Part of my Master thesis

(@omajiman)
Posts: 12
Active Member
Topic starter
 

Hello Dear!

I am in the process of starting my master thesis in the area of network and system forensics. I am trying to automate the correlation of intrusion evidence from a honeypot and the network, and to carry out intrusion analysis from the logs generated by the honeypot and the network as well as from the network traffic.
I am also trying to provide a mathematical model for the timestamps and timeline generated, to predict the trends of invasion and intrusion, but I do not know which mathematical model to use.
Please, I need your support and experience to do this.
Best regards!

 
Posted : 10/11/2014 12:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… to carry out intrusion analysis from the logs generated by the honeypot and the network as well as from the network traffic.

Which actual kind of data do you have?

I am also trying to provide a mathematical model for the timestamps and timeline generated, to predict the trends of invasion and intrusion, but I do not know which mathematical model to use.

The usual approach is - based on HUGE amounts of data available - to try applying several different models and see which one creates a "pattern" more similar to the actual data.

I don't think there is a "pre-made" specific mathematical model (or if there is one, it would seriously undermine the "research" aspect of the thesis).

I mean, what are the actual "new" findings that you expect or are looking for?

jaclaz

 
Posted : 10/11/2014 4:36 pm
(@omajiman)
Posts: 12
Active Member
Topic starter
 

I mean, what are the actual "new" findings that you expect or are looking for?

I am trying to get the behavior of the timeline (or timestamps) to predict the progress of intrusion, and also a model to synchronize clock time among different log-generating sensors (or devices).

 
Posted : 10/11/2014 10:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am trying to get the behavior of the timeline (or timestamps) to predict the progress of intrusion, and also a model to synchronize clock time among different log-generating sensors (or devices).

Whooosh! (that was the sound of the above just passing way over my head) 😯 .

Can you try explaining in simpler words, or possibly with an example?

Wouldn't *any* internet-connected device be - more or less - NTP time-synchronized to a given NTP server?

jaclaz

 
Posted : 11/11/2014 1:10 am
(@omajiman)
Posts: 12
Active Member
Topic starter
 

What I meant was that since I am collecting evidence from a honeypot and the network, and since it involves both evidence from the network (traffic) and the system (syslog), the clock synchronization might not be similar since some may be UTC or NTP. I am trying to model the clock synchronization of both devices, to check for some variance (backward or forward) in clock time, and to use the timestamp model for predicting the progress of intrusion.

 
Posted : 11/11/2014 8:08 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

What I meant was that since I am collecting evidence from a honeypot and the network, and since it involves both evidence from the network (traffic) and the system (syslog), the clock synchronization might not be similar since some may be UTC or NTP. I am trying to model the clock synchronization of both devices, to check for some variance (backward or forward) in clock time, and to use the timestamp model for predicting the progress of intrusion.

Hmmm.
I don't know.
I still believe that in order to do "proper" transactions the "system" would be synchronized to the NTP time (which actually is UTC); whether records in logs are expressed in UTC, local time or "whatever else" should be just a matter of conversion (like with a different epoch).
Very small time differences (by very small I mean under 1 second or so) are AFAICR "below" the "accuracy" of the most common MS operating systems' NTP synchronization services; at least the good MS guys have a disclaimer about this:
http://support.microsoft.com/kb/939322/en-us

jaclaz

 
Posted : 11/11/2014 4:07 pm
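An added example, not from this thread or either poster, of the two things discussed above: normalising honeypot syslog (local wall-clock time, no zone marker) and network-sensor events (UTC epoch seconds) to one time base, then estimating the honeypot's clock skew (the "backward or forward variance") from events both sources saw, and building a corrected unified timeline. The log lines, sensor records, the honeypot's fixed UTC+1 zone and the log year are all constructed assumptions for the demonstration.

```python
"""Correlate honeypot syslog with a UTC-stamped network sensor and
estimate the honeypot's clock skew. All inputs below are constructed."""
import re
import statistics
from datetime import datetime, timedelta, timezone

# Assumption: the honeypot writes local time in a fixed UTC+1 zone (no
# DST handling here) and, as syslog does, omits the year.
HONEYPOT_TZ = timezone(timedelta(hours=1))
LOG_YEAR = 2014

# Constructed sample syslog lines from the honeypot (documentation IPs).
SYSLOG_LINES = [
    "Nov 11 08:08:17 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Nov 11 08:08:25 honeypot sshd[2203]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "Nov 11 08:09:02 honeypot sshd[2209]: Accepted password for test from 198.51.100.4 port 40112 ssh2",
]
# Constructed sensor records as (epoch_utc, src_ip, event). The sensor is
# NTP-disciplined; the honeypot clock runs roughly 12 s ahead of it.
SENSOR_EVENTS = [
    (1415689685, "203.0.113.7", "ssh_auth_fail"),   # 2014-11-11 07:08:05Z
    (1415689693, "203.0.113.7", "ssh_auth_fail"),   # 2014-11-11 07:08:13Z
    (1415689729, "198.51.100.4", "ssh_auth_ok"),    # 2014-11-11 07:08:49Z
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[]+)\[\d+\]: (?P<msg>.*)$")
MSG_RE = re.compile(r"(Failed|Accepted) password for \S+ from (?P<src>\S+) port")


def parse_syslog(line):
    """Parse one sshd syslog line into an event dict with a UTC timestamp."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=HONEYPOT_TZ)          # attach the assumed local zone
    mm = MSG_RE.search(m["msg"])
    if not mm:
        return None
    kind = "ssh_auth_ok" if mm.group(1) == "Accepted" else "ssh_auth_fail"
    return {"ts": local.astimezone(timezone.utc), "src": mm["src"],
            "event": kind, "source": "syslog"}


def parse_sensor(rec):
    """Epoch seconds are already UTC; just wrap them in an aware datetime."""
    epoch, src, kind = rec
    return {"ts": datetime.fromtimestamp(epoch, tz=timezone.utc),
            "src": src, "event": kind, "source": "sensor"}


def match_pairs(host_events, net_events, max_skew=timedelta(minutes=5)):
    """Pair host and sensor events sharing (src, event) in time order.
    Order-preserving pairing is used rather than nearest-neighbour matching
    because the skew can exceed the gap between consecutive events."""
    pairs = []
    for key in {(e["src"], e["event"]) for e in host_events}:
        hs = sorted((e for e in host_events if (e["src"], e["event"]) == key),
                    key=lambda e: e["ts"])
        ns = sorted((e for e in net_events if (e["src"], e["event"]) == key),
                    key=lambda e: e["ts"])
        for h, n in zip(hs, ns):
            if abs(h["ts"] - n["ts"]) <= max_skew:
                pairs.append((h, n))
    return pairs


def estimate_offset(pairs):
    """Median of (host - sensor); positive means the honeypot clock is ahead."""
    if not pairs:
        raise ValueError("no matched events to estimate skew from")
    deltas = [(h["ts"] - n["ts"]).total_seconds() for h, n in pairs]
    return timedelta(seconds=statistics.median(deltas))


def unified_timeline(syslog_lines, sensor_records):
    """Return (estimated skew, events sorted on the sensor's UTC time base)."""
    host = [e for e in map(parse_syslog, syslog_lines) if e]
    net = [parse_sensor(r) for r in sensor_records]
    offset = estimate_offset(match_pairs(host, net))
    corrected = [dict(e, ts=e["ts"] - offset) for e in host] + net
    corrected.sort(key=lambda e: (e["ts"], e["source"]))
    return offset, corrected


if __name__ == "__main__":
    skew, timeline = unified_timeline(SYSLOG_LINES, SENSOR_EVENTS)
    print(f"honeypot clock skew vs sensor: {skew.total_seconds():+.0f} s")
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["src"], e["event"])
```

The median is used so that a single mis-paired event does not drag the estimate; in a real run you would recompute the skew per time window, since drift between unsynchronised clocks is rarely constant.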