Nov 16 2007
pattern recognition
One time when I was in college, I went to an all-night cartoon festival. Around 6am, after I’d been up for 24 hours straight, I began to see people who weren’t there. Out of the corner of my eye, I’d see a guy walking down the aisle of the theater, but when I’d turn my head, he’d disappear. My doctor had once told me a story of a similar thing happening to him. He’d been riding in a convertible with his friends, with the wind rushing all around them, listening to music on the radio. When they stopped, they realized the radio was off. Each of them had heard a different song playing.
The human brain, when exhausted, tends to find patterns where none exist. Some people are better at resolving patterns than others, and if you are too good at it, you can become psychotic. I’ve counseled a fair number of people in my role as a minister, and the psychotic ones are fascinating to talk to. I think everyone is a bit psychotic, but the brilliant ones tend to come up with stuff that’s straight out of science fiction. One guy convinced himself he was winning a battle against the devil based on what numbers he was throwing on a dartboard. Another guy thought Tom Brokaw was sending him secret messages via the evening news. Another thought that people could hear his thoughts.
Part of my job at Syracuse University is to do Intrusion Analysis. I look at the network traffic going in and out of the university and try to spot hackers, worms, viruses, spam, and other things that mean trouble. Since it’s impossible for me to inspect every bit of information that goes in or out, I use a type of software called an Intrusion Detection System, or IDS. It looks at all of the information coming in and tries to identify patterns that seem dangerous or suspicious.
For things where the rules are well defined, computers do a good job of pattern matching. In spam blocking, for instance, you can combine a technique known as Bayesian analysis with a scoreboard of how well the email obeys the published standards for how email is to be delivered, and get a 97% success rate. Anyone who has trained their copy of Thunderbird knows how effective this combination can be.
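To make the combination concrete, here is an added example (my own illustration, not code from the original post, from Thunderbird or from any real spam filter): a small naive Bayes classifier trained on a constructed six-message corpus, a hypothetical set of header-compliance rules with made-up weights, and one score that blends the two. The third sample message shows why blending matters: sloppy headers alone do not clear the threshold, and a neutral body contributes nothing either way.

```python
import math
import re
from collections import Counter

# Constructed training corpus: six made-up messages, not real mail.
TRAIN = [
    ("spam", "cheap meds online buy now free offer"),
    ("spam", "free offer click now win cash"),
    ("spam", "buy cheap watches free shipping now"),
    ("ham", "meeting agenda for tomorrow attached"),
    ("ham", "can you review the lab report before class"),
    ("ham", "lunch tomorrow at the student center"),
]

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))


class NaiveBayes:
    """Simplified naive Bayes over token presence, with add-one smoothing."""

    def __init__(self, docs):
        self.docs = Counter()                                  # messages per label
        self.present = {"spam": Counter(), "ham": Counter()}   # messages containing each token
        for label, text in docs:
            self.docs[label] += 1
            self.present[label].update(tokenize(text))

    def _log_likelihood(self, label, tokens):
        n = self.docs[label]
        lp = math.log(n / sum(self.docs.values()))             # class prior
        for tok in tokens:
            # P(token seen | label); add-one smoothing so a token seen in
            # neither class cannot zero out the whole product
            lp += math.log((self.present[label][tok] + 1) / (n + 2))
        return lp

    def spam_probability(self, text):
        tokens = tokenize(text)
        ls = self._log_likelihood("spam", tokens)
        lh = self._log_likelihood("ham", tokens)
        return 1.0 / (1.0 + math.exp(lh - ls))                 # spam / (spam + ham)


# Hypothetical delivery-convention checks; names and weights are illustrative,
# not SpamAssassin's or Thunderbird's. Each hit adds to the spam score.
HEADER_RULES = [
    ("MISSING_MESSAGE_ID", 1.5, lambda h: "Message-ID" not in h),
    ("MISSING_DATE", 1.0, lambda h: "Date" not in h),
    ("SUBJECT_ALL_CAPS", 1.0, lambda h: h.get("Subject", "").isupper()),
    ("FROM_NO_DOMAIN", 2.0, lambda h: "@" not in h.get("From", "")),
]


def rule_score(headers):
    hits = [name for name, _, check in HEADER_RULES if check(headers)]
    score = sum(w for name, w, _ in HEADER_RULES if name in hits)
    return score, hits


MODEL = NaiveBayes(TRAIN)


def classify(msg, model=MODEL, bayes_weight=4.0, threshold=3.0):
    """Return (is_spam, combined score, rule hits) for msg = {"headers": {...}, "body": str}."""
    p = model.spam_probability(msg["body"])
    rules, hits = rule_score(msg["headers"])
    # Map P(spam) onto a signed scale: 0.5 -> 0, 1.0 -> +bayes_weight, 0.0 -> -bayes_weight
    score = rules + bayes_weight * (2.0 * p - 1.0)
    return score >= threshold, round(score, 2), hits


# Constructed sample messages.
SPAM_MSG = {"headers": {"From": "deals", "Subject": "FREE OFFER"},
            "body": "free offer buy now cheap meds"}
HAM_MSG = {"headers": {"From": "alice@example.edu", "Date": "Fri, 16 Nov 2007 09:00:00 -0500",
                       "Message-ID": "<1@example.edu>", "Subject": "lunch"},
           "body": "can we move lunch tomorrow to the student center"}
SLOPPY_MSG = {"headers": {"From": "bob@example.edu", "Subject": "hello"},
              "body": "hello"}   # neutral body; two header hits alone stay under the threshold

if __name__ == "__main__":
    for name, m in [("spam", SPAM_MSG), ("ham", HAM_MSG), ("sloppy", SLOPPY_MSG)]:
        print(name, classify(m))
```

With six training messages the token statistics are crude, which is exactly why the header rules are there: they catch the cases the corpus has not yet taught the classifier, and the classifier catches the spam whose headers are perfectly well formed.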
For an IDS, however, the rules are not well defined. They tend to have an extremely poor signal-to-noise ratio. A freshly installed IDS is much like someone who is having a full-on schizophrenic episode. Nearly 100% of what it sees is a figment of its imagination. We’ve been evaluating IDS products for about six months now, since I changed job descriptions this past summer. Each time we begin a new evaluation, I am confronted with screens and screens of nonsense. “Oh my God! Hackers are trying to break into your calendar applications!” “No, you’re imagining things. We don’t run that program. You’re just seeing someone looking at Google Calendar. It’s OK.” “Wait! Holy Cow! Someone is breaking into your copy of Exchange RIGHT NOW!!!” “No, dude, that’s a Linux box. It’s not vulnerable. Relax.”
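The two conversations above are really one tuning rule: an alert only matters if the target could run the product the signature is written for. Here is that rule as an added example (my own illustration, not code from the original post and not from any IDS product): two hypothetical content signatures, a constructed asset inventory, and four constructed packets run through the untuned and the tuned path. The address ranges, host profiles and signature patterns are all made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed campus address range

# Constructed asset inventory: what the tuned IDS knows about its own hosts.
ASSETS = {
    "10.1.2.3": {"os": "linux", "services": {"http", "ssh"}},
    "10.1.2.4": {"os": "windows", "services": {"exchange", "http"}},
}


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    target_service: str   # the product the signature is written for
    pattern: bytes        # hypothetical content match, not a vendor rule


SIGNATURES = [
    Signature(1001, "EXCHANGE web services request", "exchange", b"/ews/exchange.asmx"),
    Signature(1002, "CALENDAR application path", "calendar", b"/calendar/"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed traffic: a user browsing an external calendar site, the same
# Exchange path probed at a Linux box and at the real Exchange server, and a
# probe of a host the inventory has never seen.
PACKETS = [
    Packet("10.1.5.9", "203.0.113.10", b"GET /calendar/render HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.1.2.3", b"POST /ews/exchange.asmx HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.1.2.4", b"POST /ews/exchange.asmx HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.1.9.9", b"GET /calendar/ HTTP/1.1\r\n"),
]


def raw_alerts(packets, sigs=SIGNATURES):
    """Untuned IDS: every content match is an alert."""
    return [(p, s) for p in packets for s in sigs if s.pattern in p.payload]


def relevant(packet, sig, assets=ASSETS):
    """Keep an alert only if the destination could actually run the targeted product."""
    if ipaddress.ip_address(packet.dst) not in INTERNAL:
        return False      # outbound client traffic (someone at Google Calendar), not an attack on us
    asset = assets.get(packet.dst)
    if asset is None:
        return True       # unknown host: keep it; a gap in the inventory is not evidence of safety
    return sig.target_service in asset["services"]


def tuned_alerts(packets, sigs=SIGNATURES, assets=ASSETS):
    return [(p, s) for p, s in raw_alerts(packets, sigs) if relevant(p, s, assets)]


def summarize(alerts):
    return [(s.sid, p.dst) for p, s in alerts]


if __name__ == "__main__":
    print("raw:  ", summarize(raw_alerts(PACKETS)))
    print("tuned:", summarize(tuned_alerts(PACKETS)))
```

The caveat a practitioner will want: the suppression is only as good as the inventory. If a host quietly starts running the product after it was profiled, the tuned path hides a real attack, so in practice the suppressed alerts go to a low-priority queue and the asset profiles are refreshed from observed traffic rather than dropped on the floor and maintained by hand.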
The latest one we’re looking at is Sourcefire 3D. It’s really good at detecting patterns, but most of them are not valid. So, I’ve spent all week playing amateur psychologist to a rack full of psychotic robots, each quivering with fear about how when the clock turns 6:66 Osama bin Laden will succeed with his plan to poison our breakfast cereal and how we can defeat his plan only by adding certain very specific firewall rules. Today the engineers are supposed to show up and help me to perform brain surgery on them. It’ll be nice to have some peace and quiet.