21 2001 - 10:44:44 PST


    On Fri, Dec 21, 2001 at 02:25:15AM -0800, dgillettat_private wrote:
    >   I have three basic concerns with this approach:
    > 
    > 1.  A stealthy/patient attacker might be able to stay "below radar" 
    > while the system acclimates to his presence.  i.e. Normal/routine may 
    > not equate to *authorized*.
    > 
    > 2.  Anent the recent thread about court admissibility, it is likely 
    > to become necessary to explain why such a system flagged some 
    > particular traffic.  I haven't followed the field closely, but my 
    > impression has long been that reporting/reproducing the learned 
    > "reasoning" is a particularly thorny issue.
    > 
    > 3.  There remain persistent anecdotes to the effect that some 
    > automated British defence system, during the 1982 Falklands war, 
    > detected an incoming missile, identified it as an Exocet, and on that 
    > basis classified it as "friendly" -- even though it was rapidly 
    > closing on a British ship.  I think there has to remain some human 
    > interface to the ruleset, so that for instance an administrator can 
    > revoke permissions previously granted to some traffic.  I'm not sure 
    > how else to get such a learning system to converge on policy changes 
    > in an acceptable time.
    
    three excellent points!  i agree absolutely.  definitely, i see the ai
    thing as a researchy approach rather than something i'd currently
    employ to protect/defend anything valuable.  it's a fun thing (for me
    anyway), but with significant potential i think.
    
    here are two "computer immunology" links which are not directly related
    to loganalysis, but are indirectly/philosophically in the current
    context:
       http://www.cs.unm.edu/~immsec/
       http://www.iu.hio.no/~mark/research/immunology.html
    
    my limited understanding of biological immune systems is that they are
    much more effective at protecting a species than individuals.  this
    has bad/unacceptable implications for the current client/server
    computing model - especially because the servers are so easy to
    identify!  but, as computing becomes more and more distributed, who
    knows...
    
    --
    +--------------------------------------------------------------+
    | Jon Stearley			(505) 845-7571  (FAX 844-2067) |
    | Compaq Federal LLC		High Performance Solutions     |
    | Sandia National Laboratories	Scalable Systems Integration   |
    +--------------------------------------------------------------+
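    The two operational concerns raised above (a patient attacker acclimating
    the learned baseline, and the need for a human override of whatever the
    model has decided is "normal") can be shown with a deliberately simple
    rarity-based syslog detector. The code below is an added illustration and
    is not code from the thread or from either of the linked research groups;
    the detector design, the constructed log lines, the 3% threshold and the
    "one intrusion per four routine events" cadence are all assumptions made
    for the example. The detector learns from every line it sees, flagged or
    not, so an event that is repeated patiently crosses the frequency
    threshold after roughly threshold times N quiet repetitions; the
    operator deny-list is the human interface that revokes that learned
    acceptance. Each verdict carries the counts behind it, which is the
    explanation a count-based model can give, though that does not answer the
    admissibility concern for models whose reasoning is not a pair of counts.

```python
import re
from collections import defaultdict

# Parses "Mon DD HH:MM:SS host prog[pid]: message" (BSD syslog shape).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def template(msg):
    """Collapse variable fields (IPs, numbers) so lines of one shape share a key."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return msg


def event_key(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    return (m["host"], m["prog"], template(m["msg"]))


class AdaptiveDetector:
    """Toy rarity detector (hypothetical): an event is anomalous while its share
    of all events seen so far is below `threshold`. It keeps learning from every
    line, including the ones it flags; that is the acclimation weakness."""

    def __init__(self, threshold=0.03):
        self.threshold = threshold
        self.counts = defaultdict(int)
        self.total = 0
        self.denied = set()  # operator-pinned keys: always alert, never learned away

    def deny(self, line):
        """Operator override: revoke whatever 'normal' status the model learned."""
        self.denied.add(event_key(line))

    def score(self, line):
        """Return (anomalous, reason) and then learn the line."""
        key = event_key(line)
        if key in self.denied:
            return True, f"operator rule: {key[2]!r} is always reported"
        seen = self.counts[key]
        freq = seen / self.total if self.total else 0.0
        anomalous = freq < self.threshold
        reason = (f"{key[1]} {key[2]!r}: seen {seen} of {self.total} events "
                  f"(freq {freq:.4f}, threshold {self.threshold})")
        self.counts[key] += 1
        self.total += 1
        return anomalous, reason


# Constructed sample traffic for the demo; not taken from any real host.
ROUTINE = [
    "Dec 21 10:{m:02d}:01 web1 sshd[1024]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Dec 21 10:{m:02d}:07 web1 cron[1030]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 21 10:{m:02d}:12 web1 httpd[2201]: 10.0.0.9 GET /index.html 200 5120",
    "Dec 21 10:{m:02d}:30 web1 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart httpd",
]
INTRUDER = "Dec 21 11:{m:02d}:44 web1 sshd[3390]: Accepted password for root from 203.0.113.9 port 40022 ssh2"


def acclimation_demo(threshold=0.03, routine_per_round=4):
    d = AdaptiveDetector(threshold)
    # 1. Learn a quiet baseline: 25 passes over four routine templates (100 events).
    for m in range(25):
        for tmpl in ROUTINE:
            d.score(tmpl.format(m=m))
    # 2. A patient intruder: one root password login, then some routine events, repeated.
    flagged, reasons = 0, []
    for m in range(60):
        anomalous, why = d.score(INTRUDER.format(m=m))
        reasons.append(why)
        if not anomalous:  # the model now calls the intrusion "normal"
            break
        flagged += 1
        for tmpl in ROUTINE[:routine_per_round]:
            d.score(tmpl.format(m=m))
    # 3. An administrator reads the last explanation, disagrees, and pins the rule.
    d.deny(INTRUDER.format(m=0))
    pinned, pinned_reason = d.score(INTRUDER.format(m=59))
    return {
        "flagged_before_acclimation": flagged,
        "last_reason": reasons[-1],
        "pinned_alerts": pinned,
        "pinned_reason": pinned_reason,
    }


if __name__ == "__main__":
    for k, v in acclimation_demo().items():
        print(f"{k}: {v}")
```

    With these constants the intruder's root login is flagged only four times
    before the model accepts it as routine, and the deny-list is what brings
    the alert back. A production detector would at least refuse to learn from
    lines it has flagged until a human confirms them, which is the convergence
    problem the third point describes.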
    
    
    



    This archive was generated by hypermail 2b30 : Fri Dec 21 2001 - 11:19:11 PST