Posts Tagged ‘Paper’
2009, An Overview of the Year Ahead
Written by Barns on February 7, 2009 – 1:35 pm
With 2009 already under way, progress is happening in my Masters at a steady pace. With just under six months to go until the end of July, my work is in full swing, with a mixture of writing, algorithmic construction, testing and other activities. Over the next month, most of the development work should be completed. This is, of course, somewhat dependent on my teaching not getting too much in the way.
Thereafter, my algorithms and the sfPortscan algorithm from Snort will be tested and statistically analysed. Thereafter, I plan on finalising my write-up and handing in.
In the interim, I have plans to submit papers to several conferences during the course of the year; the first list includes ISSA, RAID, SATNAC, SAICSIT and CISSE (in chronological order of submission dates). I also hope to get a journal article out during the course of the year.
So, onward with 2009…
Tags: CISSE, ISSA, journal, Paper, SAICSIT, SATNAC, sfportscan, Snort
SAICSIT ’08 – Part Two
Written by Barns on October 9, 2008 – 7:20 am
After a stormy close to the conference, we have now returned and settled in Frontier Country. Overall, this was a very worthwhile experience. The conference closed with my presentation in Stream A and despite the fact that I was not asked any questions, I feel that it was a good presentation. Unfortunately, it was the only paper of its kind at the conference and was tacked onto a stream of IS papers. I know it went over the heads of some people.
The presented papers encompassed a wide variety of fields and it was interesting to see this variety and to get an idea of what research occurs in IS. Despite the fact that most of the research was of little interest to me, there are always those little gems which emerge from the conference. It's now time to get back into forward gear and concentrate on getting the next paper out…
Tags: Paper, SAICSIT
SAICSIT Paper
Written by Barns on August 17, 2008 – 2:13 pm
It has been a while since I commented about anything that I am doing at the moment. This has mainly been because I have been altogether too busy to write anything.
In a previous post I commented on how I almost worked myself to death in pursuit of submitting a half-decent paper to SAICSIT for their 2008 conference. Well, I was fairly happy with the submission that I did make, and so it was very rewarding to have it accepted.
Hannah, Colin and I will be attending SAICSIT later in the year and will get the opportunity to present our work at that forum. What was rewarding for this paper is that not only will it be indexed by the ACM, the comments on the proposed taxonomy were in agreement. This gives some credibility to the process that I am currently taking in the development of my Scan-Detection engine.
Here comes October…
Tags: ACM, Paper, SAICSIT, taxonomy
ISSA Paper: Camera Ready Submitted
Written by Barns on June 4, 2008 – 12:10 pm
I have now submitted the camera-ready version of the ISSA Paper. It will be published under the title An Evaluation of Scan-Detection Algorithms in Network Intrusion Detection Systems.
Abstract:
Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro’s scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro.
This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.
Tags: Bro, ISSA, network intrusion detection systems, Paper, Snort
SATNAC WIP Paper
Written by Barns on June 3, 2008 – 2:53 pm
I have submitted my Work In Progress Paper for SATNAC, under the title of An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems.
Abstract
Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner.
Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.
Tags: Bro, network intrusion detection systems, Paper, SATNAC, Snort