Australian developer Tier-3's (www.tier-3.com/) intrusion detection software, Huntsman, incorporates four Artificial Intelligence techniques in the detection of attacks; together they mean the product does not rely on attack signatures, a primary vulnerability in traditional virus scanners and intrusion detection software, according to Tier-3 head of development Mike Cullen.
"The way a lot of security detection software works is to match the signature of a hacker...the trouble being that a different class of hacker will change their signature to disguise their behaviour," Cullen told ZDNet Australia.
The combination of components used by Tier-3 builds a series of AI rules that drops potential hacker requests without dependence on signatures, according to Cullen.
The Huntsman suite combines security management with intrusion detection on a single platform. The first AI function, forward chaining, directs intrusion events to the other AI components depending on the source or type of event.
A second AI technique, backward chaining, goes back and checks how these results were arrived at. "This is the key component to our generic overflow detection - which is heavily used to detect malicious buffer overflows," Cullen said.
Another methodology, machine learning, works in conjunction with the other AI components of the software to detect abnormal behaviour on the network. "A clever hacker will try to fit into the normal behaviour curve," Cullen said. "It's not enough to use just one technique on its own to detect this...we use a multiplicity of techniques," he added.
Huntsman also adopts an AI technique called distributed query, which runs queries across a network of systems to see whether a combination of events raises an alarm.
The AI component combination also helps to protect against future mutations, which the use of signatures may not catch, according to Cullen.
"No other systems use Artificial Intelligence in this way. They may use one technique but it's the actual combination of the technology we use that makes it [Huntsman] unique," Cullen said. "These AI rules will distinguish a sequence of things that always occur and raise a red flag."
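The article describes four techniques only at the level of names (forward chaining to route events, backward chaining to trace how a verdict was reached, a learned behaviour profile, and a distributed query that correlates events across hosts). The sketch below is an added illustration of how those ideas fit together in a signature-free detector; it is not Huntsman's code and nothing about Tier-3's actual implementation is assumed. The event format, thresholds, rule names and the sample traffic (addresses 10.0.0.5 and 203.0.113.7, hosts web1 and web2) are all constructed for the example.

```python
"""Signature-free detection sketch (illustrative, not Huntsman's code).

Forward chaining: each event is dispatched to the checks registered for its kind.
Backward chaining: every finding carries the reasoning chain that produced it.
Learned profile: per-source request-length baseline flags outliers.
Distributed query: a source flagged on several hosts raises one alarm.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Event:
    host: str     # sensor/host that observed the request
    src: str      # source address (constructed sample values below)
    kind: str     # event class used for forward-chaining dispatch
    payload: str  # request path/body as observed


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def overflow_suspect(ev: Event, max_len: int = 512, max_run: int = 64) -> bool:
    """Generic overflow heuristic: structural properties, no attack signature."""
    return len(ev.payload) > max_len or longest_run(ev.payload) > max_run


class Baseline:
    """Per-source request-length profile; flags outliers once warmed up."""

    def __init__(self, warmup: int = 5, z_limit: float = 3.0):
        self.sizes = defaultdict(list)
        self.warmup, self.z_limit = warmup, z_limit

    def observe(self, ev: Event) -> bool:
        hist = self.sizes[ev.src]
        anomalous = False
        if len(hist) >= self.warmup:
            sd = pstdev(hist) or 1.0          # avoid division by zero on flat history
            anomalous = (len(ev.payload) - mean(hist)) / sd > self.z_limit
        hist.append(len(ev.payload))          # learn after judging, not before
        return anomalous


class Engine:
    def __init__(self):
        self.baseline = Baseline()
        # forward-chaining table: event kind -> checks to run (hypothetical rule set)
        self.rules = {"http": [self.check_overflow, self.check_baseline]}
        self.findings = []  # (host, src, reasoning chain)

    def check_overflow(self, ev: Event):
        if overflow_suspect(ev):
            return ["generic overflow heuristic",
                    f"len={len(ev.payload)}", f"run={longest_run(ev.payload)}"]
        return None

    def check_baseline(self, ev: Event):
        if self.baseline.observe(ev):
            return ["outside learned length profile for source", ev.src]
        return None

    def process(self, ev: Event):
        """Run every registered check; each hit keeps its chain for later review."""
        out = []
        for rule in self.rules.get(ev.kind, []):
            chain = rule(ev)
            if chain:
                finding = (ev.host, ev.src, chain)
                self.findings.append(finding)
                out.append(finding)
        return out

    def correlate(self, min_hosts: int = 2):
        """Distributed-query style step: same source flagged on several hosts -> alarm."""
        hosts = defaultdict(set)
        for host, src, _ in self.findings:
            hosts[src].add(host)
        return {src for src, hs in hosts.items() if len(hs) >= min_hosts}


# Constructed sample traffic: six ordinary requests, one unusually long one from the
# same source, then an over-long padded request seen by two hosts.
NORMAL = ["/index.html", "/about.html", "/contact.html", "/news.html", "/faq.html", "/help.html"]
SAMPLE_EVENTS = (
    [Event("web1", "10.0.0.5", "http", p) for p in NORMAL]
    + [Event("web1", "10.0.0.5", "http", "/search?q=" + "ab" * 95)]
    + [Event(h, "203.0.113.7", "http", "/cgi?" + "A" * 600) for h in ("web1", "web2")]
)


def run_demo():
    engine = Engine()
    for ev in SAMPLE_EVENTS:
        engine.process(ev)
    return engine, engine.correlate()


if __name__ == "__main__":
    engine, alarms = run_demo()
    for host, src, chain in engine.findings:
        print(host, src, " <- ".join(chain))
    print("correlated alarms:", alarms)
```

The two checks run for every event rather than stopping at the first hit, which is the point of "a multiplicity of techniques": the padded request is caught structurally even though the source has no history, and the 10.0.0.5 request is caught by the profile even though it is well under the length limit. Only the source flagged on both hosts reaches the correlated alarm.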
On the back of the recent blitz by the Code Red and Nimda worms, Tier-3 has released an IIS blocking module that uses these AI techniques, available as a free download from its Web site.