Saturday, February 20, 2010

Advice for Academic Researchers

A blog and book reader emailed the following question:

I am an infosec undergrad and have been granted a scholarship to continue my studies towards a PhD with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)?


I post this question because I'm sure blog readers will contribute interesting comments.

For my part, I'm really interested in the following: characterizing network traffic. In other words, developing tools and techniques to describe what is happening on the network. (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.)

Without understanding what is happening, we can't decide if the activity is normal, suspicious, or malicious. Current approaches are far too primitive and limited. This work is not as "shiny" as developing a new detection algorithm, but getting back to basics is the sort of approach that could survive in a research environment.
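As an added illustration of what "describing what is happening on the network" can mean at the flow level (example code written for this page, not code from the original post): the script below takes constructed NetFlow-style records and produces a per-source summary with plain-language characterizations such as "scan-like" or "beacon-like". The addresses, flow sizes, thresholds and labels are all illustrative assumptions, and the point is the description step, not a detection algorithm.

```python
"""Characterize constructed flow records per source host (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional-summarized flow record (NetFlow-like, constructed)."""
    src: str
    dst: str
    dport: int
    proto: str
    pkts: int
    bytes_out: int   # bytes from src to dst
    bytes_in: int    # bytes from dst back to src


# Constructed sample data; these are not real captures.
SAMPLE_FLOWS = [
    # 10.0.0.5: ordinary browsing, a couple of destinations, inbound-heavy
    Flow("10.0.0.5", "93.184.216.34", 443, "tcp", 40, 5_000, 120_000),
    Flow("10.0.0.5", "93.184.216.35", 80, "tcp", 12, 900, 30_000),
    # 10.0.0.7: touches 40 ports on one host with single-packet flows
    *[Flow("10.0.0.7", "10.0.0.20", p, "tcp", 1, 60, 0) for p in range(1, 41)],
    # 10.0.0.9: repeats near-identical small flows to one external host:port
    *[Flow("10.0.0.9", "198.51.100.7", 443, "tcp", 2, 320, 310) for _ in range(12)],
    # 10.0.0.11: pushes far more data out than comes back
    Flow("10.0.0.11", "203.0.113.9", 22, "tcp", 9000, 12_000_000, 300_000),
]

# Thresholds below are arbitrary illustrative choices, not tuned values.
SCAN_MIN_PORTS = 20
BEACON_MIN_FLOWS = 10
UPLOAD_MIN_BYTES = 1_000_000
UPLOAD_RATIO = 10


def characterize(flows):
    """Group flows by source and return descriptive statistics plus notes.

    The notes describe the traffic shape; they are labels for a human to
    read, not verdicts about malicious intent.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    summary = {}
    for src, fl in by_src.items():
        dsts = {f.dst for f in fl}
        dst_ports = {(f.dst, f.dport) for f in fl}
        out = sum(f.bytes_out for f in fl)
        inn = sum(f.bytes_in for f in fl)
        sizes = [f.bytes_out for f in fl]
        notes = []

        # Port diversity on few hosts with tiny flows: describes a sweep.
        if (len(dst_ports) >= SCAN_MIN_PORTS and len(dsts) <= 2
                and all(f.pkts <= 2 for f in fl)):
            notes.append("scan-like: many ports on few hosts, single-packet flows")

        # Repetition: many flows to exactly one dst:port with near-equal sizes.
        if (len(fl) >= BEACON_MIN_FLOWS and len(dst_ports) == 1
                and max(sizes) - min(sizes) <= 0.1 * max(sizes)):
            notes.append("beacon-like: repeated similar-sized flows to one destination")

        # Direction: substantial outbound volume that dwarfs the return path.
        if out >= UPLOAD_MIN_BYTES and out > UPLOAD_RATIO * max(inn, 1):
            notes.append("upload-heavy: outbound bytes exceed inbound by >10x")

        if not notes:
            notes.append("unremarkable at this granularity")

        summary[src] = {
            "flows": len(fl),
            "dsts": len(dsts),
            "dst_ports": len(dst_ports),
            "bytes_out": out,
            "bytes_in": inn,
            "notes": notes,
        }
    return summary


if __name__ == "__main__":
    for src, s in characterize(SAMPLE_FLOWS).items():
        print(f"{src}: {s['flows']} flows, {s['dsts']} dsts, "
              f"{s['dst_ports']} dst:ports, out={s['bytes_out']} in={s['bytes_in']}")
        for n in s["notes"]:
            print("   ", n)
```

The output is a description, not an alert: a scan-like pattern may be a vulnerability scanner the owner runs on purpose, and a beacon-like pattern may be a legitimate keep-alive. The value of the step is that an analyst can read the summary and decide, which is exactly the gap the post describes.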

5 comments:

CP said...

Agreed Richard.

It's really about using techniques such as analytics and business intelligence to understand not just the activity on the network, but also the behavior elements of who is communicating over the network.

The Ubiquitous Mr. Lovegroove said...

Data leak prevention tools

Martin said...

For the 1-3 year timeframe, I recommend developing a plugin for the new OISF Suricata or Snort engine which facilitates true Layer-7 decoding for very specific web apps. Specifically, I'd like to have rules that are Facebook, Hotmail, Gmail, etc. action specific. As in, a plugin that allows the creation of rules to say "alert when someone posts the same message to their entire contact list" for various web apps. Emerging Threats Snort sigs exist currently for generic Facebook message posts, but building a framework for quickly interpreting web apps is where the next-gen stuff needs to be. Flow tools are becoming irrelevant as malware increasingly uses legitimate web services to both propagate and operate.

Silvio Cesare said...

Internet traffic classification (using machine learning) is a research topic of a PhD student in our university group.

AD3L said...

I think using honeypots for botnet detection/tracking, spambot/webbot detection and so on is a hot topic for research and development.