The pH evaluation project

Here is a paper describing our approach to combining two anomaly detection systems in a way that is consistent with computer immunology.
This page is about my master's thesis project: the evaluation of pH, an approach to the automated response problem. The research lies mostly in the fields of system administration, security and computer immunology.

The test environment consists of two machines, called romulus and remus after the mythical tale of the foundation of Rome.
These two machines are meant to be as identical as possible, except that romulus has the pH kernel module and remus doesn't. They are currently running a basic Debian GNU/Linux (potato) installation. Here is a more detailed description of both machines and their configuration.

Phase 1
This is the initial testing phase, where we intend to find out how different our two test machines are. At this phase they are not under any extra load, and they have been monitored for over sixty days doing "nothing". The monitoring is done by logging system activity to a data file with this command (the date line marks when the sampling started; vmstat then appends one line every 30 seconds):

date > vmstat.log ; vmstat 30 >> vmstat.log &
After the logging period, the files were copied from the machines and parsed. The machines are now running a 2.2.19 kernel with the same configuration as the previous kernel, except that one of them (romulus) has the pH-patched kernel. pH is still inactive, so we should get results similar to the previous test.

Here is a plot that shows the "free" variable of the vmstat output, in other words how much memory (in kilobytes) is available on each machine over time. For more statistics on these numbers, please take a look at stat_result.



These are some scripts I use to parse the files generated by vmstat.

Output files and plots:



vmstat.remus (14MB)
vmstat.romulus (14MB)