> Byron Collie and Kymie Tan presented a paper in which they
> described some uses of NNs for anomaly detection.

This particular paper wasn't in my small collection, thanks for the link :-)

> been seriously underwhelmed by most of the NN in IDS papers I've
> seen.

Me too. This is why I decided to give it a try. Most of the papers I have seen are packed full of proposals and hopes, and with very few practical approaches to real, even small-scale problems.

> In my experience NNs are the _first_ thing that IDS newbies think
> of trying...

Of course. But they soon discover that NNs are not black magic. There's a lack of understanding of the inherent limits of a neural network in most of the papers I've seen. Just to reassure you - I do not believe in magic. Not when I'm not rolling RPG dice, at least :-)

However, this is not exactly my first hand-to-hand with the Beast. As a true newbie I examined the rule-based approaches with a small project of my own (in CLIPS). Then I examined behavioral approaches, applying ethological concepts to the field and modelization with HMMs. I will present my work tomorrow at a small meeting here in Italy, and I will happily send you the complete paper as soon as I have time to finish it with full details of the algorithms.

In the meantime I have conceived of also giving the neural network algorithm a try, and I am envisioning quite a different approach than usual, using unsupervised learning and clusterization techniques.

> > is it possible to
> > "reverse map" the output of such a neural network system to give alerts of
> > any practical value ?
>
> That'd be a very interesting accomplishment!

Indeed !

> How will you do that without
> a knowledge base or expert system?

Why should I work without a knowledge base ? A statistical approach of most kinds has been integrated in a wide range of projects based on expert systems (IDES and the STAT module, for instance. There are others but I do not have my notes at hand at the moment).

An integrated approach is surely one of the possible outcomes of my research. On the other hand it is completely possible that useful information can be drawn directly from the network output. I'm unaware of successful research in the field (but I'm still reading and searching), but "never done" or "never tried" does not mean "impossible". Otherwise, we work in a field with an awful load of "impossible" machinery...

> And if you have a knowledge base,

We have used and researched knowledge based IDSes for years - we know their usefulness and their limits. As I said in my premise - I am not willing to "compare" the two approaches. They are complementary, as anyone here knows. They simply look for different things - and they should do exactly that. We are packed full of knowledge bases for intrusion detection - and in the usual meaning, "research" means trying to find out new ways for doing things. And failing, should that be the case, with an explanation of why something doesn't work.

> Well, I don't think anomaly detection systems work for meaningful
> values of "work"

On the contrary, it is my opinion that an anomaly detection approach must be integrated with misuse detection, to make an IDS "work" with any meaningful value of "work". Just grab and compile ADMutate (http://www.ktwo.ca/security.html) if you need a proof that misuse detection is quite hopelessly limited.

Stefano
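As an added example for this thread (not Stefano's code, nor the method of any paper named above), the following Python script shows the simplest instance of the unsupervised idea he mentions: the baseline traffic is summarised as a single cluster (a centroid plus per-feature spread, i.e. the k=1 case of clustering), new requests are scored by their normalised distance from it, and each alert is "reverse mapped" to the feature that pushed it over the threshold, so the analyst gets a reason rather than a bare number. The log lines, the four features, the threshold and the MIN_SPREAD floor are all constructed assumptions for the illustration.

```python
"""Toy one-cluster anomaly scorer for web-server access logs (added example).

Not Stefano's code nor any cited paper's method. Baseline = centroid plus
per-feature spread; score = normalised distance; alert = score plus the
feature that contributed most (the 'reverse mapping' to a readable reason).
"""
import math
import re

# Apache-style log line; only the fields the features need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic); ordinary browsing as baseline.
BASELINE_LINES = [
    '10.0.0.5 - - [22/Jun/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [22/Jun/2002:10:01:03 +0000] "GET /images/logo.gif HTTP/1.0" 200 2310',
    '10.0.0.7 - - [22/Jun/2002:10:02:11 +0000] "GET /about.html HTTP/1.0" 200 870',
    '10.0.0.7 - - [22/Jun/2002:10:02:40 +0000] "GET /news/2002/06.html HTTP/1.0" 200 4021',
    '10.0.0.9 - - [22/Jun/2002:10:03:05 +0000] "GET /contact.html HTTP/1.0" 200 655',
    '10.0.0.9 - - [22/Jun/2002:10:03:09 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.11 - - [22/Jun/2002:10:04:00 +0000] "GET /images/bg.gif HTTP/1.0" 200 512',
    '10.0.0.11 - - [22/Jun/2002:10:04:21 +0000] "GET /docs/faq.html HTTP/1.0" 200 1980',
]

FEATURE_NAMES = ("path_len", "depth", "nonalnum", "status_err")
MIN_SPREAD = 0.25  # assumed floor so a feature constant in the baseline still scores


def parse(line):
    """Return the captured fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def featurize(rec):
    """Map one parsed request to a numeric feature vector (assumed feature set)."""
    target = rec["target"]
    odd = sum(1 for ch in target if not ch.isalnum() and ch not in "/._-")
    return (
        float(len(target)),                         # request target length
        float(target.count("/")),                   # directory depth
        float(odd),                                 # unusual characters
        1.0 if int(rec["status"]) >= 400 else 0.0,  # error status flag
    )


class CentroidModel:
    """One-cluster baseline: centroid plus per-feature spread (population std)."""

    def __init__(self, vectors):
        n = len(vectors)
        dims = range(len(FEATURE_NAMES))
        self.mean = [sum(v[i] for v in vectors) / n for i in dims]
        self.spread = [
            max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / n),
                MIN_SPREAD)
            for i in dims
        ]

    def contributions(self, vec):
        """Per-feature normalised deviation from the centroid (the 'why')."""
        return {name: abs(vec[i] - self.mean[i]) / self.spread[i]
                for i, name in enumerate(FEATURE_NAMES)}

    def score(self, vec):
        """Euclidean distance in normalised feature space (the 'how much')."""
        return math.sqrt(sum(c * c for c in self.contributions(vec).values()))


def train(lines):
    """Build the baseline model from parseable log lines."""
    return CentroidModel([featurize(r) for r in map(parse, lines) if r])


def explain(model, line):
    """Score one line and name the feature that contributes most."""
    rec = parse(line)
    if rec is None:
        return None
    vec = featurize(rec)
    contrib = model.contributions(vec)
    return {"ip": rec["ip"], "target": rec["target"], "score": model.score(vec),
            "top_feature": max(contrib, key=contrib.get), "contributions": contrib}


def detect(model, lines, threshold=3.0):
    """Return explained alerts for every line scoring above the threshold."""
    alerts = [explain(model, line) for line in lines]
    return [a for a in alerts if a is not None and a["score"] > threshold]


if __name__ == "__main__":
    model = train(BASELINE_LINES)
    new_lines = BASELINE_LINES + [
        '10.0.0.23 - - [22/Jun/2002:11:00:00 +0000] "GET /nonexistent.html HTTP/1.0" 404 301',
        '10.0.0.23 - - [22/Jun/2002:11:00:04 +0000] "GET /search?q=a%20b%20c&sort=desc&page=2 HTTP/1.0" 200 1500',
    ]
    for a in detect(model, new_lines):
        print(f'ALERT {a["ip"]} {a["target"]} score={a["score"]:.2f} reason={a["top_feature"]}')
```

Replacing the single centroid with several (plain k-means over the same feature vectors) and scoring against the nearest one is the natural next step, and the per-feature contribution dictionary is what keeps the output interpretable either way: the score says how far a request sits from normal, the top feature says along which axis.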
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 11:28:16 PDT