Dark Forest
What if your IDS / IPS fought back?
Update 1: Project Overview
Date of posting: 7 November, 2025
The concept of ICE (intrusion countermeasures electronics) is not particularly new. Originally devised in cyberpunk media, ICE referred to software and hardware systems designed to detect, deter, and even defeat system intruders. At the time of its conception, ICE was largely theoretical, and it remained a fictional concept long after its first appearance in "Neuromancer", by William Gibson. Current security systems are called IDS (intrusion detection systems) or IPS (intrusion prevention systems). These are found everywhere and are purely defensive programs.

Programmers and security experts have toyed with the idea of ICE, but there are no known examples of a security system that actively fights back against intruders. Perhaps this is for good reason, as there are legal and ethical concerns with an IDS / IPS that fights back. These stem from the problem of attribution. How can one be sure that the IP address attacking a system is the attacker? In nearly all cases (except for skiddies), it is not. Attackers very frequently use VPNs, proxies, botnets, and innocent machines to mask their true location and hide their identity. ICE that fights back could easily end up accidentally attacking a random family's home computer or a business server. Regarding the legal side, this is a huge risk to take. There is no self-defense in cyberspace. Retaliatory attacks are just as illegal as the original attack. As such, ICE remains a fictional idea.

I intend to change this. My project, named Dark Forest, will utilize "active defense" when it detects an intruder. What is active defense and how might it be implemented? The program will respond in three different stages that I have denoted as the CWR (Crawl, Walk, Run) cycle. Dark Forest will likely forever remain a proof of concept, as I cannot risk deploying it on a real network (laws...).