I was opening the spectrum of the idea. You referred to some experience with
NIDS, and João gave some clues on how you can do that.

On Fri, Mar 25, 2011 at 1:34 PM, Kay <[email protected]> wrote:

> I am not quite clear about what functions a personal IDS should have. What
> about the following:
> 1) Port-scan detection (includes lots of types: UDP/SYN/FIN, etc.),
> 2) SYN-attack detection (can be implemented with a bitmap method I have
> read in a paper)
> 3) Ping flood detection
> 4) What the attacker is looking for; I think I need time to study the
> regular scan methods and the OS fingerprints so that I can evaluate the
> workload
>

> Frankly speaking, I am a bit confused about what to do in the project. Can
> you give some suggestions about it?
>
>
There is indeed a possibility to present a proposal with an IDS for the Umit
Project. The topics that you point out are a good start. And you can check the
material that João has shared with you. :)



> Thanks.
> --Kay
>
>
>
> On Fri, Mar 25, 2011 at 10:06 AM, Luis A. Bastiao Silva <
> [email protected]> wrote:
>
>> Hi,
>>
>> On Fri, Mar 25, 2011 at 1:36 AM, Kay <[email protected]> wrote:
>>
>>> Thanks for your suggestion.
>>>
>>> About the port-scan, how about this way: pick a few sets of ports
>>> randomly at a certain interval (for instance, 30s) and calculate their
>>> access time differences. If most of the results are less than a certain
>>> value (3s), and the access times are all within the latest interval
>>> (current_time-interval ~ current_time), we can report this as an event of
>>> port-scan which happened in the last interval.
>>>
>>
>> It's a basic approach. Certainly, you're on the right track. Nevertheless,
>> there are several papers discussing the subject. I'm going to point out one
>> of them:
>>
>>  http://www.aloul.net/Papers/faloul_iwcmc08.pdf
>>
>> @ignotus21 (João): Do you have any theory of your own for such a feature?
>>
>>
>>>
>>> I have taken a look at UMPA; it's really good work =) I think you
>>> mean that I can use it to sniff packets and analyze the captured packets to
>>> detect intrusions.
>>>
>>
>> Yes, you can also use the Audit Framework. There are several passive audits,
>> so the IDS should be a new one. Take a look:
>>
>> http://trac.umitproject.org/wiki/AuditFramework
>> and
>> http://trac.umitproject.org/browser/packet-manipulator/trunk/audits <-
>> Passive + Active
>>
>>
>>
>>
>>>
>>> I am not quite familiar with statistical analysis. What I have been
>>> focused on is the multi-core architecture and how to accelerate network
>>> processing on it. I'd like to know exactly what functions a personal NIDS
>>> should have so that I can evaluate whether I have the ability to work on this
>>> project. Port-scan detection, DDoS detection, or something else?
>>>
>>
>> Indeed, it is a good idea.
>> Port-scan detection and DDoS have a huge spectrum. For instance, detecting
>> malware on networks, software that polls servers, etc.
>> It will also be nice to know what the attacker is looking for:
>> Services/Service information/OS fingerprints.
>>
>>
>>>
>>> Best regards,
>>> --Kay
>>>
>>>
>>>
>>> On Thu, Mar 24, 2011 at 7:49 PM, [email protected] <
>>> [email protected]> wrote:
>>>
>>>> Dear Kay,
>>>>
>>>> When I was reading your e-mail I had some ideas that I wish to share
>>>> with you...
>>>>
>>>> On Thu, Mar 24, 2011 at 6:45 AM, Luis A. Bastiao Silva
>>>> <[email protected]> wrote:
>>>> > Hello Kay,
>>>> > On Thu, Mar 24, 2011 at 7:08 AM, Kay <[email protected]> wrote:
>>>> >>
>>>> >> Hi, all
>>>> >> I am a master's student of computer science at the University of Science
>>>> >> and Technology of China and want to participate in GSoC 2011. The focus
>>>> >> of my lab program lies in building parallel NIDS on multi-core platforms,
>>>> >> and based on the lab experiments I built a high-performance parallel HTTP
>>>> >> parser which can achieve at least 5Gbps line rate in a harsh environment.
>>>> >
>>>> > Thanks for introducing yourself. It should be a cool research area, for
>>>> > sure!
>>>>
>>>> It sounds like someone is able to write a possible new Umit application...
>>>> What do you guys think about a personal NIDS (using UMPA)?
>>>>
>>>> >> The HTTP parser I built is aimed at measuring network latencies (match
>>>> >> the request and response to get the time difference). I am experienced
>>>> >> with C and specialized in network domain knowledge. Frankly speaking, I
>>>> >> know Python a little and have only written a few small programs with it.
>>>> >> But I think I can learn it quickly and use it in the development.
>>>>
>>>> It seems you are a friend of statistical analysis. So, let me point out
>>>> one idea:
>>>>    - Is it possible to tell that my machine is being attacked by a port-scan?
>>>>    - Even if the only information I have is the port's access time?
>>>>
>>>> > Indeed. If you already know C, enhancing Python will not be an issue.
>>>> >
>>>> >>
>>>> >> So I want to do some work in the network domain and found the "5. Packet
>>>> >> Tracker Platform" suitable for me. The "Jitter based" and
>>>> >> "Dipacket Inspection: inspect packet contents (e.g. HTTP contents)"
>>>> >> are related to my previous project.
>>>> >
>>>> > Sure. This idea is over the network domain, mainly focused on
>>>> > packet analysis.
>>>> >
>>>> >>
>>>> >> However, I found this idea is not that specific. Maybe because of my
>>>> >> lack of domain knowledge or poor English, I don't quite understand the
>>>> >> "Detect packets with debit (e.g. more/less than 100Kb/s)"
>>>> >>
>>>> >> Can someone give me detailed information about this idea and where I
>>>> >> should begin to learn something or make some contributions now?
>>>> >
>>>> > Yes, of course.
>>>> >
>>>> > Read http://trac.umitproject.org/wiki/PacketManipulator
>>>> > Checkout the source of PacketManipulator
>>>> >
>>>> > svn co http://svn.umitproject.org/svnroot/umit/packet-manipulator/trunk PacketManipulator
>>>> >
>>>> > Read http://trac.umitproject.org/wiki/AuditFramework and related
>>>> > links
>>>> >
>>>> > In this idea, it is expected to have real-time statistics depending on the
>>>> > amount of sniffed packets:
>>>> >
>>>> > Packets
>>>> > Multicast/Broadcast packets
>>>> > IPv4/IPv6
>>>> > Bytes
>>>> > Fragments
>>>> > Detect retransmissions/error packets
>>>> > Count of packets by protocol
>>>> > etc.
>>>> >
>>>> > Such information should be presented in the GUI of PacketManipulator (for
>>>> > instance, expand the Host Table into the Packet Manipulator GUI).
>>>> > Also, the end-user should be able to configure an alarm/event, e.g. when
>>>> > a specific packet from/to a destination is detected. Such details should
>>>> > be exploited in the proposal. More tips:
>>>> >
>>>> > Define a threshold of utilization
>>>> > Define a latency threshold
>>>> >
>>>> > Finally, to present a GSoC proposal take a look:
>>>> >
>>>> > http://www.umitproject.org/?active=gsoc&mode=ideas&lang=en
>>>> > http://www.umitproject.org/?active=gsoc&mode=tips&lang=en
>>>> > http://www.google-melange.com/gsoc/org/show/google/gsoc2011/umit
>>>> >
>>>> > I'm looking forward to discussing more details about this proposal. If
>>>> > you have any doubts, do not hesitate to contact us for further details.
>>>> >
>>>> >
>>>> >> Thanks a lot!
>>>> >> --Kay
>>>> >>
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> > Best Regards,
>>>> > --
>>>> > Luís A. Bastião Silva
>>>> > Skype: koplabs
>>>> > http://www.bastiao.org
>>>> >
>>>> >
>>>>
>>>> --
>>>> Att, João Medeiros
>>>>
>>>
>>>
>> If you have any doubts, let us know. I'm looking forward to knowing more details
>> about your proposal.
>>
>>
>> Best Regards,
>> --
>> Luís A. Bastião Silva
>> Skype: koplabs
>> http://www.bastiao.org
>>
>>
>

Keep in touch.

Best Regards,
-- 
Luís A. Bastião Silva
Skype: koplabs
http://www.bastiao.org
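Kay's time-based port-scan heuristic quoted above (sample the ports touched in the last 30s window, report a scan when most of the access-time differences are under 3s), written out as an added example; this is not code from the Umit Project or from any participant in the thread. The event tuples, the sample traffic, the sample size, the majority ratio and the fixed random seed are assumptions.

```python
from random import Random
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[float, int]  # (timestamp in seconds, destination port) seen from one source host

# Constructed sample traffic, not a real capture. BENIGN: a few services touched over
# half a minute. SCAN: 40 consecutive ports probed 0.2 s apart, plus one ordinary hit.
BENIGN: List[Event] = [(1.0, 80), (12.0, 443), (20.0, 80), (25.0, 53), (29.0, 22)]
SCAN: List[Event] = [(40.0 + 0.2 * i, 1000 + i) for i in range(40)] + [(45.0, 80)]


def first_access_times(events: Iterable[Event], now: float, interval: float) -> Dict[int, float]:
    """Earliest access time per distinct port, restricted to the window (now - interval, now]."""
    first_seen: Dict[int, float] = {}
    for ts, port in events:
        if now - interval < ts <= now and ts < first_seen.get(port, float("inf")):
            first_seen[port] = ts
    return first_seen


def detect_port_scan(events: Iterable[Event], now: float, interval: float = 30.0,
                     max_gap: float = 3.0, sample_size: int = 10,
                     majority: float = 0.5, rng: Optional[Random] = None) -> Tuple[bool, float]:
    """Kay's heuristic: randomly sample ports touched in the last `interval` seconds,
    sort their first-access times and flag a scan when more than `majority` of the
    consecutive time differences are below `max_gap`. Returns (is_scan, fast_gap_ratio)."""
    rng = rng or Random(0)  # fixed seed so the sample is reproducible (assumption)
    first_seen = first_access_times(events, now, interval)
    if len(first_seen) < 2:  # a single port yields no time difference to compare
        return False, 0.0
    sample = rng.sample(sorted(first_seen), min(sample_size, len(first_seen)))
    times = sorted(first_seen[p] for p in sample)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    fast = sum(1 for g in gaps if g < max_gap)
    ratio = fast / len(gaps)
    return ratio > majority, ratio


if __name__ == "__main__":
    for label, events, now in (("benign", BENIGN, 30.0), ("scan", SCAN, 70.0)):
        flagged, ratio = detect_port_scan(events, now)
        print(f"{label}: scan={flagged} fast-gap ratio={ratio:.2f}")
```

A probe paced slower than `max_gap`, or spread across several source hosts, will not trip this check, so the window and gap thresholds need tuning per network, and events should be tracked per source host before the check runs.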
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Umit-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/umit-devel
