Hey Robert!

On Nov 16, 2013, at 11:53 AM, Robert Bruce <precious.king...@gmail.com> wrote:

> Hi, hope all of you will be fine and doing your best for the development of
> open source community.
>
> I want your suggestions and help regarding my project. I am going to start
> my master's thesis in the domain of Cloud Computing
> I want to develop a Signature Based Distributed Intrusion Detection System
> (DIDS) to detect distributed intrusions in Cloud environment.
> Yes, I intend to deploy it in CloudStack.

First thought: signature-based systems are useless. They're great for low-hanging fruit, but anybody who takes the time to craft packets/binaries will circumvent it. Or worse, they'll craft packets to set it off and kill detection performance while they go about their real attack. For the early stages of your project they'll work fine, but architect things so you can swap that out for anomaly-based detection (or a mixture).

(Insert rant on signature-based AV systems, the amount of money we've paid Symantec et al., and the increase - not decrease - in infected systems.)

The main thing to consider - you might want to do some correlation on each host, but really you need a separate system to correlate between events seen by various hosts.

Also - what are you attempting to detect? Network intrusions? System intrusions? Public Internet or activity between hosts? Are you looking to work in CloudStack's basic network model, advanced with VLANs, or something with SDN? Also consider all the event data being generated by ACS itself.

Plenty of space for you to do research in here, just thinking you might want to define things a little more narrowly. Also, look around - some of the three-letter government agencies are working on big-data analytics, not sure if any of the work is public or not yet [1].

John

1: This wasn't meant as a Snowden joke
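The two architectural points John makes above (make the per-host detector swappable rather than baking in signatures, and put cross-host correlation in a separate stage) can be shown in a small pipeline. This is an added example written for this thread, not code from CloudStack or from either poster. The event format, the detector interface, the byte pattern used as a stand-in signature, the port-scan threshold and the sample events are all constructed for illustration and are not real rules or captured traffic.

```python
"""Pluggable per-host detectors feeding a central cross-host correlator.

Constructed example: Event/Alert formats, thresholds and sample traffic are
assumptions for illustration, not CloudStack data structures or real rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Protocol, Tuple


@dataclass(frozen=True)
class Event:
    host: str       # host (or VM) whose sensor observed the event
    ts: float       # timestamp in seconds
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: bytes  # captured payload bytes


@dataclass(frozen=True)
class Alert:
    detector: str
    host: str
    ts: float
    src: str
    reason: str


class Detector(Protocol):
    """Any object with a name and inspect(); detectors are swapped by passing a different list to HostSensor."""
    name: str
    def inspect(self, ev: Event) -> Optional[Alert]: ...


class SignatureDetector:
    """Byte-pattern match: cheap and precise on known tooling, evaded by anyone who rewrites the payload."""
    name = "signature"

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures

    def inspect(self, ev: Event) -> Optional[Alert]:
        for sig_name, pattern in self.signatures.items():
            if pattern in ev.payload:
                return Alert(self.name, ev.host, ev.ts, ev.src, "matched " + sig_name)
        return None


class PortScanAnomalyDetector:
    """Behavioural rule: one source touching more than max_ports distinct ports within window seconds."""
    name = "anomaly"

    def __init__(self, max_ports: int = 5, window: float = 10.0):
        self.max_ports, self.window = max_ports, window
        self.seen: Dict[str, deque] = defaultdict(deque)  # src -> (ts, dport)

    def inspect(self, ev: Event) -> Optional[Alert]:
        q = self.seen[ev.src]
        q.append((ev.ts, ev.dport))
        while q and ev.ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > self.max_ports:
            return Alert(self.name, ev.host, ev.ts, ev.src, f"{len(ports)} distinct ports in {self.window}s")
        return None


class HostSensor:
    """Per-host stage: runs whatever detectors it was constructed with."""
    def __init__(self, host: str, detectors: List[Detector]):
        self.host, self.detectors = host, detectors

    def observe(self, ev: Event) -> List[Alert]:
        return [a for a in (d.inspect(ev) for d in self.detectors) if a is not None]


class Correlator:
    """Central stage: the same source tripping alerts on min_hosts different hosts within window
    is something no single host sensor can see on its own."""
    def __init__(self, min_hosts: int = 2, window: float = 60.0):
        self.min_hosts, self.window = min_hosts, window
        self.alerts: Dict[str, List[Alert]] = defaultdict(list)  # src -> alerts from all hosts

    def ingest(self, alert: Alert) -> Optional[str]:
        self.alerts[alert.src].append(alert)
        hosts = {a.host for a in self.alerts[alert.src] if alert.ts - a.ts <= self.window}
        if len(hosts) >= self.min_hosts:
            return f"distributed activity from {alert.src} seen on hosts {sorted(hosts)}"
        return None


def run_pipeline(events: List[Event], detector_factory: Callable[[], List[Detector]]) -> Tuple[List[Alert], List[str]]:
    """Feed time-ordered events to per-host sensors, forward every alert to the correlator."""
    sensors: Dict[str, HostSensor] = {}
    corr, alerts, findings = Correlator(), [], []
    for ev in sorted(events, key=lambda e: e.ts):
        sensor = sensors.setdefault(ev.host, HostSensor(ev.host, detector_factory()))
        for alert in sensor.observe(ev):
            alerts.append(alert)
            finding = corr.ingest(alert)
            if finding and finding not in findings:
                findings.append(finding)
    return alerts, findings


SIGNATURES = {"demo-nop-sled": b"\x90" * 8}  # constructed stand-in for a real rule set

def signature_only() -> List[Detector]:
    return [SignatureDetector(SIGNATURES)]

def mixed() -> List[Detector]:
    return [SignatureDetector(SIGNATURES), PortScanAnomalyDetector(max_ports=3, window=10.0)]

SAMPLE_EVENTS = [  # constructed traffic, not a capture
    Event("host-a", 1.0, "10.0.0.99", "10.0.1.5", 80, b"GET / " + b"\x90" * 8),   # known pattern
    Event("host-b", 2.0, "10.0.0.99", "10.0.1.6", 22, b""),                         # same source
    Event("host-b", 2.5, "10.0.0.99", "10.0.1.6", 23, b""),                         # probing ports
    Event("host-b", 3.0, "10.0.0.99", "10.0.1.6", 25, b""),                         # on a second host,
    Event("host-b", 3.5, "10.0.0.99", "10.0.1.6", 80, b""),                         # no signature hit
    Event("host-c", 4.0, "10.0.0.7", "10.0.1.7", 80, b"GET / " + b"\x90\x00" * 4),  # rewritten payload
]

if __name__ == "__main__":
    for factory in (signature_only, mixed):
        a, f = run_pipeline(SAMPLE_EVENTS, factory)
        print(factory.__name__, [x.reason for x in a], f)
```

With signature-only detectors the pipeline sees one local hit on host-a and nothing distributed; with the mixed list the port probing on host-b is flagged by the anomaly detector and the correlator links it to the host-a hit from the same source. The source that rewrote its payload (host-c) is caught by neither, which is the evasion problem John describes.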