Honeypots mailing list archives
Re: deploying honeypots...
From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Aug 2005 12:24:51 -0400
On Mon, 22 Aug 2005 15:03:04 +0200, Damiano Bolzoni said:

> cyb3rh3b () kecoak or id wrote:
> > neural network will take an action needed from traffic it read and decide if
> > that new traffic is dangerous to the system; if so then it will disconnect the connection (well... it's one of the actions that will be taken).
>
> Well, I think that you're going to re-connect your system often :) IMHO, using only a neural network to detect intrusion (that's it, you want to recognize an intrusion attempt) will frequently detect false positive events. Maybe this situation doesn't matter for you.
The part I was wondering about was what he was planning to use as a learning function - neural networks only make sense if you have feedback telling it if the previous decision was correct or not. Also, looking at some random packet, you really can't judge if it's legitimate traffic or not unless you have some understanding of the protocol.

Now imagine: You train the neural net by feeding it 5 million random web pages that contain javascript, and for each page you only give it a hint "Hinky" or "Not Hinky". Although you can get pretty fast convergence for computer vision if it's being told "cube", "sphere", or "torus", it's going to take a *long* time for that net to learn which %90%90 encodings and document.foo references are hinky and which are legitimate.

And *how* do you recognize a buffer overflow when the protocol spec says some given ascii string can be 1024 bytes long, the programmer only provides 256 bytes of buffer, and the attacker has crafted an all-ascii exploit string? Not that it's *impossible* for it to work - but I see some basic innate difficulties in this approach.
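The 1024-vs-256 scenario above, as an added example that is not part of the thread: a content-only byte heuristic stands in for the proposed classifier, beside a check that knows the implementation's buffer size. The samples, the field size constants and the 5% threshold are constructed assumptions for illustration.

```python
# Added example (not from the thread): content-only heuristic vs. protocol-aware check.
SPEC_MAX_FIELD = 1024   # what the protocol spec allows (the thread's scenario)
IMPL_BUFFER = 256       # what the hypothetical implementation actually reserves


def non_printable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII: a crude 'looks hinky' content signal."""
    if not data:
        return 0.0
    return sum(1 for b in data if not 32 <= b < 127) / len(data)


def content_detector(data: bytes, threshold: float = 0.05) -> bool:
    """Content-only verdict: no notion of the protocol, just byte statistics."""
    return non_printable_ratio(data) > threshold


def protocol_detector(data: bytes, buffer_len: int = IMPL_BUFFER) -> bool:
    """Protocol-aware verdict: a field that is spec-legal but overruns the known buffer."""
    return len(data) > buffer_len


def classify(data: bytes) -> dict:
    """Return both verdicts so the two approaches can be compared side by side."""
    return {"content": content_detector(data), "protocol": protocol_detector(data)}


# Constructed sample field values (not captured traffic).
SAMPLES = {
    "short_legit": b"user=alice",                 # neither detector fires
    "x90_filler": b"\x90" * 300,                  # non-printable bytes: content signal fires
    "long_all_ascii": b"A" * SPEC_MAX_FIELD,      # spec-legal, all printable: only the
                                                  # buffer-aware check notices the overrun
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(data))
```

The all-ASCII 1024-byte field is statistically unremarkable, so only the check that knows the 256-byte buffer flags it; that knowledge has to come from the protocol and implementation, not from byte statistics alone.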