Layout with Graphviz

Written by Barns on June 22, 2008 – 9:06 pm

Writing code to draw graphs rather than using a tool such as Visio sounds like a dream come true, but it comes at a price. Graphviz is a nifty tool which does just this. By graphs I mean real graphs: those which have nodes, and edges connecting the nodes together.

Conceptually, and practically, it works pretty well, but its layout engine does not always produce something visually appealing, or simple. It took a while to discover how to force it to draw nodes in a specific order. It turns out that you connect them with an edge. It sounds silly to add unwanted edges, but you can tell Graphviz that these nodes are invisible. This allows the problem to be solved.

In practice, it still takes forever to do, as it really is a trial and error process. Despite this, it still produces very nice graphics. Unfortunately it can't produce EPS out of the box, but it will create PostScript. If you use the "ps" type (rather than the "ps2" type) it is a simple matter of running ps2epsi on it.
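The ordering trick and the PostScript conversion described above, as an added example that is not from the original post. The graph, its node names and the file name `order.dot` are constructed for illustration; the ordering edges are hidden with the `style=invis` attribute.

```dot
// Constructed example: order.dot and every node name here are assumptions.
// Render with the "ps" output type, then convert to EPS:
//   dot -Tps order.dot -o order.ps
//   ps2epsi order.ps order.epsi
digraph order {
    rankdir=TB;
    node [shape=box];

    // Real edges: these are the ones that should appear in the drawing.
    internet -> sensor;
    sensor -> snort;
    sensor -> bro;
    sensor -> logger;

    // Ordering edges: keep the three nodes on one rank and chain them so
    // the layout engine places them left to right as snort, bro, logger.
    // style=invis still reserves the space but draws nothing.
    {
        rank=same;
        snort -> bro -> logger [style=invis];
    }
}
```

Removing the `rank=same` block and re-rendering shows the order the layout engine would have picked on its own.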


Posted in Linux, Masters

ISSA Paper: Camera Ready Submitted

Written by Barns on June 4, 2008 – 12:10 pm

I have now submitted the camera-ready version of the ISSA Paper. It will be published under the title An Evaluation of Scan-Detection Algorithms in Network Intrusion Detection Systems.

Abstract:

Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro’s scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro.

This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.


Posted in Masters, Papers

VMware for Research

Written by Barns on June 4, 2008 – 9:57 am

Yesterday, I was looking at the VMware site with the intention of getting VMware Server 2 (Beta) and possibly getting pricing for Workstation and ESX Server. As all of this revolves around some of my research, I found myself looking at the VMware Academic Program.

This program allows universities to obtain VMware software free of charge for research purposes. Of even more interest, it permits publications on this research without prior consent from VMware themselves. This is a major shift from what I was doing last year, and should allow me to redo my work for publishing purposes.

Barry has applied for the program and we should hear back from them within the next week. Read more about the program here.


Posted in Research

SATNAC WIP Paper

Written by Barns on June 3, 2008 – 2:53 pm

I have submitted my Work In Progress Paper for SATNAC, under the title of An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems.

Abstract

Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner.

Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.


Posted in Masters, Papers

ISSA 2008 Results

Written by Barns on May 26, 2008 – 3:21 pm

As promised, ISSA got back to us today with the result of submissions to this year's conference. My submission was accepted as a work in progress paper. It was submitted as a work in progress paper and so I am more than satisfied with the result.

It is also good to receive some feedback on the paper from the reviewers. Most notably, a discussion was given on the lack of discussion over the InetVis image, and the scope of the new work in relation to the related work section. Unfortunately, I feel that one of the reviewers did not consider the paper in the context of a work in progress submission and so not all of the feedback was useful.

Altogether a worthwhile result and so I guess a trip to JHB in July is now required…


Posted in Papers