[Owasp-appsensor-project] GSoC 2016 Trend Monitoring Analysis Engine

John Melton jtmelton at gmail.com
Mon Mar 7 04:37:56 UTC 2016


Hi, and thanks so much for your email. I've responded with specific
comments inline below.


On Sun, Mar 6, 2016 at 1:58 PM, Timothy Sum Hon Mun <timothy22000 at gmail.com>

> Hi all,
> Firstly, congratulations on OWASP being accepted for GSoC 2016!!
> My name is Timothy Sum and I am from Malaysia. I am currently a final year
> MSc Computer Science student studying at University of Kent in the UK. I
> have experience in Java, Javascript, Python, Node.js, MongoDB, AWS,
> Jenkins, Git workflow, Dropwizard, Logstash, Apache Spark (MSc
> dissertation) and others, I am always keen to learn new technologies and
> try things outside my comfort zone!
> I am currently undergoing my placement (where I gained most of my
> experience from) which will be concluded on the 31st March 2016. I will be
> working full time on the weekdays before then. Therefore, I will do my
> research about the project and prepare my proposal typically at night or
> during the weekends. After my placement finishes, I will be able to
> completely commit to GSoC by researching, learning and experimenting about
> gaps in my knowledge during April even before the community bonding period.
> I’ll have a written report to write about my placement that is due in June
> 2016 but I can do that while coding over the summer!
> I just recently stumbled over GSoC 3 days ago and have been looking
> through the project list to decide which project I should go for. This will
> be my first time contributing to an open source project and I am very hyped
> up about it as I get to learn from a mentor and contribute at the same
> time. :) I also do not mind having Skype/Hangout discussions with mentors
> regularly to discuss my progress.

Yes, skype/hangouts is the normal way we communicate. I generally aim for
meetings 2-3 times a week so we can make sure we're making forward progress
and then use email in between meetings for specific questions.

> I am interested in the Trend Monitoring Analysis Engine project for OWASP
> AppSensor and would be excited if I can work on it. I do not have a
> background in application security and intrusion detection but am highly
> interested in learning about it. So far, I have:

Fantastic. Honestly, a background in spark / machine learning will be more

> i) Read Chapter 3 and Chapter 4 of the OWASP guide briefly and
> understood the approach behind AppSensor, its high level architecture
> (detection and response unit), its pattern (Event, EventManager,
> EventAnalysisEngine and so on)
> ii) Managed to get a demo running locally as per the AppSensor Demo Setup
> guide (
> https://github.com/jtmelton/appsensor/blob/master/sample-apps/DemoSetup.md).
> Had a little bump with a mongo test failing when doing mvn install but got
> it to work in the end. Went through part of the codebase while doing this.
> iii) Researched trend monitoring analysis techniques. It seems that trend
> analysis falls into anomaly detection based on my understanding so far but
> feel free to correct me (will expand in the section below). It would be
> great if you recommend me additional papers/books to read to learn more on
> this topic.
> Did a first pass on two papers that cover general topics in IDS:
> http://galaxy.cs.lamar.edu/~bsun/seminar/example_papers/IDS_taxonomy.pdf
> http://www.ijcset.net/docs/Volumes/volume2issue4/ijcset2012020419.pdf

There is not much literature specific to application intrusion detection.
The concept is roughly based on network IDS systems. It is mostly
transferring those concepts to the application layer, and looking for
activity that is not possible (or is much harder) to detect at the network
layer, but is possible (or much easier) at the application layer.

> Currently, I have given it some thought and my high level understanding of
> the expected deliverables are:
> i)  A trend monitoring analysis engine - Extend the analysis-engines
> package and add tests. Depending on which implementation strategies to use,
> it seems that I would have to record the “normal” behaviour pattern of a
> system and then trigger a response if the application behaves out of the
> norm which will be defined by the trending rules.

I think of 2 possible approaches:
- *simple trending engine* - this would be an implementation that would
essentially do some simple counting. An example here might be that we have
seen the occurrence of detection point ABC go up 500% in the last hour over
the "normal" usage. This would likely be pretty straightforward, and could
use something like a time series database to track the metadata, and do
some very fast analysis.
- *machine learning engine* - this is a more complex implementation. This
would involve creating a ML style engine that would allow for various types
of analysis. An example might be noticing a shift in the composition of
HTTP verb usage for a given time period. If you decide to go this route, I
think you'll want to be very specific with the types of analysis you want
to provide, and focus on doing great documentation about how to build rules
based on training data and the algorithm selection process.

> ii)  Associated configuration mechanism to specify the trending
> rules/policy - Extend the configuration mode package, create respective
> xml and xsd configuration for the Trend Monitoring analysis engine.
> iii) A small full sample demo application showing usage of the trend
> monitoring feature. - Built on the existing demo application?

Yes, these would be the 3 basic outputs for that project, along with the
associated documentation. Additionally, I would say that we should produce
a small number of rules. That will be necessary for the demo application
anyways, but we can use those rules as examples for the community. As for
the demo application, it's very small and trivial. We actually have a user
who built a demo application for a talk about appsensor that is likely a
much better fit (https://github.com/dschadow/ApplicationIntrusionDetection)

> It would be great if the mentor/team can give me feedback on my ideas and
> things to read to expand my knowledge in this domain. If there is any task
> that you would like me to complete, I am eager to do it and will find time
> at night or the weekends to complete it.

I think what I'd be most interested in is if you could let us know which
approach (simple trending, machine learning) you would prefer to take when
building the analysis engine. Beyond that, I think your skillset looks well
suited to the project.

> I would also like to start preparing my project proposal to be able to
> share with the mailing list to get feedback as this will be my first time
> applying for GSoC and I will need all the help I can get!!

Sounds great. I think your notes in this email are a very solid start. To
build a good proposal, I think the most important thing to do is scope the
work. Try to build a detailed plan (i.e. what task(s) you will accomplish
each week). After that, we can review it and make suggestions about whether
or not we think you should try to do more or less work, and what parts may
be tricky. It will also help us know which mentor(s) to bring onto the

> Thanks for your time and look forward to your feedback/replies. This
> young padawan needs guidance. :D

Thank you!

> I have also started a topic in the OWASP GSoC group.
> https://groups.google.com/forum/?fromgroups#!topic/owasp-gsoc/59vAa402jXo
> Kind Regards,
> Tim

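Added example, not part of the original email or of AppSensor's code: a minimal sketch of the "simple trending engine" idea described in the reply, counting events per detection point in the latest hour and flagging a rise of 500% or more over the per-hour mean of the preceding 24 hours. The function names, the `(timestamp, label)` event form, the 24-window baseline, the baseline floor and the sample data are assumptions made for this illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def trend_alerts(events, now, window=timedelta(hours=1), baseline_windows=24,
                 threshold_pct=500.0, baseline_floor=1.0):
    """Return {detection_point: pct_increase} for points whose count in the
    latest window rose by at least threshold_pct over their per-window mean
    across the preceding baseline_windows windows.
    events: iterable of (timestamp, detection_point_label) tuples."""
    current = Counter()
    history = defaultdict(Counter)  # label -> {window index: count}
    for ts, label in events:
        age = now - ts
        if age < timedelta(0):
            continue  # ignore events stamped in the future
        idx = age // window  # 0 = latest window, 1 = the one before, ...
        if idx == 0:
            current[label] += 1
        elif idx <= baseline_windows:
            history[label][idx] += 1

    alerts = {}
    for label, count in current.items():
        # Mean over every baseline window, including windows with no events.
        mean = sum(history[label].values()) / baseline_windows
        # Floor the baseline so a detection point with no history does not
        # divide by zero and a single stray event is not reported as a spike.
        baseline = max(mean, baseline_floor)
        pct = (count - baseline) / baseline * 100.0
        if pct >= threshold_pct:
            alerts[label] = round(pct, 1)
    return alerts


def sample_events(now):
    """Constructed sample data: steady hourly counts, then one spike."""
    events = []
    for hour in range(1, 25):  # the 24 baseline hours
        ts = now - timedelta(hours=hour, minutes=30)
        events += [(ts, "ABC")] * 2 + [(ts, "XYZ")] * 5
    recent = now - timedelta(minutes=10)
    return events + [(recent, "ABC")] * 14 + [(recent, "XYZ")] * 6 + [(recent, "NEW")] * 3


if __name__ == "__main__":
    now = datetime(2016, 3, 7, 12, 0, 0)
    print(trend_alerts(sample_events(now), now))
```

Here "go up 500%" is read as a 500% increase, so a point is flagged once its latest count reaches six times its baseline.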