Honeypots mailing list archives

Re: im interested in helping honeycomb+honeyd


From: Valdis.Kletnieks () vt edu
Date: Wed, 02 Jun 2004 15:50:37 -0400

On Wed, 02 Jun 2004 08:20:16 PDT, ansiry fsktm <dcneting () yahoo com>  said:

> can you give me some idea where can I look into? I mean
> where can I use my AI in honeyd+honeycomb process..?

The two places that could most use the help:

1) Pattern recognition and data mining - there's a lot to be done in
this field to make volumes of data human-comprehensible.  For
instance, http://www.nersc.gov/security/TheSpinningCube.html leverages
our ability to spot patterns in plotted data - but there's still lots of room
for improvement.  In particular, being able to quickly decide whether a
given cluster of sensor detections is "random statistical noise" or "start
of mass attack" is critical - a DDoS can get to full blast in seconds, and
a worm be on a major burn in minutes...

2) Identifying/classifying a given packet that arrives at a sensor but does NOT
match an obvious attack template.  If it isn't a known exploit with a Snort
signature or other well-known definition, but does look "suspicious", quantify
the "suspicious".

No, I don't have a clue how to do either, or I would have already. :)
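
One simple baseline for the noise-versus-attack decision in item 1, as an added example that is not part of the original post or of honeyd/honeycomb: model background sensor hits as a Poisson process and flag any time window whose count is too improbable under the learned rate. The window size, baseline length, threshold and sample timestamps are assumptions constructed for illustration.

```python
import math
from collections import Counter

def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): chance that background noise alone yields k or more hits."""
    if k <= 0:
        return 1.0
    term = math.exp(-lam)          # P(X = 0)
    cdf = term
    for i in range(1, k):          # accumulate P(X = 1) .. P(X = k-1)
        term *= lam / i
        cdf += term
    return max(0.0, 1.0 - cdf)     # clamp floating-point undershoot

def score_windows(timestamps, window, baseline_windows, alpha=1e-4):
    """Bucket hit timestamps (seconds) into fixed windows, learn the mean rate
    from the first `baseline_windows` buckets, then label each later bucket
    'burst' if its count has probability < alpha under that rate."""
    counts = Counter(int(t // window) for t in timestamps)
    first, last = min(counts), max(counts)
    series = [counts.get(b, 0) for b in range(first, last + 1)]
    # Floor the rate so a silent baseline does not make every hit look like an attack.
    lam = max(sum(series[:baseline_windows]) / baseline_windows, 0.1)
    results = []
    for i in range(baseline_windows, len(series)):
        n = series[i]
        p = poisson_tail(n, lam)
        label = "burst" if p < alpha else "noise"
        results.append(((first + i) * window, n, p, label))
    return lam, results

def sample_hits():
    """Constructed sensor data: hits per 10 s window, ending in a sudden spike."""
    per_window = [2, 1, 3, 2, 2, 1, 3, 2, 4, 25]
    hits = []
    for w, n in enumerate(per_window):
        hits += [w * 10 + (j + 0.5) * 10 / n for j in range(n)]
    return hits

if __name__ == "__main__":
    lam, results = score_windows(sample_hits(), window=10, baseline_windows=6)
    print(f"baseline rate: {lam:.2f} hits/window")
    for start, n, p, label in results:
        print(f"t={start:>3}s hits={n:>2} p={p:.2e} {label}")
```

A fixed Poisson rate ignores diurnal cycles and scanner background drift, so in practice the baseline would be re-estimated over a sliding period.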
