Thanks for your information, it is very useful. I will dig into it =)

--Kay


On Fri, Mar 25, 2011 at 9:19 PM, [email protected] <[email protected]> wrote:

> Hi all,
>
> On Thu, Mar 24, 2011 at 11:06 PM, Luis A. Bastiao Silva
> <[email protected]> wrote:
> > Hi,
> >
> > On Fri, Mar 25, 2011 at 1:36 AM, Kay <[email protected]> wrote:
> >>
> >> Thanks for your suggestion.
> >> About the port-scan, how about this way: pick a few sets of ports
> >> randomly at a certain interval (for instance, 30s) and calculate their
> >> access time differences. If most of the results are less than a certain
> >> value (3s), and the access times are all within the latest interval
> >> (current_time-interval ~ current_time), we can report this as an event
> >> of port-scan which happened in the last interval.
>
> That is the way! See this introductory article:
> http://www.phrack.org/issues.html?issue=53&id=13
> I'm waiting to look at your draft proposal.
>
> > It's a basic approach. Certainly, you're on the right track. Nevertheless,
> > there are several papers discussing the subject. I'm going to point out
> > one of them:
> > http://www.aloul.net/Papers/faloul_iwcmc08.pdf
> > @ignotus21 (João): Do you have any theory of your own for such a feature?
>
> I've attached some material related to similar work I did in my
> Reinforcement Learning lessons. Unfortunately it is in Portuguese, but
> the equations and figures are self-explanatory. :)
>
> >> I have taken a look at UMPA, it's really good work =) I think you
> >> mean that I can use it to sniff packets and analyse the captured
> >> packets to detect intrusions.
> >
> > Yes, you can also use the Audit Framework. There are several passive
> > audits, so an IDS should be a new one. Take a look:
> > http://trac.umitproject.org/wiki/AuditFramework
> > and
> > http://trac.umitproject.org/browser/packet-manipulator/trunk/audits <-
> > Passive + Active
> >
> >
> >>
> >> I am not quite familiar with statistical analysis. What I have been
> >> focused on is the multi-core architecture and how to accelerate network
> >> processing on it. I'd like to know exactly what functions a personal
> >> NIDS should have so that I can evaluate if I have the ability to work on
> >> this project. Port-scan detection, DDoS detection, or something else?
> >
> > Indeed, it is a good idea.
> > Port-scan detection and DDoS have a huge spectrum. For instance, detecting
> > malware on networks, software that polls servers, etc.
> > It will also be nice to know what the attacker is looking for:
> > Services/Service Information/OS Fingerprints.
> >
> >>
> >> Best regards,
> >> --Kay
> >>
> >>
> >> On Thu, Mar 24, 2011 at 7:49 PM, [email protected] <[email protected]>
> >> wrote:
> >>>
> >>> Dear Kay,
> >>>
> >>> When I was reading your e-mail I had some ideas that I wish to share
> >>> with you...
> >>>
> >>> On Thu, Mar 24, 2011 at 6:45 AM, Luis A. Bastiao Silva
> >>> <[email protected]> wrote:
> >>> > Hello Kay,
> >>> > On Thu, Mar 24, 2011 at 7:08 AM, Kay <[email protected]> wrote:
> >>> >>
> >>> >> Hi, all
> >>> >> I am a master's student of computer science at the University of
> >>> >> Science and Technology of China and want to participate in GSoC 2011.
> >>> >> The focus of my lab program lies in building parallel NIDS on
> >>> >> multi-core platforms, and based on the lab experiments I built a
> >>> >> high-performance parallel HTTP parser which can achieve at least
> >>> >> 5Gbps line rate in a harsh environment.
> >>> >
> >>> > Thanks for introducing yourself. It should be a cool research area,
> >>> > for sure!
> >>>
> >>> It sounds like someone is able to write a possible new Umit application...
> >>> What do you guys think about a personal NIDS (using UMPA)?
> >>>
> >>> >> The HTTP parser I built is aimed at measuring network latencies
> >>> >> (match the request and response to get the time difference). I am
> >>> >> experienced with C and specialized in network domain knowledge.
> >>> >> Frankly speaking, I know Python a little and have only written a few
> >>> >> small programs with it. But I think I can learn it quickly and use
> >>> >> it in the development.
> >>>
> >>> It seems you are a friend of statistical analysis. So, let me point out
> >>> one idea:
> >>>    - Is it possible to tell that my machine is being attacked by a
> >>>      port-scan?
> >>>    - Even if the only information I have is the ports' access times?
> >>>
> >>> > Indeed. If you already know C, improving your Python will not be an issue.
> >>> >
> >>> >>
> >>> >> So I want to do some work in the network domain and found the
> >>> >> "5. Packet Tracker Platform" suitable for me. The "Jitter based" and
> >>> >> "Deep Packet Inspection: inspect packet contents (e.g. HTTP contents)"
> >>> >> are related to my previous project.
> >>> >
> >>> > Sure. This idea is in the network domain, mainly focused on
> >>> > packet analysis.
> >>> >
> >>> >>
> >>> >> However, I found this idea is not that specific. Maybe because of my
> >>> >> lack of domain knowledge or my poor English, I don't quite understand
> >>> >> the "Detect packets with debit (e.g. more/less than 100Kb/s)".
> >>> >>
> >>> >> Can someone give me detailed information about this idea and where I
> >>> >> should begin to learn something or make some contributions now?
> >>> >
> >>> > Yes, of course.
> >>> >
> >>> > Read http://trac.umitproject.org/wiki/PacketManipulator
> >>> > Check out the source of PacketManipulator:
> >>> >
> >>> > svn co http://svn.umitproject.org/svnroot/umit/packet-manipulator/trunk PacketManipulator
> >>> >
> >>> > Read http://trac.umitproject.org/wiki/AuditFramework and related links
> >>> >
> >>> > In this idea, it is expected to have real-time statistics depending on
> >>> > the amount of sniffed packets.
> >>> >
> >>> > Packets
> >>> > Multicast/Broadcast packets
> >>> > IPv4/IPv6
> >>> > Bytes
> >>> > Fragments
> >>> > Detect retransmissions/error packets
> >>> > Count of packets by protocol
> >>> > etc.
> >>> >
> >>> > Such information should be presented in the GUI of PacketManipulator
> >>> > (for instance, expand Host Table into the Packet Manipulator GUI).
> >>> > Also, the end-user should be able to configure an alarm/event, e.g.
> >>> > when a specific packet from/to a destination is detected. Such details
> >>> > should be explored in the proposal. More tips:
> >>> >
> >>> > Define a threshold of utilization
> >>> > Define a latency threshold
> >>> >
> >>> > Finally, to present a GSoC proposal take a look:
> >>> >
> >>> > http://www.umitproject.org/?active=gsoc&mode=ideas&lang=en
> >>> > http://www.umitproject.org/?active=gsoc&mode=tips&lang=en
> >>> > http://www.google-melange.com/gsoc/org/show/google/gsoc2011/umit
> >>> >
> >>> > I'm looking forward to discussing more details about this proposal.
> >>> > If you have any doubts, do not hesitate to contact us for further
> >>> > details.
> >>> >
> >>> >
> >>> >> Thanks a lot!
> >>> >> --Kay
> >>> >>
> >>> >>
> >>> >>
> >>> >>
> ------------------------------------------------------------------------------
> >>> >> Enable your software for Intel(R) Active Management Technology to
> meet
> >>> >> the
> >>> >> growing manageability and security demands of your customers.
> >>> >> Businesses
> >>> >> are taking advantage of Intel(R) vPro (TM) technology - will your
> >>> >> software
> >>> >> be a part of the solution? Download the Intel(R) Manageability
> Checker
> >>> >> today! http://p.sf.net/sfu/intel-dev2devmar
> >>> >> _______________________________________________
> >>> >> Umit-devel mailing list
> >>> >> [email protected]
> >>> >> https://lists.sourceforge.net/lists/listinfo/umit-devel
> >>> >>
> >>> >
> >>> >
> >>> > Best Regards,
> >>> > --
> >>> > Luís A. Bastião Silva
> >>> > Skype: koplabs
> >>> > http://www.bastiao.org
> >>> >
> >>> >
> >>> >
> ------------------------------------------------------------------------------
> >>> > Enable your software for Intel(R) Active Management Technology to
> meet
> >>> > the
> >>> > growing manageability and security demands of your customers.
> >>> > Businesses
> >>> > are taking advantage of Intel(R) vPro (TM) technology - will your
> >>> > software
> >>> > be a part of the solution? Download the Intel(R) Manageability
> Checker
> >>> > today! http://p.sf.net/sfu/intel-dev2devmar
> >>> > _______________________________________________
> >>> > Umit-devel mailing list
> >>> > [email protected]
> >>> > https://lists.sourceforge.net/lists/listinfo/umit-devel
> >>>
> >>> --
> >>> Att, João Medeiros
> >>
> >
> > If you have any doubts, let us know. I'm looking forward to knowing more
> > details about your proposal.
> >
> > Best Regards,
> > --
> > Luís A. Bastião Silva
> > Skype: koplabs
> > http://www.bastiao.org
> >
>
>
>
> --
> Att, João Medeiros
>
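The port-scan heuristic Kay sketches in the quoted thread (random sets of ports, access time differences under 3s, all inside the latest 30s interval) and the "detect packets with debit (e.g. more/less than 100Kb/s)" threshold from the idea list, written out as an added example. This is not code from the thread, from Umit or from UMPA; it is plain Python over a constructed (timestamp, port, length) event list. The event shape, the thresholds, the majority fraction, the number and size of sampled port sets, and the reading of "100Kb/s" as kilobits per second are all assumptions made for illustration.

```python
"""Port-scan and throughput heuristics built only from per-port access times (added example)."""
import random

INTERVAL = 30.0          # seconds between detector runs (the "certain interval")
MAX_DIFF = 3.0           # accesses closer than this look like consecutive probes of one sweep
SAMPLE_SETS = 5          # random port sets examined per run (assumed value)
SET_SIZE = 4             # ports per sampled set (assumed value)
MAJORITY = 0.6           # fraction of small differences needed to raise an event (assumed)
THRESHOLD_BITS_PER_S = 100_000   # "100Kb/s", read here as kilobits per second (assumption)


def last_access_per_port(events):
    """events: iterable of (timestamp_seconds, dst_port, ...). Keep only the latest
    access time per port; that is all the port-scan detector is allowed to know."""
    last = {}
    for ts, port, *_ in events:
        if port not in last or ts > last[port]:
            last[port] = ts
    return last


def detect_port_scan(last_access, now, interval=INTERVAL, max_diff=MAX_DIFF,
                     sample_sets=SAMPLE_SETS, set_size=SET_SIZE, majority=MAJORITY,
                     rng=None):
    """Return a report dict if the last `interval` seconds look like a port scan, else None.

    Only ports whose last access falls inside [now - interval, now] are considered, so
    every difference examined comes from the latest interval. Random sets of those ports
    are drawn, their access times sorted, and adjacent differences compared with max_diff;
    if most differences are small, the window is reported as a scan."""
    if set_size < 2 or sample_sets < 1:
        raise ValueError("need at least two ports per set and one set")
    rng = rng if rng is not None else random.Random(0)  # fixed seed keeps the example reproducible
    window_start = now - interval
    recent = {p: t for p, t in last_access.items() if window_start <= t <= now}
    if len(recent) < set_size:
        return None  # too few distinct ports touched in the window to say anything
    ports = sorted(recent)
    small = total = 0
    for _ in range(sample_sets):
        times = sorted(recent[p] for p in rng.sample(ports, set_size))
        for earlier, later in zip(times, times[1:]):
            total += 1
            if later - earlier < max_diff:
                small += 1
    ratio = small / total
    if ratio < majority:
        return None
    return {"window": (window_start, now), "ports_touched": len(recent),
            "small_diff_ratio": ratio}


def throughput_alarm(events, now, interval=INTERVAL, threshold=THRESHOLD_BITS_PER_S):
    """The "debit" check: average bits/s over the last interval against a threshold.
    Returns the measured rate when it exceeds the threshold, else None."""
    window_start = now - interval
    total_bytes = sum(length for ts, _port, length in events if window_start < ts <= now)
    bits_per_s = total_bytes * 8 / interval
    return bits_per_s if bits_per_s > threshold else None


def run_checks(events, interval=INTERVAL, **kw):
    """Replay a (timestamp, port, length) stream and run the scan detector once per interval."""
    events = sorted(events)
    reports = []
    now = interval
    while now <= events[-1][0] + interval:
        seen = [e for e in events if e[0] <= now]
        report = detect_port_scan(last_access_per_port(seen), now, interval=interval, **kw)
        if report:
            reports.append(report)
        now += interval
    return reports


# Constructed sample: ordinary traffic, a few services touched over half a minute.
NORMAL_EVENTS = [(2.0, 22, 120), (9.5, 80, 1500), (17.0, 443, 900),
                 (26.0, 80, 1500), (29.5, 8080, 300)]
# Constructed sample: one ordinary access, then ports 1..40 probed 50 ms apart from t=40 (SYN-sized).
SCAN_EVENTS = [(35.0, 443, 900)] + [(40.0 + i * 0.05, port, 60)
                                    for i, port in enumerate(range(1, 41))]
# Constructed sample: a single-port download burst, heavy on bytes but no scan pattern.
BURST_EVENTS = [(50.0 + i * 0.01, 80, 1500) for i in range(400)]

if __name__ == "__main__":
    print("normal scan reports:", run_checks(NORMAL_EVENTS))
    print("scan reports:       ", run_checks(SCAN_EVENTS))
    print("burst rate alarm:   ", throughput_alarm(BURST_EVENTS, now=60.0))
```

Two caveats a practitioner would want before trusting this as an IDS signal: a slow scan whose probes are spaced wider than max_diff produces no small differences and slips through entirely, and a legitimate client that opens several services within a second or two (DNS, HTTP, HTTPS) can produce enough small differences to trip the majority test. Keying the timestamps by source address rather than pooling all accesses per port would cut the second kind of false positive; neither change is in the thread's sketch.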
