Firewall Wizards mailing list archives

Re: Will data security technology benefit from Homeland Security?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 16 Jun 2002 16:04:55 -0400

Rick Smith at Secure Computing wrote:
1) Has anyone explored the use of neural nets for IDSes?

Answer: yes. Personally, I haven't been following IDS work very closely the past few
years, but R&D people have definitely looked at it. I wouldn't even be surprised if a
vendor or two claim to use some form of neural nets in their products.

Everyone tries it at least once, I think. Neural nets are a common starting point
for IDS research. They don't work very well, for lots of reasons.

Mostly, it's because a neural net can't _explain_ anything. In fact, all of the
mathematical approaches for IDS I've seen appear to share this problem. So
after you've trained your 'net to recognize "normal" (which, in itself, is a hellaciously
difficult problem) it might detect a deviation from the norm but it can't tell you
anything about the meaning of the deviation. In fact, NNs mostly give you a
value that is so reduced to bare-bones that it's basically a "normal"/"not normal"
decision - figuring out what's not normal is the first step. Then, figuring out
what that _means_ is another big problem.

There's some interesting-seeming research in NNs for IDS that periodically
gets published but if you read between the lines you'll see lots of preprocessing,
postprocessing, tuning, and targeting of data sets. In other words, the results
are predictable because the inputs are controlled carefully. I'm not very impressed
at all with most of the mathematical approaches I've seen to IDS so far - and I've
seen more than my share of them.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

