[Dshield] Duplication of Data

David Kennedy CISSP david.kennedy at acm.org
Mon Jul 9 12:00:00 GMT 2001


Do DShield, MyNetWatchman and Incidents cooperate to reduce the amount
of probe/intrusion reporting that's duplicated among them?  I see
from DS' home page some 24M lines of data, but no clear indication of
# of reporting agents.  MNW reports 600-odd agents.  It's unclear
where Incidents gets data other than from DS and MNW.  With only 600
agents, it would not take a great deal of duplication to skew the

For example, #5 on the DS top 10 list now is 80/TCP with ~5K
reports/day.  But #4 is FTP which also has had days with only ~5K of
reports.  If 1/3 of MNW's reports are also duplicated on DS, it could
skew the results compiled by Incidents.  If the numbers are still
small now, perhaps now is the best time to address this before the
numbers get too large to scale a fix?

Suggestion:  Just ask reporters not to duplicate their submissions;
put a note on the DS registration and client download pages asking
that the data only be reported to DS.  If you want to get
sophisticated, have the clients look in default locations for each
other.  If another client is found, either return an error to the user
or include the error in the log submission.




David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
