RE: Neural Net based Host/Application Anomaly detection systems

From: Jackie Chan (blue0ne@bello.digitz.org)
Date: 02/21/02


Date: Thu, 21 Feb 2002 08:16:46 -0500 (EST)
From: Jackie Chan <blue0ne@bello.digitz.org>
To: PuilingLam <puilinglam@hotmail.com>

It seems to me that in a true experiment, you wouldn't set out to prove
that one method is x% more effective than another. You would perform an
experiment in order to find out if one is more effective than another,
and over many experiments of the same kind derive an average.

-blue0ne

On Wed, 20 Feb 2002, PuilingLam wrote:

> Hi, All,
>
> I'm working on the project which is the same as your analysis engine. My
> approach is using a Neural Network for IDS prediction. I have already
> captured a lot of TCP traffic from the network. However, I do not know how
> to utilize these data. Could you guide me on how to train the network and
> how you performed the experiment to prove it is 10-20% more effective than
> pattern matching?
>
> Regards,
> George
>
> -----Original Message-----
> From: husmousa [mailto:husmousa@aucegypt.edu]
> Sent: Monday, February 18, 2002 3:41 AM
> To: focus-ids@securityfocus.com
> Subject: Neural Net based Host/Application Anomaly detection systems
>
> Hi All,
>
> As part of a 1 year graduation project we (a team of 4 CSCI graduates)
> developed an application based anomaly detection system. By application
> based I mean we focused on securing certain applications (in our case
> Apache and proftp). The reason we chose this approach was due to the
> analysis mode we used. Our analysis engine was based on a neural network
> which simply tries to "categorize" access requests in clusters. These
> clusters have been previously trained using lots and lots of log entries
> that have been grouped into categories (for example, normal, buffer
> overflow, cgi abuse, ...).
>
> So far nothing new. The promise of this system though is that it has
> potential to detect previously unseen attacks. In fact in our limited lab
> tests we have isolated some logs and used them later to test our system
> (without being previously used in training). This can approximately mimic
> the real world case of new and modified attacks being used against IDS
> systems that can only detect known threats. Our initial results were
> impressive.
>
> Of course our system will never ever ever replace traditional
> signature/rule based IDS systems (such as snort, realsecure, etc...) but
> it can effectively add a good 10-20% of coverage power specifically
> against brand new attacks.
>
> I was deliberating on our next step. I wasn't so sure about how widely
> such a product would be accepted if offered as an open source standalone
> (or possibly as a plugin to SNORT). We still need to do some work on
> "commercializing" it, basically doing some more training and resolving
> some performance issues.
>
> I hope I can generate a lot of feedback, thoughts, ideas, advice, ten
> cents, two cents about this project
>
> thanks
>
>
>

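As an added illustration, not code from any of the posters: the isolated-log test husmousa describes (hold attack entries out of training, then see whether the trained categoriser still flags them) combined with the repeated-trial averaging blue0ne suggests. The request lines are constructed, the feature extraction is an assumption, and a nearest-centroid classifier stands in for the neural network; the short overflow variant is there to show how a per-trial detection rate can drop and why averaging over many trials matters.

```python
import random
from statistics import mean

# Constructed Apache-style request lines labelled with the post's categories (not real logs).
SAMPLES = [
    ("GET /index.html HTTP/1.0", "normal"),
    ("GET /images/logo.gif HTTP/1.0", "normal"),
    ("GET /docs/manual/intro.html HTTP/1.1", "normal"),
    ("GET /cgi-bin/test-cgi?/* HTTP/1.0", "cgi abuse"),
    ("GET /cgi-bin/view-source?../../../../etc/passwd HTTP/1.0", "cgi abuse"),
    ("GET /cgi-bin/count.cgi?user=../../../etc/passwd HTTP/1.0", "cgi abuse"),
    ("GET /" + "A" * 300 + " HTTP/1.0", "buffer overflow"),
    ("GET /" + "B" * 400 + " HTTP/1.0", "buffer overflow"),
    ("GET /" + "A" * 120 + " HTTP/1.0", "buffer overflow"),  # short variant: expect a miss
]

def features(request):
    """Crude numeric view of the request path: length, odd-character ratio, two flags."""
    path = request.split()[1]
    return (min(len(path), 500) / 500,
            sum(not (c.isalnum() or c in "/._-") for c in path) / len(path),
            float("/cgi-bin/" in path),
            float("?" in path))

def train(entries):
    """One centroid per category: the post's clusters, nearest-centroid standing in for the net."""
    groups = {}
    for req, label in entries:
        groups.setdefault(label, []).append(features(req))
    return {lab: tuple(mean(col) for col in zip(*fs)) for lab, fs in groups.items()}

def classify(model, request):
    f = features(request)
    return min(model, key=lambda lab: sum((a - b) ** 2 for a, b in zip(model[lab], f)))

def holdout_trial(entries, unseen):
    """Hold `unseen` out of training; return (detection rate on attacks, FP rate on normals)."""
    model = train([e for e in entries if e not in unseen])
    hit = [(lab != "normal", classify(model, req) != "normal") for req, lab in unseen]
    rate = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return rate([f for atk, f in hit if atk]), rate([f for atk, f in hit if not atk])

def averaged_rates(entries, trials=20, seed=0):
    """blue0ne's point: repeat the same experiment many times and average the outcome."""
    rng, by_label = random.Random(seed), {}
    for e in entries:
        by_label.setdefault(e[1], []).append(e)
    results = [holdout_trial(entries, [rng.choice(g) for g in by_label.values()])
               for _ in range(trials)]
    return mean(r[0] for r in results), mean(r[1] for r in results)
```

A single trial that happens to hold out the short overflow reports only 50% detection while another reports 100%; only the average over many trials, reported alongside the false-positive rate, says anything about the method.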

