Final Year Project Ideas

["Reena Pau" <rp302 () ecs soton ac uk>]

Hi,
I am currently at southampton uni, uk. I have jst completed my second year
research project on honeypots and how they are contributing to fight against
cyber crime. I would like to develop this project alot further in the third
year for my final year project! I am however stuck for ideas..... I have got
unlimited uni resources (the ecs departemetn is amazing here at southampton
uni)..... so its just a case of getting ideas. I am particularly intrested
in the psychology of hacking...etc

Lance I dont know if this e-mail is for too 'basic'  or inappropriate for
teh forum!

ANY ideas would be fab!!!
Regards
Reena






----- Original Message -----
From: "Dan Hawrylkiw" <idontcheckthisaccount () panira net>
To: "'dcneting'" <ansiry () tm net my>; <focus-virus () securityfocus com>;
<honeypots () securityfocus com>
Sent: Thursday, May 13, 2004 8:28 AM
Subject: RE: any other tool to detect worm?


> The most appropriate answer to your questions depends on 1.)what
> information you want, 2.)how much you're willing to configure
> (preparation), and 3.)the amount of analysis you're willing to put into
> it (sustaining).
>
> For myself:
> 1.) When a new worm hits, I want to know how it gets into the victim,
> what it does to the victim, and how it scans/propagates.  I also want
> network traces and code samples.  Oh yeah- I also want to be notified
> within a couple minutes after this happens. :)
> 2.) I'm willing to do pre-work if it reduces the day-to-day analysis
> required
> 3.) I do everything possible to avoid having to review the same old
> boring noise (scans, probes, and failed exploit attempts) on a daily
> basis.
>
> I'll spare the list from one of my diatribes on signature-based IDS' and
> worms.  By itself, signature based NIDS is hit-and-(usually)miss against
> new worms.  On a typical network, you *can* increase your ability to
> pick up anomalous traffic, but the cost is a substantial increase in
> alerts that must be reviewed.
>
> If NIDS is used to monitor a honeypot, several new options open up.  It
> isn't too difficult to filter out the everyday noise and capture
> everything else.  I monitor my honeypots with SNORT, but I create pass
> rules for everything I don't care about- including scans against closed
> ports, old worm attacks that the honeypot isn't vulnerable to, and
> script kiddie noise.  Everything that isn't filtered will either be
> picked up in the current ruleset or the catchall rules I've configured.
> Basically, my honeypots are monitored by an 'inverse' NIDS that alerts
> on everything except scans and well-known attacks.
>
> As far as honeypots designed to detect or capture new worms; there's
> only one way to go, and that's high-interaction.  The only way to
> emulate an OS' response to an unknown attack is to, --well--, use *the*
> OS!  I prefer to run vulnerable machines in VMware and have the host OS
> perform additional monitoring.  For worm detecting honeypots, I
> typically set up Windows 2000 machines and leave them several months
> behind on patches.  If you're interested in capturing attacks against a
> specific critical update, make sure the honeypot is patched against
> everything but that update.  I usually enable auditing on the honeypot
> and configure the host OS to capture all packets sent to/from the guest
> OS.  I run scripts that parse the monitored traffic and trigger when the
> guest OS starts talking on the network.  (You probably won't want to
> trigger on reset packets, ICMP errors/replies, and responses to simple
> probes.)  After the monitoring script triggers, it shuts down Vmware,
> pages me with the last 2-3 packets, and shuts down the host OS.
>
> Yeah, sure, you can do inline filtering, use HIDS, run tripwire, etc,
> etc.  The point is that NIDS and honeypots work well together.  What I
> mentioned above has been rather successful at detecting new worms, and
> rarely falls prey to hackers playing with the 'latest sploits' before a
> worm is released.
>
> /Dan Hawrylkiw, CISSP, GCIA, RHCE
> Phoenix Area Network Intrusion Research Alliance
>
>   "to have good ideas, you have to have a lot of ideas"
> -Linus Pauling
>
> -----Original Message-----
> From: dcneting [mailto:ansiry () tm net my]
> Sent: Friday, April 30, 2004 5:20 PM
> To: focus-virus () securityfocus com; honeypots () securityfocus com
> Subject: any other tool to detect worm?
>
>
>
>
> ________________________________
>
> From: dcneting [mailto:ansiry () tm net my]
> Sent: Saturday, May 01, 2004 8:18 AM
> To: 'focus-virus () securityfocus com'
> Subject: any other tool to detect worm?
>
>
> is there any tools that i can use to just detect worm-like activity
> besides that using honeyd? if there is, how can i use it to detect
> worms(known and
> unknown) preferably open source platform.