Hey Robert!

On Nov 16, 2013, at 11:53 AM, Robert Bruce <precious.king...@gmail.com> wrote:

> Hi, hope all of you will be fine and doing your best for the development of
> open source community.
> 
> I want your suggestions and help regarding my project. I am going to start
> my master's thesis in the domain of Cloud Computing.
> I want to develop a Signature Based Distributed Intrusion Detection System
> (DIDS) to detect distributed intrusions in Cloud environment.
> Yes, I intend to deploy it in CloudStack.

First thought: signature-based systems are useless. They're great for 
low-hanging fruit, but anybody who takes the time to craft packets/binaries 
will circumvent it. Or worse, they'll craft packets to set it off and kill 
detection performance while they go about their real attack. For the early 
stages of your project they'll work fine, but architect things so you can swap 
that out for anomaly-based detection (or a mixture).

(Insert rant on signature based AV systems, the amount of money we've paid 
Symantec et al, and the increase - not decrease - in infected systems)

The main thing to consider - you might want to do some correlation on each 
host, but really you need a separate system to correlate between events seen by 
various hosts.

Also - what are you attempting to detect? Network intrusions? System 
intrusions? Public Internet or activity between hosts? Are you looking to work 
in CloudStack's basic network model, advanced with VLANs, or something with 
SDN? Also consider all the event data being generated by ACS itself. 

Plenty of space for you to do research in here, just thinking you might want to 
define things a little more narrowly… also, look around - some of the three-letter 
government agencies are working on big-data analytics, not sure if any of the 
work is public or not yet[1].

John
1: This wasn't meant as a Snowden joke
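As an added example (not part of John's reply, Robert's thesis, or CloudStack), here is a Python sketch of the two architectural points above: each host runs its detectors behind one common interface, so the signature engine can later be swapped for or combined with an anomaly engine, and a separate correlator joins the alerts from all hosts to spot one source touching several of them. Host names, addresses, the signature pattern, the rate limit and the correlation thresholds are constructed values chosen for the demo, not real rules.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    host: str        # host (hypervisor or guest) that observed the event
    ts: float        # timestamp in seconds; values below are constructed
    src: str         # source address of the connection
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Alert:
    host: str
    ts: float
    src: str
    reason: str

# Every detector exposes inspect(Event) -> Optional[Alert], so HostSensor can
# hold any mix of engines and one can be replaced without touching the rest.
class SignatureDetector:
    """Byte-pattern matching: cheap, but only catches what the patterns describe."""
    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures
    def inspect(self, ev: Event) -> Optional[Alert]:
        for name, pattern in self.signatures.items():
            if pattern in ev.payload:
                return Alert(ev.host, ev.ts, ev.src, "signature:" + name)
        return None

class RateAnomalyDetector:
    """Flags a source sending more than `limit` events to this host within
    `window` seconds, regardless of payload content."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.seen: Dict[str, deque] = defaultdict(deque)   # src -> timestamps
    def inspect(self, ev: Event) -> Optional[Alert]:
        q = self.seen[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.limit:
            return Alert(ev.host, ev.ts, ev.src, f"anomaly:rate>{self.limit}")
        return None

class HostSensor:
    """Per-host stage: runs every configured detector over each local event."""
    def __init__(self, host: str, detectors: list):
        self.host, self.detectors = host, list(detectors)
    def process(self, ev: Event) -> List[Alert]:
        return [a for a in (d.inspect(ev) for d in self.detectors) if a is not None]

@dataclass(frozen=True)
class Incident:
    src: str
    hosts: Tuple[str, ...]
    reasons: Tuple[str, ...]

class Correlator:
    """Separate cross-host stage: one source raising alerts on at least
    `min_hosts` distinct hosts within `window` seconds becomes an Incident."""
    def __init__(self, min_hosts: int, window: float):
        self.min_hosts, self.window = min_hosts, window
        self.alerts: Dict[str, List[Alert]] = defaultdict(list)
        self.reported = set()   # (src, hosts) pairs already raised
    def ingest(self, alert: Alert) -> Optional[Incident]:
        recent = [a for a in self.alerts[alert.src] if alert.ts - a.ts <= self.window]
        recent.append(alert)
        self.alerts[alert.src] = recent
        hosts = tuple(sorted({a.host for a in recent}))
        if len(hosts) >= self.min_hosts and (alert.src, hosts) not in self.reported:
            self.reported.add((alert.src, hosts))
            return Incident(alert.src, hosts, tuple(sorted({a.reason for a in recent})))
        return None

def build_sensor(host: str) -> HostSensor:
    # Illustrative signature and rate limit (assumptions for the demo, not real rules).
    return HostSensor(host, [SignatureDetector({"traversal": b"../../"}),
                             RateAnomalyDetector(limit=5, window=2.0)])

def run_demo() -> Tuple[List[Alert], List[Incident]]:
    """Feed constructed events through three host sensors and one correlator."""
    sensors = {h: build_sensor(h) for h in ("host-a", "host-b", "host-c")}
    correlator = Correlator(min_hosts=3, window=10.0)
    events = [Event(h, 100.0 + i, "198.51.100.7", 80, b"GET /../../etc/passwd")
              for i, h in enumerate(sensors)]                   # same probe on every host
    events.append(Event("host-a", 103.0, "203.0.113.9", 80, b"GET /index.html"))  # benign
    events += [Event("host-a", 104.0 + i * 0.2, "203.0.113.50", 443, b"GET /")
               for i in range(6)]                                  # burst on one host only
    alerts, incidents = [], []
    for ev in events:
        for alert in sensors[ev.host].process(ev):   # host-local detection
            alerts.append(alert)
            inc = correlator.ingest(alert)           # cross-host correlation
            if inc is not None:
                incidents.append(inc)
    return alerts, incidents

if __name__ == "__main__":
    print(run_demo()[1])
```

Each host keeps its own detector state, so the burst from 203.0.113.50 is caught by the per-host rate check alone, while the identical probe from 198.51.100.7 produces only one alert per host and is only recognised as a distributed event once the correlator sees it on all three; in a real deployment the correlator would also ingest the management-plane events John mentions.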
