[Owasp-appsensor-project] Attacker Profiling (was: DHS & Georgia Tech Grant Funding Potential)

Christian Bockermann chris at jwall.org
Wed Aug 14 10:48:08 UTC 2013


Hi Ryan, hi all!

I obviously like the idea of extending the AuditConsole with regard to the tracking
you mentioned. In fact, I began preparing for session tracking of the received events
some versions ago, and the console itself provides an API for plugging in custom modules
as well.

The main task I see here is to come up with reasonable methodologies to do a session
based analysis of the data. If you carefully read through the mykonos post, you'll see
several steps involved:

   (1) provide a method for determining the attacker session
       (session tracking by IP, Cookies, whatever)

   (2) extract identifiable features during step (1) which allow for subsequent
       events to be associated with the identified attacker

   (3) An API for accessing the sessions and their associated information.

   (4) A method for generating nice names :-)


Part of (3) has already been integrated into the AuditConsole. Anyone volunteering for
step (4)? ;-)


I see the biggest issues with (1) and (2). Not from an implementation point of view,
but from a data analyst's POV. I'd be highly interested in collaborating here, as we
already do data analysis at the department where I am employed.
My biggest concern here is the availability of data to develop and properly evaluate
steps (1) and (2).


Regards,
     Chris
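A sketch of steps (1) to (4) as a small session-tracking module over audit events, added here as an illustration and not code from the AuditConsole or from anyone on this thread. The event fields, the cookie-first / IP+User-Agent-fallback linking rule, the constructed rule labels and the name word lists are all assumptions.

```python
import hashlib

# Constructed sample events in an assumed, simplified shape of what the
# AuditConsole receives from ModSecurity audit logs (one dict per transaction).
# Rule labels are constructed placeholders, not real CRS rule ids.
EVENTS = [
    {"ts": "2013-08-13T01:45:00", "ip": "203.0.113.7", "cookie": "s1",
     "ua": "curl/7.30", "path": "/login", "rules": ["RULE-SQLI"]},
    {"ts": "2013-08-13T01:45:09", "ip": "203.0.113.7", "cookie": "s1",
     "ua": "curl/7.30", "path": "/admin", "rules": ["RULE-ADMIN-PROBE"]},
    {"ts": "2013-08-13T01:46:02", "ip": "198.51.100.4", "cookie": None,
     "ua": "Mozilla/5.0", "path": "/", "rules": []},
    {"ts": "2013-08-13T01:50:30", "ip": "203.0.113.7", "cookie": None,
     "ua": "curl/7.30", "path": "/search", "rules": ["RULE-SQLI"]},
]
ADJECTIVES = ["quiet", "rusty", "nimble", "grumpy"]
ANIMALS = ["otter", "badger", "heron", "lynx"]

def nickname(key):
    """Step (4): a stable, human-friendly label derived from the session key."""
    h = hashlib.sha256(key.encode()).digest()
    return "%s-%s-%02x" % (ADJECTIVES[h[0] % 4], ANIMALS[h[1] % 4], h[2])

def build_sessions(events):
    """Steps (1)-(3): a cookie identifies the session when present (1); the
    (ip, ua) pairs seen in a session are remembered (2) so later cookieless
    events from that client are linked to it. Caveat: behind NAT or a shared
    proxy the ip+ua fallback over-merges distinct clients."""
    sessions, fingerprints = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp = (ev["ip"], ev["ua"])
        if ev["cookie"]:
            key = "cookie:" + ev["cookie"]
        elif fp in fingerprints:
            key = fingerprints[fp]       # link via a feature learned earlier
        else:
            key = "ipua:%s|%s" % fp      # new session without a cookie
        s = sessions.setdefault(key, {"name": nickname(key), "ips": set(),
                                      "uas": set(), "paths": [], "rules": set(),
                                      "first": ev["ts"], "last": ev["ts"]})
        s["ips"].add(ev["ip"]); s["uas"].add(ev["ua"])
        s["paths"].append(ev["path"]); s["rules"].update(ev["rules"])
        s["last"] = ev["ts"]
        fingerprints[fp] = key
    return sessions

def sessions_with_rule(sessions, rule_id):
    """Step (3): a minimal query API over the session store."""
    return sorted(k for k, s in sessions.items() if rule_id in s["rules"])
```

The fourth constructed event carries no cookie but is linked back to session s1 through the remembered (ip, ua) pair, which is exactly the kind of association step (2) is meant to enable.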



On 13.08.2013 at 01:45, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> To John's point about reporting and visualization - we have similar issues on the ModSecurity front, considering that we have implemented many AppSensor detection points within the OWASP ModSecurity CRS. We currently mainly use a tool called the audit console and it accepts ModSecurity audit log data. 
> 
> http://www.jwall.org/web/audit/console/index.jsp
> 
> You can search and sort in a variety of ways however in general I feel that there is much to do with regards to making these events meaningful for a security analyst. 
> 
> I don't really like the per-transaction views of most WAF alert data. I prefer more of an attacker-sequence view that shows paths of attacks or profiles the attacker a bit more. I actually like what Mykonos did with their dashboard - http://www.mykonossoftware.com/profile-the-attacker.php
> 
> I guess my point is that I agree that we need a better dashboard for these events but I am not sure if building one from scratch is the best use of time and resources. We could consider contributing to Audit Console to add features we need. 
> 
> --
> Ryan Barnett
> 
> 
> On Aug 12, 2013, at 2:49 PM, John Melton <jtmelton at gmail.com> wrote:
> 
>> I personally like the #2 idea. Getting the concept out is helpful, and seems like it would be very helpful, particularly within govt. circles. 
>> 
>> I really like the idea of sample applications using the implementation. From a development perspective, I also think it could be useful to build a reporting front-end for analysis by end-users. I am working on the engine piece and have a good handle on that, but the visualization of the data is probably an area that could use some love. However, these dev tasks might be a stretch to start now. 
>> 
>> If our proposal were accepted, when would the work begin? I think if the work started after the new year, I'd be comfortable proposing any of the dev ideas, but if sooner, I'd say go with just the documentation. 
>> 
>> 
>> On Mon, Aug 12, 2013 at 4:33 PM, Colin Watson <colin.watson at owasp.org> wrote:
>> I have discussed this a little with Samantha.  Apparently there is an
>> opportunity to fund marketing, promotion, reviewing, development, and
>> writing expense, but not for example travel.
>> 
>> A couple of suggestions:
>> 
>> 1.  fund a competition for the best implementation, demonstrations,
>> supporting applications (e.g. $5,000 first, three $2000 runners up and
>> five $1,000s plus some admin costs for running it?)
>> 
>> 2.  pay to print and distribute further copies of the upcoming v2
>> Guide (e.g. to give them away at developer events, perhaps in the US
>> only?)
>> 
>> But we have an opportunity to write this by end of tomorrow and submit
>> for 2013, or wait a year and do it in 2014. I think we should put some
>> sort of bid in, the question is what for. I can spend some time
>> tomorrow writing up, if other contributors on this list can provide a
>> steer as to what they think is achievable and might gain support. I
>> think both of the ideas above avoid paying volunteers.
>> 
>> Colin
>> 
>> 
>> On 12 August 2013 21:17, Samantha Groves <samantha.groves at owasp.org> wrote:
>> > Hello AppSensor Team,
>> >
>> > Colin has asked me to inform you that you currently have an opportunity to
>> > submit a proposal for grant funding from the Department of Homeland
>> > Security. See the HOST Website for more information. Additionally, see the
>> > grant page for more information on the grant opportunity.
>> >
>> > Please have a look and let me know if this is something you are interested
>> > in pursuing. Additionally, please share any ideas you may have on
>> > objectives, and activities that you would like to take part in for AppSensor
>> > with Grant support, if awarded.
>> >
>> > Thank you,
>> >
>> > SG.
>> >
>> > --
>> >
>> > Samantha Groves, MBA
>> >
>> > OWASP Projects Manager
>> >
>> >
>> > The OWASP Foundation
>> >
>> > Arizona, USA
>> >
>> > Email: samantha.groves at owasp.org
>> >
>> > Skype: samanthahz
>> >
>> >
>> > _______________________________________________
>> > Owasp-appsensor-project mailing list
>> > Owasp-appsensor-project at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>> >