[Dshieldannounce] DShield / ISC Research Feed

Johannes B. Ullrich jullrich at sans.org
Sat Jan 17 01:53:42 UTC 2004

[please use the discussion list or off-list email to reply]

From time to time, I am getting requests from researchers for access to
DShield data. While DShield data, with the exception of data that
could be used to identify submitters, is essentially "public", it has
been very time consuming to fulfill these requests. On the other hand,
I think it would be a waste not to share the data we collect more 
widely. For example, I have pointed to Vinod's papers in the past,
which have been very useful.

In particular to look at historic data more comprehensively, I would
like to solicit some outside help.

In order to help with this, I would like to start a discussion about
how to accomplish this best. I would like to establish a 'DShield/ISC
Research Feed'. Interested researchers can use this feed for their
research. In order to reduce load on our systems, I would hope that one
participant will establish a 'proxy', which others can use to pull the
data from.

A couple of objectives:
- The feed should provide as much information as possible, without 
  revealing submitter information. I would suggest that the target IP
  is encrypted (e.g. some form of md5hash). This way, the recipient
  will still be able to count distinct targets, which is an important
- Same for the userid: if the userid is included at all, it is 
  encrypted. Again, it is very useful to see if suspicious data is
  submitted by a particular user, or to observe how data for a
  particular user changed over time.
- All the other data would be sent 'as is'.

If there are any objections to this approach, please note so on our
public discussion list (list at dshield.org)

If you are interested in this research feed, or if you would like to
provide resources for it, please contact me off list.

DShield data will be made available free of charge for non-commercial
research. All results have to be made available to the public and
DShield or the Internet Storm Center have to be credited for the
data. If some research is particularly resource intensive, it may
be appropriate to contribute respective resources (hardware, time,
bandwidth) to the project.

As resources for this are limited, there may be a selection based
on the merit of the proposed analysis. I hope to establish a group
of reviewers if this should become necessary (at this point, its
the 'squeeky wheel' principle...)

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/dshieldannounce/attachments/20040116/02c620f2/attachment-0003.bin

More information about the Dshieldannounce mailing list