JULY/AUGUST 2003 (Vol. 1, No. 4) p. 5
1540-7993/03/$25.00 © 2003 IEEE

Published by the IEEE Computer Society
Boiling Frogs?
George Cybenko, Editor in Chief
Most of us have heard the boiled-frog story. Drop a frog into a pot of hot water and it jumps out. But if you put the frog into a pot of room-temperature water and gradually apply heat, the frog does not perceive the rising temperature and eventually gets cooked. (This is a good story but apparently scientific experiment does not support it. See www.uga.edu/srel/ecoview11-18-02.htm.)
How much is research and development in the computer security area like the slowly cooking frog? An idea starts out comfortable and promising but over time things heat up and, eventually, the idea gets "cooked." The problem is that inside the pot, things don't seem to change much and only someone on the outside can see the cooking that's going on.
The research equivalent of the boiled frog is the Degenerating Research Program (DRP) concept that science philosopher Imre Lakatos put forward. According to Lakatos, a DRP starts out as a reasonable approach to a knotty problem domain. Over time, additional constructs are introduced to handle exceptions. The research program turns inward, increasingly dealing with problems created by the research program itself, not the outside world. Eventually, a DRP collapses like a house of cards, unable to bear the weight of all the special cases it must handle.
Is intrusion detection system (IDS) research an example of a DRP? IDSs began as a promising paradigm in the 1980s. During the past 15 years, much has been proposed, implemented, tested, and documented. But in the end, aren't today's state-of-the-art IDSs nothing more than Rube Goldberg software machines, pieces cobbled together to handle one special case after another, not really integrated into their operational environments?
The outside observer in this case—someone who sees the frog cooking—might well be the Gartner Group (www.gartner.com). Last month, their Information Security Hype Cycle report declared that intrusion-detection technology will be hard boiled by 2005. The technology has failed to deliver on its promises and the high cost of dealing with false positives and negatives has become prohibitive to many organizations.
Whether this is true or not might be moot at this point, because many corporate IT decision makers will heed Gartner's exclusive reports. The fact is that end-user suspicions about IDS technology may quickly grow into outright disavowals. The word is out.
That DRPs happen at all should not trouble us. They are part of the normal dialectic in scientific revolution as Thomas Kuhn originally proposed in his seminal work, "The Structure of Scientific Revolutions" (University of Chicago Press, 1970). But what is troubling are two aspects of this situation. One is that an outside observer initiated the discussion, not the field's active researchers. This hurts all security researchers' credibility and objectivity because it challenges the methodology and propensity we have for critical thought. (I must note that there have been serious attempts to evaluate IDS performance. The inability to achieve conclusive results might have been an indicator of the DRP phenomenon!)
The other troubling aspect is that there is no obvious heir-apparent research program to replace the IDS paradigm. Relativity theory and quantum mechanics replaced the respective DRPs of their times. Without a new paradigm, there is no revolution in Kuhn's sense, only the collapse of an existing line of investigation. (Paradigms that might replace traditional intrusion detection include DARPA's Intrusion Tolerant Systems and Intrusion Prevention, an approach some IDS vendors are starting to explore.)
Conclusion
To be sure, networked security and privacy are new problem domains. We have to be patient and let our revolutions happen. Nonetheless, I suspect there are some valuable lessons to be learned about how open, self-critical thinking applies to our own field. Is it just me or is it really getting warm in here?