[632] in Intrusion Detection Systems
Re: Question. (Was re:hacker's intro)
daemon@ATHENA.MIT.EDU (Mark Joseph Crosbie)
Sun Feb 25 19:35:02 1996
To: ids@uow.edu.au
In-Reply-To: Your message of "Wed, 21 Feb 1996 21:56:39 +0200."
<199602211956.VAA01488@central.ntua.gr>
Date: Fri, 23 Feb 1996 11:27:20 -0500
From: mcrosbie@cs.purdue.edu (Mark Joseph Crosbie)
Reply-To: ids@uow.edu.au
In message <199602211956.VAA01488@central.ntua.gr>, giorgos adamopoulos writes:
>
>Would you like to have a Prolog-like based rule system that would do
>intrusion detection? I think CLIPS could be a choice if one would
>like to implement such a system. (This is just asking your opinion on
>the Prolog style of programming).
Hi all,
I've been lurking on the list for a while, but this question prompted my
response. I am curious about experiences people have had with expert-system or
rule-based IDS. My reasoning is this: an expert system by definition needs an
"expert" to build it. Installing crack and COPS doesn't make you a security
expert, so where do you find this expertise? If a new intrusion is detected,
do you have to wait for an "expert" to supply you with new rules, or can you
"roll-your-own" rules tailored to your particular site and configuration?
Secondly, can a rule based system capture all the nuances necessary to detect
intrusions? A complete rule-based system would have to encode duration,
sequence and partial ordering over indefinite periods of time. Is there a
system out there that can provide this flexibility and still have a reasonably
useful interface?
Many thanks,
Mark.
>giorgos adamopoulos (el90118@central.ntua.gr)
--------------------------------------------------------------------
Mark Crosbie mcrosbie@cs.purdue.edu
COAST Archive Maintainer security-archive@cs.purdue.edu
COAST Group Tel: (317) 494-9313
Dept. of Computer Sciences Fax: (317) 494-0739
1398 Computer Sciences Building, Purdue University
West Lafayette, IN 47907-1398, USA
URL: http://www.cs.purdue.edu/people/mcrosbie (PGP key available here)
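The message above asks whether a rule-based system can encode duration and sequence. As an added illustration that is not part of the original thread (my own sketch, not code from the poster, CLIPS, or any IDS), the following Python shows one way a rule can say "these event kinds, in this order, for the same user and host, within N seconds" over a constructed audit trail; the rule names, event kinds and timestamps are all made up for the example.

```python
from collections import namedtuple

Event = namedtuple("Event", "t kind user host")  # t: seconds (constructed)

# Constructed sample audit trail, not taken from any real system.
EVENTS = [Event(*r) for r in [
    (0,    "login_fail", "alice", "10.0.0.5"),
    (20,   "login_fail", "alice", "10.0.0.5"),
    (45,   "login_fail", "alice", "10.0.0.5"),
    (70,   "login_ok",   "alice", "10.0.0.5"),
    (100,  "su",         "alice", "10.0.0.5"),
    (1000, "login_fail", "carol", "10.0.0.7"),
    (1010, "login_fail", "carol", "10.0.0.7"),
    (1020, "login_fail", "carol", "10.0.0.7"),
    (1200, "login_ok",   "carol", "10.0.0.7"),  # outside a 120 s window
]]

def match_sequence(events, steps, key, window):
    """Occurrences of `steps` (event kinds, in order) that share a correlation
    key and span at most `window` seconds. One partial match per key."""
    partial = {}   # key -> events matched so far
    hits = []
    for ev in sorted(events, key=lambda e: e.t):
        k = key(ev)
        p = partial.get(k, [])
        if p and ev.t - p[0].t > window:
            p = []                  # duration exceeded: drop the partial match
        if ev.kind == steps[len(p)]:
            p = p + [ev]            # next expected step observed
        # other event kinds neither advance nor break the sequence
        if len(p) == len(steps):
            hits.append(p)
            p = []
        partial[k] = p
    return hits

# rule name -> (ordered event kinds, maximum duration in seconds)
RULES = {
    "bruteforce_then_success": (["login_fail"] * 3 + ["login_ok"], 120),
    "su_soon_after_login":     (["login_ok", "su"], 60),
}

def run_rules(events=EVENTS):
    """Apply every rule, correlating on (user, host); returns alert tuples."""
    alerts = []
    for name, (steps, window) in RULES.items():
        for seq in match_sequence(events, steps, lambda e: (e.user, e.host), window):
            alerts.append((name, seq[0].user, seq[0].host, seq[0].t, seq[-1].t))
    return alerts
```

Widening the window of the first rule to 300 s makes carol's sequence match as well, which is exactly the duration knob the message asks about.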