IDS mailing list archives

Re: Looking for a thesis topic in the area of IDS


From: "\"Zow\" Terry Brugger" <zow () acm org>
Date: Mon, 6 Oct 2008 11:39:03 -0700

> Botnet detection is a very hot topic. But it is very difficult to get hold of any network traces for experimentation.
>
> Recently Gu has done the first thesis on Botnet at Georgia Tech.

Yes, botnets have certainly become a lot more interesting than a lot
of the flash worms and the like we were seeing five years ago. A lot
of this is because they avoid detection so that they can keep on doing
their thing. Furthermore, a lot of them act more like trojans than
exploit code (relying on some user interaction), making signature
generation for them more difficult. Incidentally, Gu just started at
Texas A&M -- great guy, really sharp.

My interest is still in network based intrusion detection, and the
biggest problem in this arena is the lack of good datasets to test
from. Furthering this problem is that static datasets are no longer
sufficient for testing, given the rate at which network traffic
changes and how diverse different network segments are. A really
useful research project to this end would be a framework for
generating test datasets which could be tuned to generate different
traffic profiles for different environments. The trick to that is
verifying that the traffic the framework is generating is close enough
to real traffic to be useful: that's the topic of my current research,
and I'd be happy to talk to anyone on that topic at length.

Beyond that, I think an analysis of existing network traffic would be
useful. There is a great deal of debate regarding things such as: how
much network traffic is malicious in nature? How much is benign, but
anomalous? How much malicious traffic is actually anomalous? There are
a number of studies of sources of anomalous network traffic: RFC 2525
is a good start, Floyd and Paxson "Difficulties in modeling the
Internet" and Bellovin's "Packets found on an internet" are others.
Most of these sources are getting somewhat dated, however, so you
might want to consider them guides in defining what is anomalous. A
study that could look at different network segments and attempt to
identify how much traffic was obviously benign (very difficult),
obviously malicious (signature of known malcode, but be careful: maybe
it's a legitimate vulnerability assessment!), and the many shades of
gray in between. The question of what correlation this has to the
"anomalousness" of a stream is prompted by Gates and Taylor,
"Challenging the Anomaly Detection Paradigm: A provocative
discussion", which raises other questions highly worthy of research.

Hope this helps!
Terry
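The verification step mentioned above (checking that a generator's output is close enough to real traffic to be useful) can be made concrete with a distributional comparison. The following is an added example, not part of the post or of any project it names: it takes a reference set of flows and a generated set, builds the empirical distribution of a few per-flow features, and scores each with the Jensen-Shannon divergence. All flow records are constructed sample data, and the feature set and the 0.1 acceptance threshold are assumptions chosen for illustration.

```python
"""Added example (not from the mailing-list post): score how closely a
generated traffic dataset matches a reference traffic profile, feature by
feature, with the Jensen-Shannon divergence. All flows are constructed
sample data; the features and threshold are assumptions."""
import math
from collections import Counter

# Constructed sample flows: (protocol, destination port, byte count).
REFERENCE_FLOWS = [
    ("tcp", 80, 1500), ("tcp", 80, 900), ("tcp", 443, 4200), ("tcp", 443, 3800),
    ("udp", 53, 120), ("udp", 53, 90), ("tcp", 22, 2600), ("tcp", 25, 1100),
]
# A plausible generator run: same protocol mix, slightly different port mix.
GENERATED_FLOWS = [
    ("tcp", 80, 1400), ("tcp", 443, 4100), ("tcp", 443, 3500), ("udp", 53, 110),
    ("udp", 53, 100), ("tcp", 22, 2700), ("tcp", 80, 950), ("tcp", 80, 1050),
]
# A broken generator run: only DNS, nothing like the reference profile.
SKEWED_FLOWS = [("udp", 53, 100)] * 8


def size_bucket(nbytes):
    """Coarse log2 bucket so byte counts form a small discrete distribution."""
    return int(math.log2(max(nbytes, 1)))


def feature_distribution(flows, key):
    """Empirical probability distribution of one feature over the flows."""
    counts = Counter(key(f) for f in flows)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def js_divergence(p, q):
    """Jensen-Shannon divergence in base 2, bounded in [0, 1]; 0 means
    identical distributions, 1 means disjoint support."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(a, b):
        # b[k] > 0 whenever a[k] > 0 because m averages a into itself.
        return sum(a[k] * math.log2(a[k] / b[k]) for k in a if a[k] > 0)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


# Assumed feature set; a real study would add timing, direction, flags, etc.
FEATURES = {
    "protocol": lambda f: f[0],
    "dst_port": lambda f: f[1],
    "size_bucket": lambda f: size_bucket(f[2]),
}


def profile_distance(reference, generated):
    """Per-feature JS divergence between reference and generated traffic."""
    return {
        name: js_divergence(feature_distribution(reference, key),
                            feature_distribution(generated, key))
        for name, key in FEATURES.items()
    }


def is_close_enough(reference, generated, threshold=0.1):
    """Accept the generated dataset only if every feature stays under the
    threshold (assumed value; calibrate it against real segment-to-segment
    variation before relying on it)."""
    distances = profile_distance(reference, generated)
    return all(d <= threshold for d in distances.values())


if __name__ == "__main__":
    for label, flows in (("generated", GENERATED_FLOWS), ("skewed", SKEWED_FLOWS)):
        verdict = "accept" if is_close_enough(REFERENCE_FLOWS, flows) else "reject"
        print(label, profile_distance(REFERENCE_FLOWS, flows), verdict)
```

The per-feature breakdown is the useful part: a single aggregate score hides which aspect of the generator drifted, whereas seeing that protocol and size distributions match but the port mix does not points directly at what to retune.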
