Hi,
On Fri, Mar 25, 2011 at 1:36 AM, Kay <[email protected]> wrote:
> Thanks for your suggestion.
>
> About the port-scan, how about this way: pick a few sets of ports randomly
> at a certain interval (for instance, 30s) and calculate their access time
> differences. If most of the results are less than a certain value (3s), and
> the access times are all within the latest interval (current_time - interval ~
> current_time), we can report this as a port-scan event which happened in
> the last interval.
>
It's a basic approach. Certainly, you're on the right track. Nevertheless,
there are several papers discussing the subject. I'm going to point out one
of them:
http://www.aloul.net/Papers/faloul_iwcmc08.pdf
@ignotus21 (João): Do you have any theory of your own for such a feature?
>
> I have taken a look at UMPA; it's really good work =) I think you mean
> that I can use it to sniff packets and analyse the captured packets to
> detect intrusions.
>
Yes, you can also use the Audit Framework. There are several passive audits, so
an IDS should be a new one. Take a look:
http://trac.umitproject.org/wiki/AuditFramework
and
http://trac.umitproject.org/browser/packet-manipulator/trunk/audits <-
Passive + Active
>
> I am not quite familiar with statistical analysis. What I have been
> focusing on is the multi-core architecture and how to accelerate network
> processing on it. I'd like to know exactly what functions a personal NIDS
> should have so that I can evaluate whether I have the ability to work on this
> project. Port-scan detection, DDoS detection, or something else?
>
Indeed, it is a good idea.
Port-scan detection and DDoS detection have a huge spectrum: for instance,
detecting malware on networks, software that polls servers, etc.
It would also be nice to know what the attacker is looking for: services,
service information, OS fingerprints.
>
> Best regards,
> --Kay
>
>
>
> On Thu, Mar 24, 2011 at 7:49 PM, [email protected] <[email protected]> wrote:
>
>> Dear Kay,
>>
>> When I was reading your e-mail I had some ideas that I wish to share
>> with you...
>>
>> On Thu, Mar 24, 2011 at 6:45 AM, Luis A. Bastiao Silva
>> <[email protected]> wrote:
>> > Hello Kay,
>> > On Thu, Mar 24, 2011 at 7:08 AM, Kay <[email protected]> wrote:
>> >>
>> >> Hi, all
>> >> I am a master's student of computer science at the University of Science
>> >> and Technology of China and want to participate in GSoC 2011. The focus
>> >> of my lab program lies in building parallel NIDS on multi-core platforms,
>> >> and based on the lab experiments I built a high-performance parallel HTTP
>> >> parser which can achieve at least 5Gbps line rate in a harsh environment.
>> >
>> > Thanks for introducing yourself. It should be a cool research area, for
>> > sure!
>>
>> It sounds like someone is able to write a possible new Umit application...
>> What do you guys think about a personal NIDS (using UMPA)?
>>
>> >> The HTTP parser I built is aimed at measuring network latencies (matching
>> >> the request and response to get the time difference). I am experienced
>> >> with C and specialized in network domain knowledge. Frankly speaking, I
>> >> know Python a little and have only written a few small programs with it.
>> >> But I think I can learn it quickly and use it in the development.
>>
>> It seems you are a friend of statistical analysis. So, let me point out one
>> idea:
>> - Is it possible to tell that my machine is being attacked by a port-scan?
>> - Even if the only information I have is the ports' access times?
>>
>> > Indeed. If you already know C, improving your Python will not be an issue.
>> >
>> >>
>> >> So I want to do some work in the network domain and found the "5. Packet
>> >> Tracker Platform" idea suitable for me. The "Jitter based" and "Deep Packet
>> >> Inspection: inspect packet contents (e.g. HTTP contents)" items are
>> >> related to my previous project.
>> >
>> > Sure. This idea is in the network domain, mainly focused on
>> > packet analysis.
>> >
>> >>
>> >> However, I found this idea is not that specific. Maybe because of my lack
>> >> of domain knowledge or my poor English, I don't quite understand the
>> >> "Detect packets with debit (e.g. more/less than 100Kb/s)" item.
>> >>
>> >> Can someone give me detailed information about this idea and where I
>> >> should begin to learn something or make some contributions now?
>> >
>> > Yes, of course.
>> >
>> > Read http://trac.umitproject.org/wiki/PacketManipulator
>> > Checkout source of PacketManipulator
>> >
>> > svn co http://svn.umitproject.org/svnroot/umit/packet-manipulator/trunk
>> > PacketManipulator
>> >
>> > Read http://trac.umitproject.org/wiki/AuditFramework and related links
>> >
>> > In this idea, it is expected to have real-time statistics depending on the
>> > amount of sniffed packets.
>> >
>> > Packets
>> > Multicast/Broadcast packets
>> > IPv4/IPv6
>> > Bytes
>> > Fragments
>> > Detect retransmissions/error packets
>> > Count of packets by protocol
>> > etc.
>> >
>> > Such information should be presented in the GUI of PacketManipulator (for
>> > instance, expand the Host Table in the Packet Manipulator GUI).
>> > Also, the end-user should be able to configure an alarm/event, e.g. when
>> > a specific packet from/to a destination is detected. Such details should be
>> > explored in the proposal. More tips:
>> >
>> > Define a threshold of utilization
>> > Define latency threshold
>> >
>> > Finally, to present a GSoC proposal take a look:
>> >
>> > http://www.umitproject.org/?active=gsoc&mode=ideas&lang=en
>> > http://www.umitproject.org/?active=gsoc&mode=tips&lang=en
>> > http://www.google-melange.com/gsoc/org/show/google/gsoc2011/umit
>> >
>> > I'm looking forward to discussing more details about this proposal. If you
>> > have any doubts, do not hesitate to contact us for further details.
>> >
>> >
>> >> Thanks a lot!
>> >> --Kay
>> >>
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> Enable your software for Intel(R) Active Management Technology to meet the
>> >> growing manageability and security demands of your customers. Businesses
>> >> are taking advantage of Intel(R) vPro (TM) technology - will your software
>> >> be a part of the solution? Download the Intel(R) Manageability Checker
>> >> today! http://p.sf.net/sfu/intel-dev2devmar
>> >> _______________________________________________
>> >> Umit-devel mailing list
>> >> [email protected]
>> >> https://lists.sourceforge.net/lists/listinfo/umit-devel
>> >>
>> >
>> >
>> > Best Regards,
>> > --
>> > Luís A. Bastião Silva
>> > Skype: koplabs
>> > http://www.bastiao.org
>> >
>> >
>>
>> --
>> Att, João Medeiros
>>
>
>
If you have any doubts, let us know. I'm looking forward to knowing more details
about your proposal.
Best Regards,
--
Luís A. Bastião Silva
Skype: koplabs
http://www.bastiao.org
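The port-scan heuristic Kay describes at the top of this message (sample some ports every interval, look at their access-time differences, alert when most are under a few seconds and all fall inside the latest interval) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not code from the thread, from Umit or from PacketManipulator. The function names, the (source, port, timestamp) event tuples, the traffic samples and every threshold are assumptions chosen for the example, and the `min_ports` guard is an addition to the proposal as stated. The only input it consumes is the last access time per port, which is the constraint João set.

```python
"""Windowed port-scan heuristic that works only from per-port access times.

Added example for the umit-devel discussion; not Umit/PacketManipulator code.
Event tuples, thresholds and the sample traffic below are assumptions.
"""
import random
from collections import defaultdict


def build_table(events):
    """Fold (src, port, ts) events into {src: {port: last_access_time}}.

    Keeping only the latest access per port limits the state to "the port's
    access time", the one piece of information the thread assumes we have.
    """
    table = defaultdict(dict)
    for src, port, ts in events:
        table[src][port] = max(ts, table[src].get(port, ts))
    return table


def detect_port_scan(table, now, interval=30.0, max_gap=3.0,
                     sample_size=8, min_ports=4, min_fraction=0.8, seed=0):
    """Return one alert per source whose recent port accesses look like a scan.

    Per source: keep accesses inside (now - interval, now], pick a random
    sample of those ports, sort their access times and measure the gaps
    between consecutive accesses.  If at least `min_fraction` of the gaps
    are <= `max_gap` seconds, report a scan for the last interval.
    `min_ports` is an added guard (not in the original proposal): two ports
    touched within 3 s is ordinary client behaviour, not a scan.
    """
    rng = random.Random(seed)  # seeded so a given table gives the same verdict
    alerts = []
    for src, ports in table.items():
        recent = {p: t for p, t in ports.items() if now - interval < t <= now}
        if len(recent) < min_ports:
            continue
        sample = rng.sample(sorted(recent), min(sample_size, len(recent)))
        times = sorted(recent[p] for p in sample)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if not gaps:
            continue
        close = sum(1 for g in gaps if g <= max_gap)
        if close / len(gaps) >= min_fraction:
            alerts.append({
                "src": src,
                "window": (now - interval, now),
                "ports_in_window": len(recent),
                "sampled_ports": sorted(sample),
                "max_sampled_gap": max(gaps),
            })
    return alerts


# Constructed sample traffic (not captured data); timestamps are seconds.
EVENTS = (
    # 10.0.0.9 sweeps 40 ports in two seconds: the case the heuristic targets
    [("10.0.0.9", port, 100.0 + 0.05 * i) for i, port in enumerate(range(20, 60))]
    # 10.0.0.5 is an ordinary client touching three ports over 15 s
    + [("10.0.0.5", 80, 95.0), ("10.0.0.5", 443, 96.0), ("10.0.0.5", 8080, 110.0)]
    # 10.0.0.7 probes one port every 10 s: slower than max_gap, so it is missed
    + [("10.0.0.7", port, 60.0 + 10.0 * i) for i, port in enumerate(range(1000, 1006))]
)


def run_demo(now=120.0):
    """Evaluate the sample traffic for the interval ending at `now`."""
    return detect_port_scan(build_table(EVENTS), now)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run it every `interval` seconds with `now` set to the current time; only the fast sweep from 10.0.0.9 is reported. The third host shows the limit of the timing-only approach: a scanner pacing one probe per 10 s never produces gaps under `max_gap`, so a real detector would pair this check with a count of distinct ports touched over a longer horizon, or with the papers Luís points to above.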