My Master Thesis: Slow Port Scanning with Bro

Abstract

Today’s society relies on computer networks. More and more data of vital importance are transmitted over them each day. Because of that, networks have become an interesting target for attackers, from ordinary criminals to foreign organizations and states. This has forced equipment providers and network administrators to make computer networks more robust. To this end, various countermeasures against cyber attacks are deployed. One of the most commonly used ones is the application of Intrusion Detection Systems (IDS). These systems are capable of classifying network traffic into several categories, according to traffic features determined in advance. The basic classification they perform is into two classes – benign traffic and malicious traffic.

The classification methods that IDS implement differ, but classic pattern/signature matching and statistical parametric decision making are used very often. According to the intrusion detection model, IDS are classified into two categories: misuse detection systems and anomaly detection systems. Misuse detection systems use a database of known attacks and report when they recognize the signatures of known attacks in the incoming traffic. Anomaly detection systems define profiles of normal host/network behavior and report discrepancies from those profiles.

This thesis concentrates on methods for detecting a special kind of reconnaissance activity in computer networks – so-called port scanning, which tries to determine which services are active on a target host. In addition, the scans considered are slow – this means that the time delay between scanning two ports is relatively long, from several minutes to several days. The IDS of particular interest in this context is Bro – an open-source system that detects intrusions by semantic, highly stateful traffic analysis. This system also has advanced protocol detection capabilities. It can be configured to be either a misuse or an anomaly detection system, or even a combination of both at the same time. As such, it has attracted much attention from the scientific community in recent years. The goal of the thesis is to develop a method for slow port scanning detection with Bro and to compare the capabilities of the new method with slow port scanning detection methods applied in other IDS, especially in the presence of noise.
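To make the detection problem in the abstract concrete, here is an added example (my own illustration, not code from the thesis and not a Bro script): a minimal stateful detector that keeps, per source host, the distinct destination ports it has touched within a sliding time window. Run over a constructed connection log in which one host probes a new port every 15 minutes, it shows why a short window misses a slow scan while a longer window catches it. The log format, the hosts and the thresholds are all assumptions for the example.

```python
# Added example (not from the thesis or from Bro): a sliding-window
# distinct-port counter, the simplest stateful slow-scan detector.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection records: "timestamp src dst dst_port".
# 10.0.0.5 probes a new port roughly every 15 minutes (a slow scan);
# 10.0.0.7 is an ordinary client that reuses a couple of ports.
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 192.168.1.10 22
2011-03-01T10:01:00 10.0.0.7 192.168.1.10 80
2011-03-01T10:15:00 10.0.0.5 192.168.1.10 23
2011-03-01T10:20:00 10.0.0.7 192.168.1.10 443
2011-03-01T10:30:00 10.0.0.5 192.168.1.10 25
2011-03-01T10:45:00 10.0.0.5 192.168.1.10 80
2011-03-01T11:00:00 10.0.0.5 192.168.1.10 110
2011-03-01T11:05:00 10.0.0.7 192.168.1.10 80
2011-03-01T11:15:00 10.0.0.5 192.168.1.10 143
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def detect_slow_scans(records, window, threshold):
    """Return {src: first_alert_time} for every source that contacted more than
    `threshold` distinct (dst, port) pairs inside some span of length `window`.
    Records must be sorted by timestamp; state is kept only for the window."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst, port) still inside the window
    alerts = {}
    for ts, src, dst, port in records:
        q = recent[src]
        q.append((ts, dst, port))
        # Expire events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def demo():
    """Run the detector with a short and a long window over the sample log."""
    recs = parse_log(SAMPLE_LOG)
    short = detect_slow_scans(recs, timedelta(minutes=10), threshold=3)
    long_ = detect_slow_scans(recs, timedelta(hours=2), threshold=3)
    return short, long_


if __name__ == "__main__":
    short, long_ = demo()
    print("10-minute window alerts:", short)  # {}  the slow scanner slips through
    print("2-hour window alerts:  ", long_)   # {'10.0.0.5': ...}  caught at the 4th port
```

The trade-off the abstract alludes to is visible here: the longer the window, the more per-source state the detector must retain, and the easier it becomes for benign but chatty clients to cross the threshold, which is exactly the noise problem the thesis sets out to measure.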

Link to my study: Master in Information Security – Gjøvik University College

LaTeX – a three phase love story

I can’t remember when I first met \LaTeX, but it was not love at first sight. I remember thinking: “Why do it this difficult way when there are free word processing alternatives like OpenOffice?”. This first meeting must have been in the early 90’s. After this initial phase I just avoided LaTeX in general (no, I’m for sure not a programmer).

When I started studying in fall 2010 I was again challenged by LaTeX code. The college had a liberal policy regarding which word processor we could use, but almost all professors strongly encouraged us to learn LaTeX. All students felt a bit trapped by this informal pressure to use LaTeX. With LaTeX you write the raw text almost like HTML code and compile it into a viewable & portable document (e.g. DVI, PS or PDF). Nevertheless, I decided early in the first semester to give LaTeX a chance. I was curious about why people were so enthusiastic about this odd (and perhaps troublesome) way to produce documents.

I managed rather quickly to get a LaTeX environment up and running on my local Windows XP based computer. My choice was MiKTeX as the distribution and Texmaker as the editor. The distribution is a collection of packages and programs (compilers, fonts, and macro packages). This phase included several strange deadlock situations that also taught me troubleshooting. Backup is crucial! I was now able to easily recognize documents that were produced by LaTeX. These documents often have the same sharp Times font and look very professional (academic). In this learning phase I ended up fiddling with my LaTeX code and spent much more time creating text than I would have with an old mechanical typewriter, however – I was starting to get a grip on LaTeX. No doubt, learning LaTeX made me swear from time to time.

LaTeX example – code (math mode): f(x) = f(a) + (x-a)f'(a) + {(x-a)^2 \over 2} f''(a) + \cdots = \sum_{i=0}^\infty {(x-a)^i \over i!} f^{(i)}(a)

LaTeX example – compiled result: (the rendered image of the formula above)

Writing my thesis these days, I am happy to be writing in LaTeX. The code fiddling is (almost) non-existent. I do occasionally test out new packages/templates/styles and play around to see what they are capable of. Good backup routines are always crucial whatever application you use. The power of LaTeX is pure fun! The initial time spent learning LaTeX is a good investment for producing documents, especially in academic work. Today, I consider myself a LaTeX fan and fully understand why so many people use it!

There are tons of LaTeX documentation and tutorials on the Internet. Some initial searches may end up on pages including plastic wrapped curvy girls, but you soon narrow down the search and get helpful documents online.

Please visit the TeX Users Group’s Showcase: http://www.tug.org/texshowcase/ and WordPress support for LaTeX: http://en.support.wordpress.com/latex/

Roger L

Sorting IP addresses in MS Excel

Yess – I finally got my Microsoft Excel 2010 formula working. My local settings use a semicolon (“;”) instead of the comma (“,”) that was used in this source at the Microsoft forum (short link: http://littleurl.info/j1p). Thanks to Zorvek.

  1. Place the IP addresses you want to sort in column A
  2. Place the formula below in column B
  3. Sort your columns with B as the sorting key.
  4. Voilà – hopefully you manage to sort IP addresses correctly!

Norwegian regional settings (semicolon “;”)

=MID("00"&+A1;LEFT(FIND(".";A1)-1);3) &"."& RIGHT("00"&MID(A1;FIND(".";A1)+1;FIND("|";SUBSTITUTE(A1;".";"|";2))-FIND(".";A1)-1);3) &"."& RIGHT("00"&MID(A1;FIND("|";SUBSTITUTE(A1;".";"|";2))+1;FIND("|";SUBSTITUTE(A1&".";".";"|";3))-FIND("|";SUBSTITUTE(A1;".";"|";2))-1);3) &"."& RIGHT("00"&RIGHT(A1;LEN(A1)-FIND("|";SUBSTITUTE(A1;".";"|";LEN(A1)-LEN(SUBSTITUTE(A1;".";"")))));3)

England / U.S.A. regional settings (comma “,”)

=MID("00"&+A1,LEFT(FIND(".",A1)-1),3) &"."& RIGHT("00"&MID(A1,FIND(".",A1)+1,FIND("|",SUBSTITUTE(A1,".","|",2))-FIND(".",A1)-1),3) &"."& RIGHT("00"&MID(A1,FIND("|",SUBSTITUTE(A1,".","|",2))+1,FIND("|",SUBSTITUTE(A1&".",".","|",3))-FIND("|",SUBSTITUTE(A1,".","|",2))-1),3) &"."& RIGHT("00"&RIGHT(A1,LEN(A1)-FIND("|",SUBSTITUTE(A1,".","|",LEN(A1)-LEN(SUBSTITUTE(A1,".",""))))),3)
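What the column-B formula produces is a sort key in which every octet is left-padded with zeros to three digits, so that plain text ordering matches numeric ordering. Here is the same trick as an added Python example (my own code, not the formula from the post or from the Microsoft forum), which also validates the input and cross-checks the result against the standard library’s ipaddress module. The sample addresses are constructed, and the input validation goes beyond what the Excel formula does; the formula simply assumes well-formed dotted quads.

```python
# Added example (not from the post): the zero-padding sort key in Python.
import ipaddress


def pad_ip_key(ip):
    """Return the Excel-style sort key: each octet zero-padded to width 3,
    e.g. '10.1.1.1' -> '010.001.001.001'. Unlike the spreadsheet formula this
    rejects anything that is not a dotted-quad IPv4 address."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(f"{int(o):03d}" for o in octets)


def invalid_ips(ips):
    """Return the entries that pad_ip_key would reject (handy for checking
    column A before sorting)."""
    bad = []
    for ip in ips:
        try:
            pad_ip_key(ip)
        except ValueError:
            bad.append(ip)
    return bad


def sort_ips(ips):
    """Numeric sort of IPv4 strings using the padded key (what column B does)."""
    return sorted(ips, key=pad_ip_key)


def sort_ips_stdlib(ips):
    """Same ordering via ipaddress.ip_address, which also rejects malformed
    input; used here as an independent cross-check of the padding trick."""
    return sorted(ips, key=ipaddress.ip_address)


# Constructed sample: a plain string sort puts "100.1.1.1" before "9.9.9.9"
# and "10.0.0.15" before "10.0.0.5", which is the problem the formula fixes.
SAMPLE_IPS = ["192.168.1.10", "10.0.0.5", "100.1.1.1", "9.9.9.9", "10.0.0.15", "192.168.1.9"]

if __name__ == "__main__":
    print("plain string sort:", sorted(SAMPLE_IPS))
    print("padded-key sort:  ", sort_ips(SAMPLE_IPS))
    print("invalid entries:  ", invalid_ips(SAMPLE_IPS + ["10.1.1", "300.1.1.1"]))
```

The padded key is only a text trick: it works because every octet has the same width after padding. The ipaddress-based sort is the more robust choice in code, since it compares real integers and can handle IPv6 as well, but it cannot be expressed as a worksheet formula, which is why the padding approach is the practical one inside Excel.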