>This seems like it might be a useful approach to dealing with subtle and/or
>complex attacks, but maybe I've just got sand in my head. In the now-classic
>_Firewalls and Internet Security_, Bill Cheswick and Steve Bellovin pretty
>much write off the usefulness of AI systems in detection. I wasn't able
>to locate any papers exploring the subject, however. Does anyone know
>which AI systems have been considered for use, and why they were discarded?
Have worked extensively with AI (the cows don't mind it a bit) in the past
and always came to the same conclusion: Works fine so long as there is only
a local AI program & it is operated by experts.
The pattern is always the same: everything starts out well but as the program
"learns" new rules/thresholds things begin to drift and false positives/
negatives begin to accumulate. By restricting the ability to make changes,
the drift can be attenuated but not eliminated and in any complex system I've
studied (and if it were not complex, why would you need AI ?) this has
proven true. Elementary Chaos math.
Thus we always wound up back at a rules based expert system rather than AI,
and this was in the Lab. In the field heaven only knows what would have
happened. One project involved automatic test equipment (ATE) and seemed a
natural for AI. Tests would be ordered (not selected, just the order specified)
on the basis of history. Except that within hours we were spotting order
dependancies that were not (in fact could not) have been pre-determined.
Obviously, in a passive monitoring role, such a system would have much
less chance for induced error, however the possibility remains that a skillful
intruder, knowlegable of the system, could train the system in an unintended
manner that, like the AI ATE, could not be predicted with certainty.
Unfortunately, intruders always have more time to study our systems than we
do to protect them. We need to control all access, they need to find just one
opening. Consequently, IMHO, I cannot afford uncertainty in a security system
and AI assumes and requires uncertainty to function.