Thanks for your suggestion.
About the port-scan, how about this way: pick a few sets of ports randomly
at a certain interval (for instance, 30s) and calculate their access time
differences. If most of the results are less than a certain value (3s), and
the access times are all within the latest interval (current_time-interval ~
current_time), we can report this as a port-scan event which happened in
the last interval.
I have taken a look at UMPA, it's really good work =) I think you mean
that I can use it to sniff packets and analyse the captured packets to
detect intrusions.
I am not quite familiar with statistical analysis. What I have been focused
on is the multi-core architecture and how to accelerate network processing
on it. I'd like to know exactly what functions a personal NIDS should have
so that I can evaluate whether I have the ability to work on this project.
Port-scan detection, DDoS detection, or something else?
Best regards,
--Kay
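An added example (not code from this thread, from Umit or from UMPA) that implements the interval-based heuristic Kay sketches above, which is also one answer to João's quoted question below about spotting a port-scan when the only information is each port's access time. The event tuples, the 30s interval, the 3s gap threshold and the `min_ports` guard are assumptions for illustration.

```python
import random

# Constructed sample data (not real captures): (timestamp_seconds, dst_port)
# observations of inbound connection attempts to a single host.
SCAN_EVENTS = [(100.0 + 0.1 * i, 20 + i) for i in range(20)]      # 20 ports in 2s
NORMAL_EVENTS = [(80.0, 22), (95.0, 80), (110.0, 443), (118.0, 3306)]
OLD_SCAN_EVENTS = [(50.0 + 0.1 * i, 20 + i) for i in range(20)]   # scan long ago


def latest_access(events, now, interval):
    """Most recent access time of each port seen in (now - interval, now]."""
    last = {}
    for ts, port in events:
        if now - interval < ts <= now and ts > last.get(port, float("-inf")):
            last[port] = ts
    return last


def port_scan_suspected(events, now, interval=30.0, sample_size=8,
                        min_ports=5, delta=3.0, majority=0.5, seed=0):
    """Interval heuristic: sample ports touched in the latest interval, sort
    their access times and look at the gaps between neighbours. If most gaps
    are shorter than `delta`, report a port-scan for that interval.
    Returns (suspected, fraction_of_gaps_below_delta)."""
    last = latest_access(events, now, interval)
    if len(last) < min_ports:          # too few distinct ports to judge
        return False, 0.0
    rng = random.Random(seed)          # fixed seed so results are reproducible
    sample = rng.sample(sorted(last), min(sample_size, len(last)))
    times = sorted(last[p] for p in sample)
    gaps = [b - a for a, b in zip(times, times[1:])]
    close = sum(1 for g in gaps if g < delta)
    ratio = close / len(gaps)
    return ratio > majority, ratio


if __name__ == "__main__":
    for name, ev in [("scan", SCAN_EVENTS), ("normal", NORMAL_EVENTS),
                     ("old scan", OLD_SCAN_EVENTS)]:
        flagged, ratio = port_scan_suspected(ev, now=120.0)
        print(f"{name:8s} flagged={flagged} close_gap_ratio={ratio:.2f}")
```

The `min_ports` guard keeps two legitimate connections arriving close together from being reported, which the raw heuristic alone would not prevent.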
On Thu, Mar 24, 2011 at 7:49 PM, [email protected] <[email protected]> wrote:
> Dear Kay,
>
> When I was reading your e-mail I had some ideas that I wish to share
> with you...
>
> On Thu, Mar 24, 2011 at 6:45 AM, Luis A. Bastiao Silva
> <[email protected]> wrote:
> > Hello Kay,
> > On Thu, Mar 24, 2011 at 7:08 AM, Kay <[email protected]> wrote:
> >>
> >> Hi, all
> >> I am a master's student of computer science at the University of Science
> >> and Technology of China and want to participate in GSoC 2011. The focus of
> >> my lab program lies in building parallel NIDS on multi-core platforms, and
> >> based on the lab experiments I built a high-performance parallel HTTP
> >> parser which can achieve at least 5Gbps line rate in a harsh environment.
> >
> > Thanks for introducing yourself. It should be a cool research area, for
> > sure!
>
> It sounds like someone is able to write a possible new Umit application...
> What do you guys think about a personal NIDS (using UMPA)?
>
> >> The HTTP parser I built is aimed at measuring network latencies (matching
> >> the request and response to get the time difference). I am experienced
> >> with C and specialized in network domain knowledge. Frankly speaking, I
> >> know Python a little and only wrote a few small programs with it. But I
> >> think I can learn it quickly and use it in the development.
>
> It seems you are a friend of statistical analysis. So, let me point out one
> idea:
> - Is it possible to tell that my machine is being attacked by a port-scan?
> - Even if the only information I have is the port's access time?
>
> > Indeed. If you already know C, improving your Python will not be an issue.
> >
> >>
> >> So I want to do some work in the network domain and found the "5. Packet
> >> Tracker Platform" suitable for me. The "Jitter based" and
> >> "Deep Packet Inspection: inspect packet contents (e.g. HTTP contents)" are
> >> related to my previous project.
> >
> > Sure. This idea is over the network domain, mainly focused on
> > packet analysis.
> >
> >>
> >> However, I found this idea is not that specific. Maybe because of my lack
> >> of domain knowledge or poor English, I don't quite understand the "Detect
> >> packets with debit (e.g. more/less than 100Kb/s)".
> >>
> >> Can someone give me detailed information about this idea and where I
> >> should begin to learn something or make some contributions now?
> >
> > Yes, of course.
> >
> > Read http://trac.umitproject.org/wiki/PacketManipulator
> > Checkout source of PacketManipulator
> >
> > svn co http://svn.umitproject.org/svnroot/umit/packet-manipulator/trunk
> > PacketManipulator
> >
> > Read http://trac.umitproject.org/wiki/AuditFramework and related links
> >
> > In this idea, it is expected to have real-time statistics depending on the
> > amount of sniffed packets.
> >
> > Packets
> > Multicast/Broadcast packets
> > IPv4/IPv6
> > Bytes
> > Fragments
> > Detect retransmissions/error packets
> > Count of packets by protocol
> > etc.
> >
> > Such information should be presented in the GUI of PacketManipulator (for
> > instance, expand Host Table into the Packet Manipulator GUI).
> > Also, the end-user should be able to configure an alarm/event, e.g. when
> > detecting a specific packet from/to a destination. Such details should be
> > explored in the proposal. More tips:
> >
> > Define a threshold of utilization
> > Define latency threshold
> >
> > Finally, to present a GSoC proposal take a look:
> >
> > http://www.umitproject.org/?active=gsoc&mode=ideas&lang=en
> > http://www.umitproject.org/?active=gsoc&mode=tips&lang=en
> > http://www.google-melange.com/gsoc/org/show/google/gsoc2011/umit
> >
> > I'm looking forward to discussing more details about this proposal. If you
> > have any doubts, do not hesitate to contact us for further details.
> >
> >
> >> Thanks a lot!
> >> --Kay
> >>
> >
> >
> > Best Regards,
> > --
> > Luís A. Bastião Silva
> > Skype: koplabs
> > http://www.bastiao.org
>
> --
> Att, João Medeiros
>
_______________________________________________
Umit-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/umit-devel