Thereafter, my algorithms and the sfPortscan algorithm from Snort will be tested and statistically analysed. Thereafter, I plan on finalising my write-up and handing in.

In the interim, I have plans to submit papers to several conferences during the course of the year, the first list includes ISSA, RAID, SATNAC, SAICSIT and CISSE (in chronological order of submission dates). I also hope to get a journal article out during the course of the year.

So, onward with 2009…

The presented papers encompassed a wide variety of fields and it was interesting to see this variety and to get an idea of what research occurs in IS. Despite the fact that most of the research was of little interest to me, there are always those little gems which emerge from the conference. Its now time to get back into forward gear and concentrate on getting the next paper out…

Firstly, we drove down on Sunday and had a wonderful relaxed drive. We stopped for lunch at Storms River and then visited the Tsitsikamma Big Tree. We have enjoyed a good social atmosphere with a large group of people from both the CS and IS departments and it has been enjoyable interacting with them all on a social level. As Kevin observed last night: Three generations of Computing Sciences at one table.

The Masters and Doctoral Symposium yesterday was rather rewarding even for those of us who were not participating in it. I took a few things away from it which could be tackled in the Department or actually at Rhodes in general. The following general comments were made:

• Students frequently don’t structure their research objectives (research question) properly.
• Some of the work being conducted was not research in the sense that students are not illustrating what their work is achieving. In particular, a software project is not a research goal.
• Students need to be more articulate about what is their research and what was others research. Here they also need to sell the research.
• Also, it is important in the research to answer the questions WHAT, WHY, HOW and most importantly, the SO WHAT.

My presentation will be rather different as I was not contributing in the M&D, but rather to SAICSIT itself. This means that I am unlikely to get as much feedback from the audience, but also less criticism.

The presentations today were of mixed value to me, but the most interesting was a discussion of high performance scientific computing using the Amazon EC2. It left me with a few ideas.

The conference hotel is reasonable, but not outstanding. Last nights cruise from Knysna to the Featherbed Nature Reserve and supper in the trees was absolutely superb and will be one of the highlights of the conference.

In a previous post I commented on how I almost worked myself to death in pursuit of submitting a half-decent paper to SAICSIT for their 2008 conference. Well, I was fairly happy with the submission that I did make, and so it was very rewarding to have it accepted.

Hannah, Colin and I will be attending SAICSIT later in the year and will get the opportunity to present our work at that forum. What was rewarding for this paper is that not only will it be indexed by the ACM, the comments on the proposed taxonomy were in agreement. This gives some credability to the process that I am currently taking in the development of my Scan-Detection engine.

Here comes October…

Its now completed under its new title, “Towards a Taxonomy of Network Scanning Techniques”

Abstract:

Network scanning is a common reconnaissance activity in network intrusion. Despite this, it’s classifcation remains vague and detection systems in current Network Intrusion Detection Systems are incapable of detecting many forms of scanning traffic.

This paper presents a classifcation of network scanning and illustrates how complex and varied this activity is. The presented classifcation extends previous, well known, definitions of scanning traffic in a manner which refects this complexity.

Conceptually, and practically, it works pretty well, but its layout engine does not always produce something visually appealing, or simple. It tool a wile to discover how to force it to draw nodes in a specific order. It turns out that you connect them with an edge. Sounds silly to add unwanted edges, but you can tell Grahviz that these nodes are invisible. This allows the problem to be solved.

In practice, it still takes forever to do, as it really is a trial and error process. Despite this, it still produces very nice graphics. Unfortunately it cant produce EPS out of the box, but it will create PostScript. If you use the “ps” type (rather than the “ps2″ type) it is a simple matter of running ps2epsi on it.

Abstract:

Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro’s scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro.

This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.

This program allows Universities to obtain VMware software free of charge for research purposes. Of even more interest, it permits publications on this research without prior concent from VMware themselves. This is a major shift from what I was doing last year, and should allow me to redo my work for publishing purposes.

Barry has applied for the program and we should hear back from them within the next week. Read more about the program here.

Abstract

Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner.

Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.

It is also good to receive some feedback on the paper from the reviewers. Most notably, a discussion was given on the lack of discussion over the InetVis image, and the scope of the new work in relation to the related work section. Unfortunately, I feel that one of the reviewers did not consider the paper in the context of a work in progress submission and so not all of the feedback was useful.

Altogether a worthwhile result and so I guess a trip to JHB in July is now required…