I am not quite clear about what functions a personal IDS should have. What
about the following:
1) Port-scan detection (includes lots of types: UDP/SYN/FIN, etc.)
2) SYN-attack detection (can be implemented with a bitmap method I have read
about in a paper)
3) Ping flood detection
4) What the attacker is looking for; I think I need time to study the
regular scan methods and the OS fingerprints so that I can evaluate the
workload.
Frankly speaking, I am a bit confused about what to do in the project. Can
you give some suggestions about it?
Thanks.
--Kay
On Fri, Mar 25, 2011 at 10:06 AM, Luis A. Bastiao Silva
<[email protected]> wrote:
> Hi,
>
> On Fri, Mar 25, 2011 at 1:36 AM, Kay <[email protected]> wrote:
>
>> Thanks for your suggestion.
>>
>> About the port-scan, how about this way: pick a few sets of ports randomly
>> at a certain interval (for instance, 30s) and calculate their access time
>> differences. If most of the results are less than a certain value (3s), and
>> the access times are all within the latest interval (current_time-interval ~
>> current_time), we can report this as a port-scan event which happened in
>> the last interval.
>>
>
> It's a basic approach. Certainly, you're on the right track. Nevertheless,
> there are several papers discussing the subject. I'm going to point out one
> of them:
>
> http://www.aloul.net/Papers/faloul_iwcmc08.pdf
>
> @ignotus21 (João): Do you have any own theory for such feature?
>
>
>>
>> I have taken a look at UMPA; it's really good work =) I think you
>> mean that I can use it to sniff packets and analyse the captured packets to
>> detect intrusions.
>>
>
> Yes, you can also use the Audit Framework. There are several passive audits,
> so the IDS should be a new one. Take a look:
>
> http://trac.umitproject.org/wiki/AuditFramework
> and
> http://trac.umitproject.org/browser/packet-manipulator/trunk/audits <-
> Passive + Active
>
>
>
>
>>
>> I am not quite familiar with statistical analysis. What I have been
>> focused on is the multi-core architecture and how to accelerate network
>> processing on it. I'd like to know exactly what functions a personal NIDS
>> should have so that I can evaluate if I have the ability to work on this
>> project. Port-scan detection, DDoS detection, or something else?
>>
>
> Indeed, it is a good idea.
> Port-scan detection and DDoS have a huge spectrum. For instance, detecting
> malware on networks, software that polls servers, etc.
> It will also be nice to know what the attacker is looking for:
> services/service information/OS fingerprints.
>
>
>>
>> Best regards,
>> --Kay
>>
>>
>>
>> On Thu, Mar 24, 2011 at 7:49 PM, [email protected]
>> <[email protected]> wrote:
>>
>>> Dear Kay,
>>>
>>> When I was reading your e-mail I had some ideas that I wish to share
>>> with you...
>>>
>>> On Thu, Mar 24, 2011 at 6:45 AM, Luis A. Bastiao Silva
>>> <[email protected]> wrote:
>>> > Hello Kay,
>>> > On Thu, Mar 24, 2011 at 7:08 AM, Kay <[email protected]> wrote:
>>> >>
>>> >> Hi, all
>>> >> I am a master's student of computer science at the University of Science
>>> >> and Technology of China and want to participate in GSoC 2011. The focus
>>> >> of my lab program lies in building parallel NIDS on multi-core platforms,
>>> >> and based on the lab experiments I built a high-performance parallel HTTP
>>> >> parser which can achieve at least 5Gbps line rate in a harsh environment.
>>> >
>>> > Thanks for introducing yourself. It should be a cool research area, for
>>> > sure!
>>>
>>> It sounds like someone is able to write a possible new Umit application...
>>> What do you guys think about a personal NIDS (using UMPA)?
>>>
>>> >> The HTTP parser I built is aimed at measuring network latencies (match
>>> >> the request and response to get the time difference). I am experienced
>>> >> with C and specialized in network domain knowledge. Frankly speaking, I
>>> >> know Python a little and have only written a few small programs with it.
>>> >> But I think I can learn it quickly and use it in the development.
>>>
>>> It seems you are a friend of statistical analysis. So, let me point out one
>>> idea:
>>> - Is it possible to detect that my machine is being attacked by a port-scan?
>>> - Even if the only information I have is the ports' access times?
>>>
>>> > Indeed. If you already know C, picking up Python will not be an issue.
>>> >
>>> >>
>>> >> So I want to do some work in the network domain and found the "5. Packet
>>> >> Tracker Platform" suitable for me. The "Jitter based" and
>>> >> "Deep Packet Inspection: inspect packet contents (e.g. HTTP contents)"
>>> >> items are related to my previous project.
>>> >
>>> > Sure. This idea is over the network domain, mainly focusing on
>>> > packet analysis.
>>> >
>>> >>
>>> >> However, I found this idea is not that specific. Maybe because of my lack
>>> >> of domain knowledge or poor English, I don't quite understand the
>>> >> "Detect packets with debit (e.g. more/less than 100Kb/s)" item.
>>> >>
>>> >> Can someone give me detailed information about this idea and where I
>>> >> should begin to learn something or make some contributions now?
>>> >
>>> > Yes, of course.
>>> >
>>> > Read http://trac.umitproject.org/wiki/PacketManipulator
>>> > Check out the source of PacketManipulator:
>>> >
>>> > svn co http://svn.umitproject.org/svnroot/umit/packet-manipulator/trunk PacketManipulator
>>> >
>>> > Read http://trac.umitproject.org/wiki/AuditFramework and related links
>>> >
>>> > In this idea, it is expected to have real-time statistics depending on the
>>> > amount of sniffed packets:
>>> >
>>> > Packets
>>> > Multicast/Broadcast packets
>>> > IPv4/IPv6
>>> > Bytes
>>> > Fragments
>>> > Detect retransmissions/error packets
>>> > Count of packets by protocol
>>> > etc.
>>> >
>>> > Such information should be presented in the GUI of PacketManipulator (for
>>> > instance, expand the Host Table in the Packet Manipulator GUI).
>>> > Also, the end-user should be able to configure an alarm/event, e.g. when
>>> > a specific packet from/to a destination is detected. Such details should
>>> > be explored in the proposal. More tips:
>>> >
>>> > Define a threshold of utilization
>>> > Define a latency threshold
>>> >
>>> > Finally, to present a GSoC proposal take a look:
>>> >
>>> > http://www.umitproject.org/?active=gsoc&mode=ideas&lang=en
>>> > http://www.umitproject.org/?active=gsoc&mode=tips&lang=en
>>> > http://www.google-melange.com/gsoc/org/show/google/gsoc2011/umit
>>> >
>>> > I'm looking forward to discussing more details about this proposal. If
>>> > you have any doubts, do not hesitate to contact us for further details.
>>> >
>>> >
>>> >> Thanks a lot!
>>> >> --Kay
>>> >>
>>> >>
>>> >>
>>> ------------------------------------------------------------------------------
>>> >> Enable your software for Intel(R) Active Management Technology to meet
>>> the
>>> >> growing manageability and security demands of your customers.
>>> Businesses
>>> >> are taking advantage of Intel(R) vPro (TM) technology - will your
>>> software
>>> >> be a part of the solution? Download the Intel(R) Manageability Checker
>>> >> today! http://p.sf.net/sfu/intel-dev2devmar
>>> >> _______________________________________________
>>> >> Umit-devel mailing list
>>> >> [email protected]
>>> >> https://lists.sourceforge.net/lists/listinfo/umit-devel
>>> >>
>>> >
>>> >
>>> > Best Regards,
>>> > --
>>> > Luís A. Bastião Silva
>>> > Skype: koplabs
>>> > http://www.bastiao.org
>>> >
>>> >
>>>
>>> --
>>> Att, João Medeiros
>>>
>>
>>
> If you have any doubts, let us know. I'm looking forward to knowing more
> details about your proposal.
>
>
> Best Regards,
> --
> Luís A. Bastião Silva
> Skype: koplabs
> http://www.bastiao.org
>
>
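Added example, not code from Umit, UMPA or PacketManipulator and not Kay's own implementation: a stand-alone Python sketch of the port-scan heuristic discussed in this thread, which reports a source whose accesses to distinct ports within the last interval are mostly less than a few seconds apart. It also answers João's question of whether the ports' access times alone are enough to see a scan. The Event layout, the thresholds (30 s window, 3 s gap, at least six distinct ports, 70% of gaps fast) and the sample traffic are assumptions made for this example.

```python
"""Sliding-window port-scan detector over per-port access times.

Added example for the Umit-devel thread: not code from Umit, UMPA or
PacketManipulator. The event layout, thresholds and sample traffic are
assumptions made for illustration.
"""
from collections import defaultdict, namedtuple

# One probe as a sniffer would hand it up: timestamp in seconds, source IP,
# destination port, TCP flags as a string ("S" for SYN, "F" for FIN, ...).
Event = namedtuple("Event", "ts src dport flags")

# Constructed sample traffic (not a real capture).
SAMPLE_EVENTS = (
    # 10.0.0.5 walks ports 21..30 with one probe every 0.5 s: a fast SYN scan.
    [Event(100.0 + 0.5 * i, "10.0.0.5", 21 + i, "S") for i in range(10)]
    # 10.0.0.9 is an ordinary client: a handful of connections to 80/443.
    + [Event(101.0, "10.0.0.9", 80, "S"),
       Event(111.0, "10.0.0.9", 443, "S"),
       Event(125.0, "10.0.0.9", 80, "S")]
    # 10.0.0.7 touches many ports but only one every 20 s: a slow scan.
    + [Event(50.0 + 20.0 * i, "10.0.0.7", 1000 + i, "S") for i in range(8)]
)


def port_access_times(events, now, interval):
    """Group probes by source for the window (now - interval, now].

    Returns {src: (first_access_time_per_port, set_of_flags_seen)}.
    """
    first_seen = defaultdict(dict)
    flags_seen = defaultdict(set)
    for e in events:
        if now - interval < e.ts <= now:
            prev = first_seen[e.src].get(e.dport)
            if prev is None or e.ts < prev:
                first_seen[e.src][e.dport] = e.ts
            flags_seen[e.src].add(e.flags)
    return {src: (first_seen[src], flags_seen[src]) for src in first_seen}


def detect_port_scans(events, now, interval=30.0, max_gap=3.0,
                      min_ports=6, fast_fraction=0.7):
    """Report sources whose distinct-port accesses in the last interval are
    mostly closer together than max_gap seconds.

    min_ports keeps a normal client that opens two or three services from
    being reported; fast_fraction is the share of consecutive gaps that must
    fall under max_gap. Both defaults are assumptions for this example.
    """
    alerts = []
    for src, (per_port, flags) in port_access_times(events, now, interval).items():
        # Need at least two ports to have a gap at all, and min_ports to
        # separate a scan from ordinary multi-service use.
        if len(per_port) < max(min_ports, 2):
            continue
        times = sorted(per_port.values())
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        fast = sum(1 for g in gaps if g < max_gap)
        share = fast / len(gaps)
        if share >= fast_fraction:
            alerts.append({
                "src": src,
                "ports": sorted(per_port),
                "probe_flags": sorted(flags),
                "window": (now - interval, now),
                "fast_gap_share": share,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_EVENTS, now=120.0):
        print("port-scan from %s on %d ports (flags %s) in window %s"
              % (a["src"], len(a["ports"]), ",".join(a["probe_flags"]),
                 a["window"]))
```

Run with now=120.0 it reports only 10.0.0.5, the host that walked ports 21..30; the client on 80/443 stays under min_ports. The slow scanner 10.0.0.7 is never reported, even over a 200 s window, because every one of its gaps is 20 s: the time-difference test is a fast-scan detector, and a slow scan needs a separate distinct-port count kept over a much longer window. Keying the same per-source grouping on the probe type (SYN, FIN, UDP) is where the scan-type classification from the list above would hang off.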