RE: IDS PhD resarch query

["Stuart Staniford" <stuart () nevisnetworks com>]

> Dear all,
>  
> I am intending to pursue my PhD in computer security. 
>  
> Has anyone got any experience in what it takes to do a PhD?

> I need to refine an area of research. There are so many areas 
> and i don't want to pick an area that may get solved while i 
> do my PhD and hence render my work useless. This will always 
> be an issues i guess!

The choice of what to work on is the most critical choice a researcher
makes. 

The bad news is that as a beginning graduate student you won't have enough
knowledge of the field to make good judgements about this (independent of
how smart or creative you are, you just won't have the knowledge base).  If
you try to pick a thesis topic entirely by yourself, or with advice off a
mailing list, your chances of being successful are quite poor.

It is your PhD advisor's task to help you.  Your first step is to find the
best advisor who will take you as a student.  What you want is someone who
has already proven their ability to make creative contributions to intrusion
detection research, and who you personally like enough to feel like you can
work with them for several years.

A very crude metric that is easy to do is go to scholar.google.com and do a
search on "intrusion detection".  People who are authors on multiple papers
with more than a handful of citations are possible candidates to be a decent
advisor.  Top people have many papers, some with hundreds of citations, but
they will generally only take extremely bright and creative students (and
their judgement of a student's potential is likely to be quite good).
You'll have to be the judge of what your level is.

Networking can help.  Professors who you have a good relationship with may
be able to suggest others they know.

Your other main job as a beginning student is to learn the field.  You need
to read as much of the literature (both classic papers and recent trends) as
you can.  Try to read academic papers (scholar.google.com is again a guide
to what has been influential) but also the output of the blackhat community
(Phrack is a good place to start), and security researchers at vendors (eg
the kinds of papers posted on SecurityFocus).  They are three very different
worlds but all of them need to be understood to have a realistic
understanding of intrusion detection.

Stuart.


--------------------------------------------------------------------------
Stop hurting your network!

The NeVO passive vulnerability sensor continuously finds vulnerabilities,
applications and new hosts without the need for network scanning.
It also finds compromised systems with application-based intrusion detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------