Monitoring / Visualisation Stations, & relevance of layer 4 traffic

Opinions sought from those working in the relevant areas - handed this document in as part of a degree project in security visualisation & monitoring, and the feedback was that the network and monitoring station/s are not realistic, and that I should have focused on port 80 and layer 7 traffic only, as layer 4 is not relevant any longer. The link provided below is only part of the document, I presume it's the part they had issues with. I wasn't actually intending to focus on web traffic, which was made clear in the document anyway (tho I did indicate to them that with the likes of Rumints packet contents visualiser, it is certainly viable to utilise that to match up with malware signature databases - but that aspect wasn't the focus of the project).
I don't expect it says anything that people working in those areas will be unaware of, and the general intention was to address what would be required for a monitoring station / network, which includes visualisation software, that would work in real-time as well as offline analysis and traffic capture.
The grouping into 'objectives' is just part of how the work has to be presented to comply with guidelines. Cheers for input, I know you're probably busy.

nb - the last part is probably wrong about ad-hoc IPs; I can't remember exactly right now how they are handed out; they probably aren't always dynamic esp. now it's more common to get fixed-IP SIMs.


Very good job

cheers. you know, one of the

cheers. you know, one of the real reasons they marked it down was cause they actually thought they can do weird mind-control abuses on me based on 'the matrix'...and so forth (they took a comment i made about the movies in it out of context, to turn it against me). i didn't really convey just how nasty and messed up what they were doing is. anyway...

Cheers, but I was looking

Cheers, but I was looking more for advice on whether what I had written about was accurate - cause they gave me a D for that part, and as far as my research etc went I'm not sure what it is they say isn't realistic about it. So for example, they didn't say if 'design a network monitoring station / network' made them expect perhaps all the exact IP ranges and configurations to an existing network.
As indicated, I know what I would have written about, had my project been about layer 7 web threats. But it wasn't; put it this way, in a previous section I covered what threats I was looking at, and they gave me an A for that bit.

See, in one section I included a part about enticing people to be more interested in security, and making it more attractive and comfortable to be working at monitoring stations; the overall gist was about why visualisation software makes it easier to convey information quickly and accurately than just using text-based monitoring. But they are saying that real-time visualisation doesn't exist, and they think because I mentioned some fictional GUI-representations that they could apply that one small paragraph to the rest of what I wrote about.

I did try explaining that often it's the other way around anyway; eg the Starlight desktop is arguably more the basis for designs of desktops as depicted in films, than the software is copying the movies. So I was looking more for real examples of real-time visualisation stations that I could show them do exist. I think they're trying to say that it's not realistic because I have the multiple monitors with different apps running in real-time - they seem to think I copied it from a film, so they can ignore all the technical aspects of what I wrote and the reasoning behind setting a station up that way (which can be used for offline data correlations anyway).

HTTP Payload anomaly detection

If you were told to get deeper into the application layer and specifically http you might find this interesting:

Take a look at it, its a definitely worth read