Background: #fff
Foreground: #000
PrimaryPale: #8cf
PrimaryLight: #18f
PrimaryMid: #04b
PrimaryDark: #014
SecondaryPale: #ffc
SecondaryLight: #fe8
SecondaryMid: #db4
SecondaryDark: #841
TertiaryPale: #eee
TertiaryLight: #ccc
TertiaryMid: #999
TertiaryDark: #666
Error: #f88
/*{{{*/
body {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}

a {color:[[ColorPalette::PrimaryMid]];}
a:hover {background-color:[[ColorPalette::PrimaryMid]]; color:[[ColorPalette::Background]];}
a img {border:0;}

h1,h2,h3,h4,h5,h6 {color:[[ColorPalette::SecondaryDark]]; background:transparent;}
h1 {border-bottom:2px solid [[ColorPalette::TertiaryLight]];}
h2,h3 {border-bottom:1px solid [[ColorPalette::TertiaryLight]];}

.button {color:[[ColorPalette::PrimaryDark]]; border:1px solid [[ColorPalette::Background]];}
.button:hover {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::SecondaryLight]]; border-color:[[ColorPalette::SecondaryMid]];}
.button:active {color:[[ColorPalette::Background]]; background:[[ColorPalette::SecondaryMid]]; border:1px solid [[ColorPalette::SecondaryDark]];}

.header {background:[[ColorPalette::PrimaryMid]];}
.headerShadow {color:[[ColorPalette::Foreground]];}
.headerShadow a {font-weight:normal; color:[[ColorPalette::Foreground]];}
.headerForeground {color:[[ColorPalette::Background]];}
.headerForeground a {font-weight:normal; color:[[ColorPalette::PrimaryPale]];}

.tabSelected{color:[[ColorPalette::PrimaryDark]];
	background:[[ColorPalette::TertiaryPale]];
	border-left:1px solid [[ColorPalette::TertiaryLight]];
	border-top:1px solid [[ColorPalette::TertiaryLight]];
	border-right:1px solid [[ColorPalette::TertiaryLight]];
}
.tabUnselected {color:[[ColorPalette::Background]]; background:[[ColorPalette::TertiaryMid]];}
.tabContents {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::TertiaryPale]]; border:1px solid [[ColorPalette::TertiaryLight]];}
.tabContents .button {border:0;}

#sidebar {}
#sidebarOptions input {border:1px solid [[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel {background:[[ColorPalette::PrimaryPale]];}
#sidebarOptions .sliderPanel a {border:none;color:[[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel a:hover {color:[[ColorPalette::Background]]; background:[[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel a:active {color:[[ColorPalette::PrimaryMid]]; background:[[ColorPalette::Background]];}

.wizard {background:[[ColorPalette::PrimaryPale]]; border:1px solid [[ColorPalette::PrimaryMid]];}
.wizard h1 {color:[[ColorPalette::PrimaryDark]]; border:none;}
.wizard h2 {color:[[ColorPalette::Foreground]]; border:none;}
.wizardStep {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];
	border:1px solid [[ColorPalette::PrimaryMid]];}
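/* "background:" with a single colon — the original "background::" is an invalid declaration and is ignored, so done steps never got their background colour */
.wizardStep.wizardStepDone {background:[[ColorPalette::TertiaryLight]];}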
.wizardFooter {background:[[ColorPalette::PrimaryPale]];}
.wizardFooter .status {background:[[ColorPalette::PrimaryDark]]; color:[[ColorPalette::Background]];}
.wizard .button {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::SecondaryLight]]; border: 1px solid;
	border-color:[[ColorPalette::SecondaryPale]] [[ColorPalette::SecondaryDark]] [[ColorPalette::SecondaryDark]] [[ColorPalette::SecondaryPale]];}
.wizard .button:hover {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::Background]];}
.wizard .button:active {color:[[ColorPalette::Background]]; background:[[ColorPalette::Foreground]]; border: 1px solid;
	border-color:[[ColorPalette::PrimaryDark]] [[ColorPalette::PrimaryPale]] [[ColorPalette::PrimaryPale]] [[ColorPalette::PrimaryDark]];}

#messageArea {border:1px solid [[ColorPalette::SecondaryMid]]; background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]];}
#messageArea .button {color:[[ColorPalette::PrimaryMid]]; background:[[ColorPalette::SecondaryPale]]; border:none;}

.popupTiddler {background:[[ColorPalette::TertiaryPale]]; border:2px solid [[ColorPalette::TertiaryMid]];}

.popup {background:[[ColorPalette::TertiaryPale]]; color:[[ColorPalette::TertiaryDark]]; border-left:1px solid [[ColorPalette::TertiaryMid]]; border-top:1px solid [[ColorPalette::TertiaryMid]]; border-right:2px solid [[ColorPalette::TertiaryDark]]; border-bottom:2px solid [[ColorPalette::TertiaryDark]];}
.popup hr {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::PrimaryDark]]; border-bottom:1px;}
.popup li.disabled {color:[[ColorPalette::TertiaryMid]];}
.popup li a, .popup li a:visited {color:[[ColorPalette::Foreground]]; border: none;}
.popup li a:hover {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; border: none;}
.popup li a:active {background:[[ColorPalette::SecondaryPale]]; color:[[ColorPalette::Foreground]]; border: none;}
.popupHighlight {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}
.listBreak div {border-bottom:1px solid [[ColorPalette::TertiaryDark]];}

.tiddler .defaultCommand {font-weight:bold;}

.shadow .title {color:[[ColorPalette::TertiaryDark]];}

.title {color:[[ColorPalette::SecondaryDark]];}
.subtitle {color:[[ColorPalette::TertiaryDark]];}

.toolbar {color:[[ColorPalette::SecondaryMid]];}
.toolbar a {color:[[ColorPalette::TertiaryLight]];}
.selected .toolbar a {color:[[ColorPalette::TertiaryMid]];}
.selected .toolbar a:hover {color:[[ColorPalette::Foreground]];}

.tagging, .tagged {border:1px solid [[ColorPalette::TertiaryPale]]; background-color:[[ColorPalette::TertiaryPale]];}
.selected .tagging, .selected .tagged {background-color:[[ColorPalette::TertiaryLight]]; border:1px solid [[ColorPalette::TertiaryMid]];}
.tagging .listTitle, .tagged .listTitle {color:[[ColorPalette::PrimaryDark]];}
.tagging .button, .tagged .button {border:none;}

.footer {color:[[ColorPalette::TertiaryLight]];}
.selected .footer {color:[[ColorPalette::TertiaryMid]];}

.sparkline {background:[[ColorPalette::PrimaryPale]]; border:0;}
.sparktick {background:[[ColorPalette::PrimaryDark]];}

.error, .errorButton {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::Error]];}
.warning {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::SecondaryPale]];}
.lowlight {background:[[ColorPalette::TertiaryLight]];}

.zoomer {background:none; color:[[ColorPalette::TertiaryMid]]; border:3px solid [[ColorPalette::TertiaryMid]];}

.imageLink, #displayArea .imageLink {background:transparent;}

.annotation {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; border:2px solid [[ColorPalette::SecondaryMid]];}

.viewer .listTitle {list-style-type:none; margin-left:-2em;}
.viewer .button {border:1px solid [[ColorPalette::SecondaryMid]];}
.viewer blockquote {border-left:3px solid [[ColorPalette::TertiaryDark]];}

.viewer table, table.twtable {border:2px solid [[ColorPalette::TertiaryDark]];}
.viewer th, .viewer thead td, .twtable th, .twtable thead td {background:[[ColorPalette::SecondaryMid]]; border:1px solid [[ColorPalette::TertiaryDark]]; color:[[ColorPalette::Background]];}
.viewer td, .viewer tr, .twtable td, .twtable tr {border:1px solid [[ColorPalette::TertiaryDark]];}

.viewer pre {border:1px solid [[ColorPalette::SecondaryLight]]; background:[[ColorPalette::SecondaryPale]];}
.viewer code {color:[[ColorPalette::SecondaryDark]];}
.viewer hr {border:0; border-top:dashed 1px [[ColorPalette::TertiaryDark]]; color:[[ColorPalette::TertiaryDark]];}

.highlight, .marked {background:[[ColorPalette::SecondaryLight]];}

.editor input {border:1px solid [[ColorPalette::PrimaryMid]];}
.editor textarea {border:1px solid [[ColorPalette::PrimaryMid]]; width:100%;}
.editorFooter {color:[[ColorPalette::TertiaryMid]];}

#backstageArea {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::TertiaryMid]];}
#backstageArea a {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::Background]]; border:none;}
#backstageArea a:hover {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; }
#backstageArea a.backstageSelTab {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}
#backstageButton a {background:none; color:[[ColorPalette::Background]]; border:none;}
#backstageButton a:hover {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::Background]]; border:none;}
#backstagePanel {background:[[ColorPalette::Background]]; border-color: [[ColorPalette::Background]] [[ColorPalette::TertiaryDark]] [[ColorPalette::TertiaryDark]] [[ColorPalette::TertiaryDark]];}
.backstagePanelFooter .button {border:none; color:[[ColorPalette::Background]];}
.backstagePanelFooter .button:hover {color:[[ColorPalette::Foreground]];}
#backstageCloak {background:[[ColorPalette::Foreground]]; opacity:0.6; filter:'alpha(opacity:60)';}
/*}}}*/
/*{{{*/
* html .tiddler {height:1%;}

body {font-size:.75em; font-family:arial,helvetica; margin:0; padding:0;}

h1,h2,h3,h4,h5,h6 {font-weight:bold; text-decoration:none;}
h1,h2,h3 {padding-bottom:1px; margin-top:1.2em;margin-bottom:0.3em;}
h4,h5,h6 {margin-top:1em;}
h1 {font-size:1.35em;}
h2 {font-size:1.25em;}
h3 {font-size:1.1em;}
h4 {font-size:1em;}
h5 {font-size:.9em;}

hr {height:1px;}

a {text-decoration:none;}

dt {font-weight:bold;}

ol {list-style-type:decimal;}
ol ol {list-style-type:lower-alpha;}
ol ol ol {list-style-type:lower-roman;}
ol ol ol ol {list-style-type:decimal;}
ol ol ol ol ol {list-style-type:lower-alpha;}
ol ol ol ol ol ol {list-style-type:lower-roman;}
ol ol ol ol ol ol ol {list-style-type:decimal;}

.txtOptionInput {width:11em;}

#contentWrapper .chkOptionInput {border:0;}

.externalLink {text-decoration:underline;}

.indent {margin-left:3em;}
.outdent {margin-left:3em; text-indent:-3em;}
code.escaped {white-space:nowrap;}

.tiddlyLinkExisting {font-weight:bold;}
.tiddlyLinkNonExisting {font-style:italic;}

/* the 'a' is required for IE, otherwise it renders the whole tiddler in bold */
a.tiddlyLinkNonExisting.shadow {font-weight:bold;}

#mainMenu .tiddlyLinkExisting,
	#mainMenu .tiddlyLinkNonExisting,
	#sidebarTabs .tiddlyLinkNonExisting {font-weight:normal; font-style:normal;}
#sidebarTabs .tiddlyLinkExisting {font-weight:bold; font-style:normal;}

.header {position:relative;}
.header a:hover {background:transparent;}
.headerShadow {position:relative; padding:4.5em 0em 1em 1em; left:-1px; top:-1px;}
.headerForeground {position:absolute; padding:4.5em 0em 1em 1em; left:0px; top:0px;}

.siteTitle {font-size:3em;}
.siteSubtitle {font-size:1.2em;}

#mainMenu {position:absolute; left:0; width:10em; text-align:right; line-height:1.6em; padding:1.5em 0.5em 0.5em 0.5em; font-size:1.1em;}

#sidebar {position:absolute; right:3px; width:16em; font-size:.9em;}
#sidebarOptions {padding-top:0.3em;}
#sidebarOptions a {margin:0em 0.2em; padding:0.2em 0.3em; display:block;}
#sidebarOptions input {margin:0.4em 0.5em;}
#sidebarOptions .sliderPanel {margin-left:1em; padding:0.5em; font-size:.85em;}
#sidebarOptions .sliderPanel a {font-weight:bold; display:inline; padding:0;}
#sidebarOptions .sliderPanel input {margin:0 0 .3em 0;}
#sidebarTabs .tabContents {width:15em; overflow:hidden;}

.wizard {padding:0.1em 1em 0em 2em;}
.wizard h1 {font-size:2em; font-weight:bold; background:none; padding:0em 0em 0em 0em; margin:0.4em 0em 0.2em 0em;}
.wizard h2 {font-size:1.2em; font-weight:bold; background:none; padding:0em 0em 0em 0em; margin:0.4em 0em 0.2em 0em;}
.wizardStep {padding:1em 1em 1em 1em;}
.wizard .button {margin:0.5em 0em 0em 0em; font-size:1.2em;}
.wizardFooter {padding:0.8em 0.4em 0.8em 0em;}
.wizardFooter .status {padding:0em 0.4em 0em 0.4em; margin-left:1em;}
.wizard .button {padding:0.1em 0.2em 0.1em 0.2em;}

#messageArea {position:fixed; top:2em; right:0em; margin:0.5em; padding:0.5em; z-index:2000; _position:absolute;}
.messageToolbar {display:block; text-align:right; padding:0.2em 0.2em 0.2em 0.2em;}
#messageArea a {text-decoration:underline;}

.tiddlerPopupButton {padding:0.2em 0.2em 0.2em 0.2em;}
.popupTiddler {position: absolute; z-index:300; padding:1em 1em 1em 1em; margin:0;}

.popup {position:absolute; z-index:300; font-size:.9em; padding:0; list-style:none; margin:0;}
.popup .popupMessage {padding:0.4em;}
.popup hr {display:block; height:1px; width:auto; padding:0; margin:0.2em 0em;}
.popup li.disabled {padding:0.4em;}
.popup li a {display:block; padding:0.4em; font-weight:normal; cursor:pointer;}
.listBreak {font-size:1px; line-height:1px;}
.listBreak div {margin:2px 0;}

.tabset {padding:1em 0em 0em 0.5em;}
.tab {margin:0em 0em 0em 0.25em; padding:2px;}
.tabContents {padding:0.5em;}
.tabContents ul, .tabContents ol {margin:0; padding:0;}
.txtMainTab .tabContents li {list-style:none;}
.tabContents li.listLink { margin-left:.75em;}

#contentWrapper {display:block;}
#splashScreen {display:none;}

#displayArea {margin:1em 17em 0em 14em;}

.toolbar {text-align:right; font-size:.9em;}

.tiddler {padding:1em 1em 0em 1em;}

.missing .viewer,.missing .title {font-style:italic;}

.title {font-size:1.6em; font-weight:bold;}

.missing .subtitle {display:none;}
.subtitle {font-size:1.1em;}

.tiddler .button {padding:0.2em 0.4em;}

.tagging {margin:0.5em 0.5em 0.5em 0; float:left; display:none;}
.isTag .tagging {display:block;}
.tagged {margin:0.5em; float:right;}
.tagging, .tagged {font-size:0.9em; padding:0.25em;}
.tagging ul, .tagged ul {list-style:none; margin:0.25em; padding:0;}
.tagClear {clear:both;}

.footer {font-size:.9em;}
.footer li {display:inline;}

.annotation {padding:0.5em; margin:0.5em;}

* html .viewer pre {width:99%; padding:0 0 1em 0;}
.viewer {line-height:1.4em; padding-top:0.5em;}
.viewer .button {margin:0em 0.25em; padding:0em 0.25em;}
.viewer blockquote {line-height:1.5em; padding-left:0.8em;margin-left:2.5em;}
.viewer ul, .viewer ol {margin-left:0.5em; padding-left:1.5em;}

.viewer table, table.twtable {border-collapse:collapse; margin:0.8em 1.0em;}
.viewer th, .viewer td, .viewer tr,.viewer caption,.twtable th, .twtable td, .twtable tr,.twtable caption {padding:3px;}
table.listView {font-size:0.85em; margin:0.8em 1.0em;}
table.listView th, table.listView td, table.listView tr {padding:0px 3px 0px 3px;}

.viewer pre {padding:0.5em; margin-left:0.5em; font-size:1.2em; line-height:1.4em; overflow:auto;}
.viewer code {font-size:1.2em; line-height:1.4em;}

.editor {font-size:1.1em;}
.editor input, .editor textarea {display:block; width:100%; font:inherit;}
.editorFooter {padding:0.25em 0em; font-size:.9em;}
.editorFooter .button {padding-top:0px; padding-bottom:0px;}

.fieldsetFix {border:0; padding:0; margin:1px 0px 1px 0px;}

.sparkline {line-height:1em;}
.sparktick {outline:0;}

.zoomer {font-size:1.1em; position:absolute; overflow:hidden;}
.zoomer div {padding:1em;}

* html #backstage {width:99%;}
* html #backstageArea {width:99%;}
#backstageArea {display:none; position:relative; overflow: hidden; z-index:150; padding:0.3em 0.5em 0.3em 0.5em;}
#backstageToolbar {position:relative;}
#backstageArea a {font-weight:bold; margin-left:0.5em; padding:0.3em 0.5em 0.3em 0.5em;}
#backstageButton {display:none; position:absolute; z-index:175; top:0em; right:0em;}
#backstageButton a {padding:0.1em 0.4em 0.1em 0.4em; margin:0.1em 0.1em 0.1em 0.1em;}
#backstage {position:relative; width:100%; z-index:50;}
#backstagePanel {display:none; z-index:100; position:absolute; margin:0em 3em 0em 3em; padding:1em 1em 1em 1em;}
.backstagePanelFooter {padding-top:0.2em; float:right;}
.backstagePanelFooter a {padding:0.2em 0.4em 0.2em 0.4em;}
#backstageCloak {display:none; z-index:20; position:absolute; width:100%; height:100px;}

.whenBackstage {display:none;}
.backstageVisible .whenBackstage {display:block;}
/*}}}*/
/***
StyleSheet for use when a translation requires any css style changes.
This StyleSheet can be used directly by languages such as Chinese, Japanese and Korean which use a logographic writing system and need larger font sizes.
***/

/*{{{*/
body {font-size:0.8em;}

#sidebarOptions {font-size:1.05em;}
#sidebarOptions a {font-style:normal;}
#sidebarOptions .sliderPanel {font-size:0.95em;}

.subtitle {font-size:0.8em;}

.viewer table.listView {font-size:0.95em;}

.htmlarea .toolbarHA table {border:1px solid ButtonFace; margin:0em 0em;}
/*}}}*/
/*{{{*/
@media print {
#mainMenu, #sidebar, #messageArea, .toolbar, #backstageButton {display: none ! important;}
#displayArea {margin: 1em 1em 0em 1em;}
/* Fixes a feature in Firefox 1.5.0.2 where print preview displays the noscript content */
noscript {display:none;}
}
/*}}}*/
<!--{{{-->
<div class='header' macro='gradient vert [[ColorPalette::PrimaryLight]] [[ColorPalette::PrimaryMid]]'>
<div class='headerShadow'>
<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;
<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>
</div>
<div class='headerForeground'>
<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;
<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>
</div>
</div>
<div id='mainMenu' refresh='content' tiddler='MainMenu'></div>
<div id='sidebar'>
<div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>
<div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>
</div>
<div id='displayArea'>
<div id='messageArea'></div>
<div id='tiddlerDisplay'></div>
</div>
<!--}}}-->
<!--{{{-->
<div class='toolbar' macro='toolbar closeTiddler closeOthers +editTiddler > fields syncing permalink references jump'></div>
<div class='title' macro='view title'></div>
<div class='subtitle'><span macro='view modifier link'></span>, <span macro='view modified date'></span> (<span macro='message views.wikified.createdPrompt'></span> <span macro='view created date'></span>)</div>
<div class='tagging' macro='tagging'></div>
<div class='tagged' macro='tags'></div>
<div class='viewer' macro='view text wikified'></div>
<div class='tagClear'></div>
<!--}}}-->
<!--{{{-->
<div class='toolbar' macro='toolbar +saveTiddler -cancelTiddler deleteTiddler'></div>
<div class='title' macro='view title'></div>
<div class='editor' macro='edit title'></div>
<div macro='annotations'></div>
<div class='editor' macro='edit text'></div>
<div class='editor' macro='edit tags'></div><div class='editorFooter'><span macro='message views.editor.tagPrompt'></span><span macro='tagChooser'></span></div>
<!--}}}-->
To get started with this blank TiddlyWiki, you'll need to modify the following tiddlers:
* SiteTitle & SiteSubtitle: The title and subtitle of the site, as shown above (after saving, they will also appear in the browser title bar)
* MainMenu: The menu (usually on the left)
* DefaultTiddlers: Contains the names of the tiddlers that you want to appear when the TiddlyWiki is opened
You'll also need to enter your username for signing your edits: <<option txtUserName>>
These InterfaceOptions for customising TiddlyWiki are saved in your browser

Your username for signing your edits. Write it as a WikiWord (eg JoeBloggs)

<<option txtUserName>>
<<option chkSaveBackups>> SaveBackups
<<option chkAutoSave>> AutoSave
<<option chkRegExpSearch>> RegExpSearch
<<option chkCaseSensitiveSearch>> CaseSensitiveSearch
<<option chkAnimate>> EnableAnimations

----
Also see AdvancedOptions
Welcome!

[img[images/banner.png]]
<<option chkOpenInNewWindow>> OpenLinksInNewWindow
<<option chkSaveEmptyTemplate>> SaveEmptyTemplate
<<option chkToggleLinks>> Clicking on links to tiddlers that are already open causes them to close
^^(override with Control or other modifier key)^^
<<option chkHttpReadOnly>> HideEditingFeatures when viewed over HTTP
<<option chkForceMinorUpdate>> Treat edits as MinorChanges by preserving date and time
^^(override with Shift key when clicking 'done' or by pressing Ctrl-Shift-Enter)^^
//Macro: allTagsExcept
//Author: Clint Checketts
//Version: 1.0 Sept 8, 2005

// Plugin version record. NOTE(review): the header comment above says "Version: 1.0" while this records 0.1.0 — which one is authoritative is not clear from here.
version.extensions.allTagsExcept = {major: 0, minor: 1, revision: 0, date: new Date(2005,8,15)};
// User-visible strings used by the handler below: tooltip is a format template whose '%0' is replaced with the tag name; noTags is shown when the store has no tags at all.
config.macros.allTagsExcept = {tooltip: "Show tiddlers tagged with '%0'",noTags: "There are no tags to display"};

//usage: < < allTagsExcept systemConfig systemTiddlers > > This will show all tags except those listed (e.g. systemConfig and systemTiddlers).

config.macros.allTagsExcept.handler = function(place,macroName,params)
{
	// Render a <ul> under `place` with one <li> button per tag in the store, skipping any tag
	// whose name appears in `params`. Each button is labelled "tag (count)", carries the tag
	// name in a "tag" attribute and uses onClickTag as its click handler. If the store has no
	// tags at all, a single "listTitle" item containing this.noTags is rendered instead.
	var allTags = store.getTags();
	var list = createTiddlyElement(place,"ul",null,null,null);
	if(allTags.length == 0) {
		createTiddlyElement(list,"li",null,"listTitle",this.noTags);
	}
	for(var i=0; i<allTags.length; i++) {
		var tagName = allTags[i][0];
		var tagCount = allTags[i][1];
		// A tag is excluded when it matches any of the macro's parameters.
		var excluded = false;
		for(var j=0; j<params.length; j++) {
			if(tagName == params[j]) {
				excluded = true;
			}
		}
		if(excluded) {
			continue;
		}
		var item = createTiddlyElement(list,"li",null,null,null);
		var btn = createTiddlyButton(item,tagName + " (" + tagCount + ")",this.tooltip.format([tagName]),onClickTag);
		btn.setAttribute("tag",tagName);
	}
}
!__1.0 Honeynet Deployments__
!!1.1 Current technologies deployed.
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to use live ~OSs instead of ~VMware or ~HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. Since our last report, we have restructured our honeynet and converted to the Honeywall CD configuration; we also now conduct all monitoring of the honeynet on an analysis box that is separate from the Honeywall (bridge) machine. We continue to deploy a Darknet within our Honeynet and have added a SUN workstation during this period. Our focus continues to be the use of the Honeynet to help secure the campus network.
!!1.2 Lessons learned from the technology, what you like about it.
Honeynets can be incorporated into an organization’s network security plan to help secure the network. We work closely with Georgia Tech’s Office of Information Technology to help secure the campus network.

We have improved our log file naming convention. Previously we created a new folder for each day’s log file(s) and named the folder by the month and day (e.g. Mar15, Apr24, Aug12). This format required separate storage locations for different years, and was more difficult to navigate both within Ethereal and in developing scripts that run on a series of logs, because the folders were sorted alphabetically by month instead of in date order. Our improved format is to create a folder for each day in numerical year-month-day form (e.g. 20020315, 20030424, 20040812).

Our new setup with the honeywall CD, separate analysis box, and cleanly wired honeynet rack appears to be stable and makes it much simpler to adjust the configuration of the honeynet; adding a honeypot to the network or quickly disconnecting a honeypot from the network is now a simpler task as a result of the improvements made this summer.

The data consistency created by using the honeywall CD is very beneficial.
!!1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.
We need better methods to analyze the large amount of data collected by the honeynet. We are working towards developing tools to both analyze and visualize the data collected.
!__2.0 Findings__
!!2.1 Number and type of systems compromised during six month period.
We have had two honeypots compromised by worms since our last report. One machine was a Microsoft Windows 2000 system and the other was a Linux ~RedHat 7.3 system.
!!2.2 Highlight any unique findings, attacks, tools, or methods.
We found it interesting to observe the large spike in traffic to the honeynet from the Georgia Tech address range as students moved back in to start the Fall semester. Over the course of the summer, a typical day would include fewer than five (and often zero) IPs attempting to establish connections to the honeynet from within Georgia Tech’s two and a half Class B address range. As students returned for the Fall semester, the number of IPs attempting to establish connections increased dramatically, with a typical day including 10-20 separate IPs attempting to establish connections.

Using a darknet to increase our IP address range provides additional traffic to include in our analysis (without the addition of physical honeypots) and helps us to observe scanning patterns.

We had 489 unique machines on the Georgia Tech campus that attempted to connect to the Honeynet between January 1st, 2004 and August 31st, 2004. (These machines are assumed to be compromised or in use by a malicious person.)
!!2.3 Any trends seen in the past six months;
The majority of traffic to our honeynet originating from within the campus network attempts to establish connections to Port 445. Between January 1, 2004 and August 31, 2004, 795 machines from within the campus attempted to establish a connection using port 445. (This number includes repeat attacks from a single IP address, but only counts one connection attempt per machine per day to port 445.)

We found an article that mentions the use of TCP ports 135 and 1026 to send popup spam to Windows systems. On at least one occasion we observed this type of traffic, but it did not result in a popup window on our honeypot.
!!2.4 Document data analysis tools and methods being used.
We currently use ethereal with various filters as our primary data analysis tool. We are developing perl scripts to parse through the logs and generate plots of the data. (PCAP data is parsed and the extracted results are stored in an XML file. Plots are then generated from the XML data.)
!!2.5 For data analysis what tools work well, and what still needs to be developed.
Ethereal is not a very efficient or effective way to analyze daily logs, especially as the size of the honeynet is increased, resulting in additional traffic. We have begun to develop perl scripts, but this method appears to be too slow as well. What we need to do is implement our perl scripts in C. We also are considering the use of an SQL database to be able to cope with the large amount of data and access it more quickly.

We could reap huge benefits from a data analysis CD in addition to the honeywall CD. The data analysis CD could be used to setup your analysis box and could be another way to standardize honeynets throughout the alliance.
!__3.0 Misc. Activities__
!!3.1 Presenting at conferences
The papers listed in 3.3 were presented at conferences.
!!3.2 Developing, testing or releasing code
We have developed several perl scripts for data analysis, but we believe implementing these (and other) scripts in C will prove more beneficial for data analysis. We also have a ~PhD student working on network security visualization techniques and are using the software he is developing to observe our honeynet data.
!!3.3 Publication of papers
The following papers were published and presented at the IEEE Information Assurance Workshop at West Point, New York:
"Application of a Methodology to Characterize Rootkits Retrieved from Honeynets" by John Levine, Julian Grizzard, and Henry Owen; and
"An Investigation of a Compromised Host on a Honeynet Being Used to Increase the Security of a Large Enterprise Network" by Timothy Jackson, John Levine, Julian Grizzard, and Henry Owen.

The following paper was published and presented at DEFCON 12:
“Network Attack Visualization” by Greg Conti.

The following paper was published and presented at the Recent Advances in Intrusion Detection (RAID) Symposium:
"~HoneyStat: Local Worm Detection Using Honeypots" by David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen.
!!3.4 Involvement in ~SotM challenges.
We have not participated.
!!3.5 Other
We have developed a honeynet continuity file for the Georgia Tech Honeynet. One of the challenges of a student run honeynet at an academic institute is that students (graduate and undergraduate) arrive and depart on a regular basis. For example, John Levine, who created the Georgia Tech Honeynet, graduated with a ~PhD in May 2004 and is now an instructor at West Point, and Julian Grizzard, who is currently in charge of the honeynet, expects to graduate with his ~PhD in 2005. We developed the continuity file to streamline the process of teaching new people how to run and monitor the honeynet, as well as serve as a source for lessons learned. The file includes configuration information, points of contact (internal and external), web sites of interest, logging information, and policy guidelines for monitoring our honeynet. We recommend a continuity file for any organization, but especially for academic institutes.
!__4.0 Organizational__
!!4.1 Changes in the structure of your organization.
We have new undergraduate students getting involved in the honeynet, including Neil Joshi and Alfredo Ramos.
!__5.0 Lessons Learned__
!!5.1 What positive things can you share with the community, so they can replicate your success.
The Georgia Tech Honeynet is a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is likely from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.

The honeywall CDROM has worked out well. When making significant changes to a honeynet, we recommend making the changes in a down period in case there are configuration issues. Making the transition to the honeywall CDROM during the summer semester proved very beneficial. We also recommend testing any configuration changes on a private network prior to connecting to the internet.
!!5.2 What mistakes can you share with the community, so they don't make the same mistakes.
Parsing through large data sets can be very time consuming. We need better tools that the community can use to make this analysis easier and more efficient.
!__6.0 Goals__
!!6.1 Plans/Goals for next six months.
We are currently working on writing a Know Your Enemy Paper based on a statistical analysis of our data. We also intend to add honeypots to our honeynet within the next few months, with a long term goal of developing a distributed honeynet across the Georgia Tech network. We also plan to develop more elaborate quality analysis tools (in a beta state right now) to share with the community.
Background: #fff
Foreground: #000
PrimaryPale: #8cf
PrimaryLight: #18f
PrimaryMid: #fff
PrimaryDark: #014
SecondaryPale: #ffc
SecondaryLight: #fe8
SecondaryMid: #db4
SecondaryDark: #841
TertiaryPale: #eee
TertiaryLight: #ccc
TertiaryMid: #999
TertiaryDark: #666
Error: #f88
/***
|Name|DatePlugin|
|Source|http://www.TiddlyTools.com/#DatePlugin|
|Version|2.3.0|
|Author|Eric Shulman - ELS Design Studios|
|License|http://www.TiddlyTools.com/#LegalStatements <<br>>and [[Creative Commons Attribution-ShareAlike 2.5 License|http://creativecommons.org/licenses/by-sa/2.5/]]|
|~CoreVersion|2.1|
|Type|plugin|
|Requires||
|Overrides||
|Description|formatted dates plus popup menu with 'journal' link, changes and (optional) reminders|

There are quite a few calendar generators, reminders, to-do lists, 'dated tiddlers' journals, blog-makers and GTD-like schedule managers that have been built around TW.  While they all have different purposes, and vary in format, interaction, and style, in one way or another each of these plugins displays and/or uses date-based information to make finding, accessing and managing relevant tiddlers easier.  This plugin provides a general approach to embedding dates and date-based links/menus within tiddler content.

This plugin displays formatted dates, for the specified year, month, day using number values or mathematical expressions such as (Y+1) or (D+30).  Optionally, you can create a link from the formatted output to a 'dated tiddler' for quick blogging or create a popup menu that includes the dated tiddler link plus links to changes made on that date as well as links to any pending reminders for the coming 31 days (if the RemindersPlugin is installed).  This plugin also provides a public API for easily incorporating formatted date output (with or without the links/popups) into other plugins, such as calendar generators, etc.
!!!!!Usage
<<<
When installed, this plugin defines a macro: {{{<<date [mode] [date] [format] [linkformat]>>}}}.  All of the macro parameters are optional and, in its simplest form, {{{<<date>>}}}, it is equivalent to the ~TiddlyWiki core macro, {{{<<today>>}}}.

However, where {{{<<today>>}}} simply inserts the current date/time in a predefined format (or custom format, using {{{<<today [format]>>}}}), the {{{<<date>>}}} macro's parameters take it much further than that:
* [mode] is either ''display'', ''link'' or ''popup''.  If omitted, it defaults to ''display''.  This parameter lets you select between simply displaying a formatted date, or creating a link to a specific 'date titled' tiddler or a popup menu containing a dated tiddler link, plus links to changes and reminders.
* [date] lets you enter ANY date (not just today) as ''year, month, and day values or simple mathematical expressions'' using pre-defined variables, Y, M, and D for the current year, month and day, respectively.  You can display the modification date of the current tiddler by using the keyword: ''tiddler'' in place of the year, month and day parameters.  Use ''tiddler://name-of-tiddler//'' to display the modification date of a specific tiddler.  You can also use keywords ''today'' or ''filedate'' to refer to these //dynamically changing// date/time values.  
* [format] and [linkformat] use standard ~TiddlyWiki date formatting syntax.  The default is "YYYY.0MM.0DD"
>^^''DDD'' - day of week in full (eg, "Monday"), ''DD'' - day of month, ''0DD'' - adds leading zero^^
>^^''MMM'' - month in full (eg, "July"), ''MM'' - month number, ''0MM'' - adds leading zero^^
>^^''YYYY'' - full year, ''YY'' - two digit year, ''hh'' - hours, ''mm'' - minutes, ''ss'' - seconds^^
>^^//note: use of hh, mm or ss format codes is only supported with ''tiddler'', ''today'' or ''filedate'' values//^^
* [linkformat] - specify an alternative date format so that the title of a 'dated tiddler' link can have a format that differs from the date's displayed format

In addition to the macro syntax, DatePlugin also provides a public javascript API so that other plugins that work with dates (such as calendar generators, etc.) can quickly incorporate date formatted links or popups into their output:

''{{{showDate(place, date, mode, format, linkformat, autostyle, weekend)}}}'' 

Note that in addition to the parameters provided by the macro interface, the javascript API also supports two optional true/false parameters:
* [autostyle] - when true, the font/background styles of formatted dates are automatically adjusted to show the date's status:  'today' is boxed, 'changes' are bold, 'reminders' are underlined, while weekends and holidays (as well as changes and reminders) can each have a different background color to make them more visibly distinct from each other.
* [weekend] - true indicates a weekend, false indicates a weekday.  When this parameter is omitted, the plugin uses internal defaults to automatically determine when a given date falls on a weekend.
<<<
!!!!!Examples
<<<
The current date: <<date>>
The current time: <<date today "0hh:0mm:0ss">>
Today's blog: <<date link today "DDD, MMM DDth, YYYY">>
Recent blogs/changes/reminders: <<date popup Y M D-1 "yesterday">> <<date popup today "today">> <<date popup Y M D+1 "tomorrow">>
The first day of next month will be a <<date Y M+1 1 "DDD">>
This tiddler (DatePlugin) was last updated on: <<date tiddler "DDD, MMM DDth, YYYY">>
The SiteUrl was last updated on: <<date tiddler:SiteUrl "DDD, MMM DDth, YYYY">>
This document was last saved on <<date filedate "DDD, MMM DDth, YYYY at 0hh:0mm:0ss">>
<<date 2006 07 24 "MMM DDth, YYYY">> will be a <<date 2006 07 24 "DDD">>
<<<
!!!!!Installation
<<<
import (or copy/paste) the following tiddlers into your document:
''DatePlugin'' (tagged with <<tag systemConfig>>)
<<<
!!!!!Revision History
<<<
''2007.05.31 [2.3.0]'' list "created" tiddlers in date popup.  Also, force re-cache of created/modified indices when displaying current date and store.isDirty(), so that popup is kept in sync with tiddler changes.
''2006.05.09 [2.2.1]'' added "todaybg" handling to set background color of current date.  Also, honor excludeLists tag when getting lists of tiddlers.  Based on suggestions by Mark Hulme.
''2006.05.05 [2.2.0]'' added "linkedbg" handling to set background color when a 'dated tiddler' exists.  Based on a suggestion by Mark Hulme.
''2006.03.08 [2.1.2]'' add 'override leadtime' flag param in call to findTiddlersWithReminders(), and add "Enter a title" default text to new reminder handler.  Thanks to Jeremy Sheeley for these additional tweaks.
''2006.03.06 [2.1.0]'' hasReminders() now uses window.reminderCacheForCalendar[] when present.  If calendar cache is not present, indexReminders() now uses findTiddlersWithReminders() with a 90-day look ahead to check for reminders.  Also, switched default background colors for autostyled dates: reminders are now greenish ("c0ffee") and holidays are now reddish ("ffaace").
''2006.02.14 [2.0.5]'' when readOnly is set (by TW core), omit "new reminders..." popup menu item and, if a "dated tiddler" does not already exist, display the date as simple text instead of a link.
''2006.02.05 [2.0.4]'' added var to variables that were unintentionally global.  Avoids FireFox 1.5.0.1 crash bug when referencing global variables
''2006.01.18 [2.0.3]'' In 1.2.x the tiddler editor's text area control was given an element ID=("tiddlerBody"+title), so that it was easy to locate this field and programmatically modify its content.  With the addition of configuration templates in 2.x, the textarea no longer has an ID assigned.  To find this control we now look through all the child nodes of the tiddler editor to locate a "textarea" control where attribute("edit") equals "text", and then append the new reminder to the contents of that control.
''2006.01.11 [2.0.2]'' correct 'weekend' override detection logic in showDate()
''2006.01.10 [2.0.1]'' allow custom-defined weekend days (default defined in config.macros.date.weekend[] array)
added flag param to showDate() API to override internal weekend[] array
''2005.12.27 [2.0.0]'' Update for TW2.0
Added parameter handling for 'linkformat'
''2005.12.21 [1.2.2]'' FF's date.getYear() function returns 105 (for the current year, 2005).  When calculating a date value from Y M and D expressions, the plugin adds 1900 to the returned year value to get the current year number.  But IE's date.getYear() already returns 2005.  As a result, plugin calculated date values on IE were incorrect (e.g., 3905 instead of 2005).  Adding +1900 is now conditional so the values will be correct on both browsers.
''2005.11.07 [1.2.1]'' added support for "tiddler" dynamic date parameter
''2005.11.06 [1.2.0]'' added support for "tiddler:title" dynamic date parameter
''2005.11.03 [1.1.2]'' when a reminder doesn't have a specified title parameter, use the title of the tiddler that contains the reminder as "fallback" text in the popup menu.  Based on a suggestion from BenjaminKudria.
''2005.11.03 [1.1.1]'' Temporarily bypass hasReminders() logic to avoid excessive overhead from generating the indexReminders() cache.  While reminders can still appear in the popup menu, they just won't be indicated by auto-styling the date number that is displayed.  This single change saves approx. 60% overhead (5 second delay reduced to under 2 seconds).
''2005.11.01 [1.1.0]'' corrected logic in hasModifieds() and hasReminders() so caching of indexed modifieds and reminders is done just once, as intended.  This should hopefully speed up calendar generators and other plugins that render multiple dates...
''2005.10.31 [1.0.1]'' documentation and code cleanup
''2005.10.31 [1.0.0]'' initial public release
''2005.10.30 [0.9.0]'' pre-release
<<<
!!!!!Credits
<<<
This feature was developed by EricShulman from [[ELS Design Studios|http://www.elsdesign.com]].
<<<
!!!!!Code
***/
//{{{
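// Version record for this plugin. JavaScript month indices are 0-based, so
// May (the month named in the 2.3.0 revision history entry) is index 4; the
// previous value 5 denoted June 31st, which Date() rolls over into July.
version.extensions.date = {
	major: 2,
	minor: 3,
	revision: 0,
	date: new Date(2007,4,31) // 2007.05.31
};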
//}}}

//{{{
// Plugin settings. The *bg colours and the holidays[]/weekend[] tables are
// only consulted by showDate() when its 'autostyle' argument is true; when
// several backgrounds apply, later entries in showDate() win (todaybg highest,
// weekendbg lowest).
config.macros.date = {
	format: "YYYY.0MM.0DD", // default date display format
	linkformat: "YYYY.0MM.0DD", // 'dated tiddler' link format
	linkedbg: "#babb1e", // "babble" - background when the dated tiddler exists
	todaybg: "#ffab1e", // "fable" - background for the current date
	weekendbg: "#c0c0c0", // "cocoa" - background for weekend days
	holidaybg: "#ffaace", // "face" - background for dates listed in holidays[]
	createdbg: "#bbeeff", // "beef" - background when tiddlers were created on the date
	modifiedsbg: "#bbeeff", // "beef" - background when tiddlers were modified on the date
	remindersbg: "#c0ffee", // "coffee" - background when reminders fall on the date
	holidays: [ "01/01", "07/04", "07/24", "11/24" ], // NewYearsDay, IndependenceDay(US), Eric's Birthday (hooray!), Thanksgiving(US)
	// holidays[] entries are "0MM/0DD" (every year) or "0MM/0DD/YYYY" (one specific day); see isHoliday()
	weekend: [ 1,0,0,0,0,0,1 ] // [ day index values: sun=0, mon=1, tue=2, wed=3, thu=4, fri=5, sat=6 ]
};
//}}}

//{{{
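config.macros.date.handler = function(place,macroName,params)
{
	// Macro entry point: <<date [mode] [date] [format] [linkformat]>>.
	// Consumes the optional mode keyword and the date specification from
	// 'params' left to right, then hands rendering to showDate(). Output is
	// appended to 'place'; nothing is returned.

	// do we want to see a link, a popup, or just a formatted date?
	var mode="display";
	if (params[0]=="display") { mode=params[0]; params.shift(); }
	if (params[0]=="popup") { mode=params[0]; params.shift(); }
	if (params[0]=="link") { mode=params[0]; params.shift(); }

	// Reduce one Y/M/D expression (e.g. "Y+1", "D-30") to a number.
	// Macro params come straight from tiddler text, so they are untrusted:
	// after substituting the current value for the variable, only digits,
	// whitespace, arithmetic operators and parentheses are handed to eval();
	// anything else, an expression that does not evaluate to a number, or a
	// missing parameter falls back to 'current' rather than letting script
	// embedded in a tiddler run in the reader's browser.
	var component=function(expr,pattern,current) {
		if (expr==undefined) return current;
		var text=String(expr).replace(pattern,current);
		if (!/^[\d\s+\-*\/().]+$/.test(text)) return current;
		var value;
		try { value=eval(text); } catch(ex) { return current; }
		return (typeof value=="number" && !isNaN(value))?value:current;
	};

	// get the date
	var now = new Date();
	var date = now;
	if (!params[0] || params[0]=="today")
		{ params.shift(); }
	else if (params[0]=="filedate")
		{ date=new Date(document.lastModified); params.shift(); }
	else if (params[0]=="tiddler")
		{ date=store.getTiddler(story.findContainingTiddler(place).id.substr(7)).modified; params.shift(); }
	else if (params[0].substr(0,8)=="tiddler:")
		{ var t; if ((t=store.getTiddler(params[0].substr(8)))) date=t.modified; params.shift(); }
	else {
		// getYear() is 1900-based in some browsers and a full year in others
		var thisYear=(now.getYear()<1900)?now.getYear()+1900:now.getYear();
		var y = component(params.shift(),/Y/ig,thisYear);
		var m = component(params.shift(),/M/ig,now.getMonth()+1);
		var d = component(params.shift(),/D/ig,now.getDate());
		date = new Date(y,m-1,d);
	}
	// date format with optional custom override
	var format=this.format; if (params[0]) format=params.shift();
	var linkformat=this.linkformat; if (params[0]) linkformat=params.shift();
	showDate(place,date,mode,format,linkformat);
}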
//}}}

//{{{
window.showDate=showDate;
function showDate(place,date,mode,format,linkformat,autostyle,weekend)
{
	// Public API: render 'date' into 'place' as plain text ("display"), as a
	// link to the dated tiddler ("link"), or as a link that opens the
	// changes/reminders popup ("popup"). 'format' is used for the visible
	// text and 'linkformat' for the dated tiddler's title; both default to
	// the plugin settings. With 'autostyle' true the link and its container
	// are decorated by the date's status; 'weekend', when given, overrides
	// the built-in weekend[] lookup.
	mode = mode || "display";
	format = format || config.macros.date.format;
	linkformat = linkformat || config.macros.date.linkformat;
	autostyle = autostyle || false;

	var title = date.formatString(format);
	var linkto = date.formatString(linkformat);

	// plain text: nothing else to do
	if (mode=="display") {
		place.appendChild(document.createTextNode(title));
		return;
	}

	// otherwise build the 'dated tiddler' link and remember the formatting
	// details on it for the popup click handler
	var link = createTiddlyLink(place, linkto, false);
	link.appendChild(document.createTextNode(title));
	link.title = linkto;
	link.date = date;
	link.format = format;
	link.linkformat = linkformat;

	// popup mode: swap in the popup click handler and drop the italic
	// 'missing tiddler' look
	if (mode=="popup") {
		link.onclick = onClickDatePopup;
		link.style.fontStyle="normal";
	}

	if (!autostyle) return;

	// status flags, each looked up once (for calendar generators)
	var cfg=config.macros.date;
	var created=hasCreateds(date);
	var modified=hasModifieds(date);
	var reminders=hasReminders(date);
	var today=isToday(date);
	var onWeekend=(weekend!=undefined)?weekend:isWeekend(date);

	// text styling on the link itself
	if (modified||created) {
		link.style.fontStyle="normal";
		link.style.fontWeight="bold";
	}
	if (reminders) link.style.textDecoration="underline";
	if (today) link.style.border="1px solid black";

	// background on the container: each later rule overrides the earlier
	// ones, so 'today' has the highest priority and 'weekend' the lowest
	if (onWeekend && cfg.weekendbg!="") place.style.background = cfg.weekendbg;
	if (isHoliday(date) && cfg.holidaybg!="") place.style.background = cfg.holidaybg;
	if (created && cfg.createdbg!="") place.style.background = cfg.createdbg;
	if (modified && cfg.modifiedsbg!="") place.style.background = cfg.modifiedsbg;
	if (store.tiddlerExists(linkto) && cfg.linkedbg!="") place.style.background = cfg.linkedbg;
	if (reminders && cfg.remindersbg!="") place.style.background = cfg.remindersbg;
	if (today && cfg.todaybg!="") place.style.background = cfg.todaybg;
}
//}}}

//{{{
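function isToday(date) // returns true if date falls on the current calendar day (local time)
{
	var now=new Date();
	// compare calendar fields instead of a rolling 24-hour window, so a
	// timestamp from late yesterday is not reported as "today" and one
	// from later today is
	return (date.getFullYear()==now.getFullYear()
		&& date.getMonth()==now.getMonth()
		&& date.getDate()==now.getDate());
}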

function isWeekend(date) // returns true if date is a weekend
{
	// weekend[] is indexed by getDay(): sun=0 ... sat=6
	var dayOfWeek=date.getDay();
	return config.macros.date.weekend[dayOfWeek];
}

function isHoliday(date) // returns true if date is a holiday
{
	// holidays[] entries may name a specific day ("0MM/0DD/YYYY") or a
	// recurring one ("0MM/0DD"); either form matches
	var specific = date.formatString("0MM/0DD/YYYY");
	var recurring = date.formatString("0MM/0DD");
	var list = config.macros.date.holidays;
	for (var i=0, n=list.length; i<n; i++) {
		if (list[i]==specific || list[i]==recurring) return true;
	}
	return false;
}
//}}}

//{{{
// Event handler for clicking on a day popup
function onClickDatePopup(e)
{
	// 'this' is the dated-tiddler link built by showDate(); it carries
	// .date, .format and .linkformat for the popup contents
	e = e || window.event;
	var theTarget = resolveTarget(e); // result unused
	var popup = createTiddlerPopup(this);
	if (popup) {
		var datedTitle=this.date.formatString(this.linkformat);
		// the dated tiddler entry comes first; when the document is readOnly
		// it is only a link if that tiddler already exists
		if (readOnly && !store.tiddlerExists(datedTitle))
			createTiddlyText(popup,datedTitle);
		else
			createTiddlyLink(popup,datedTitle,true);
		addCreatedsToPopup(popup,this.date,this.format);
		addModifiedsToPopup(popup,this.date,this.format);
		addRemindersToPopup(popup,this.date,this.linkformat);
	}
	scrollToTiddlerPopup(popup,false);
	// keep the click from reaching the enclosing tiddler
	e.cancelBubble = true;
	if (e.stopPropagation) e.stopPropagation();
	return false;
}
//}}}

//{{{
function indexCreateds() // build list of tiddlers, hash indexed by creation date
{
	// keys are "YYYY0MM0DD" strings, values are arrays of tiddler titles;
	// the store query skips tiddlers tagged excludeLists
	var byDate = {};
	var all = store.getTiddlers("title","excludeLists");
	for (var i=0, n=all.length; i<n; i++) {
		var key = all[i].created.formatString("YYYY0MM0DD");
		(byDate[key] || (byDate[key] = [])).push(all[i].title);
	}
	return byDate;
}
function hasCreateds(date) // returns true if date has created tiddlers
{
	// the index is built lazily and cached on config.macros.date
	var cfg=config.macros.date;
	if (!cfg.createds) cfg.createds=indexCreateds();
	var key=date.formatString("YYYY0MM0DD");
	return cfg.createds[key]!==undefined;
}

function addCreatedsToPopup(popup,when,format)
{
	// list the tiddlers created on 'when' in the popup ('format' is not used here)
	var key=when.formatString("YYYY0MM0DD");
	var cfg=config.macros.date;
	// with unsaved changes in the store and 'when' being today, rebuild the
	// index so tiddlers created during this session are included
	var stale = store.isDirty() && key==new Date().formatString("YYYY0MM0DD");
	if (stale || !cfg.createds) cfg.createds=indexCreateds();
	var titles = cfg.createds[key];
	if (!titles) return;
	titles.sort();
	var indent=String.fromCharCode(160)+String.fromCharCode(160); // two non-breaking spaces
	createTiddlyElement(popup,"div",null,null,"created:");
	for (var i=0; i<titles.length; i++) {
		var link=createTiddlyLink(popup,titles[i],false);
		link.appendChild(document.createTextNode(indent+titles[i]));
		createTiddlyElement(popup,"br",null,null,null);
	}
}
//}}}

//{{{
function indexModifieds() // build list of tiddlers, hash indexed by modification date
{
	// keys are "YYYY0MM0DD" strings, values are arrays of tiddler titles;
	// the store query skips tiddlers tagged excludeLists
	var byDate = {};
	var all = store.getTiddlers("title","excludeLists");
	for (var i=0, n=all.length; i<n; i++) {
		var key = all[i].modified.formatString("YYYY0MM0DD");
		if (!byDate[key]) byDate[key] = [];
		byDate[key].push(all[i].title);
	}
	return byDate;
}
function hasModifieds(date) // returns true if date has modified tiddlers
{
	// the index is built lazily and cached on config.macros.date
	var cfg=config.macros.date;
	if (!cfg.modifieds) cfg.modifieds=indexModifieds();
	var key=date.formatString("YYYY0MM0DD");
	return cfg.modifieds[key]!==undefined;
}

function addModifiedsToPopup(popup,when,format)
{
	// list the tiddlers modified on 'when' in the popup ('format' is not used here)
	var key=when.formatString("YYYY0MM0DD");
	var cfg=config.macros.date;
	// with unsaved changes in the store and 'when' being today, rebuild the
	// index so tiddlers changed during this session are included
	var stale = store.isDirty() && key==new Date().formatString("YYYY0MM0DD");
	if (stale || !cfg.modifieds) cfg.modifieds=indexModifieds();
	var titles = cfg.modifieds[key];
	if (!titles) return;
	titles.sort();
	var indent=String.fromCharCode(160)+String.fromCharCode(160); // two non-breaking spaces
	createTiddlyElement(popup,"div",null,null,"changed:");
	for (var i=0; i<titles.length; i++) {
		var link=createTiddlyLink(popup,titles[i],false);
		link.appendChild(document.createTextNode(indent+titles[i]));
		createTiddlyElement(popup,"br",null,null,null);
	}
}
//}}}

//{{{
function indexReminders(date,leadtime) // build list of tiddlers with reminders, hash indexed by reminder date
{
	// returns an empty hash unless the RemindersPlugin provides
	// findTiddlersWithReminders(); keys are the matched Date objects
	// (stringified when used as property names), values are true
	var byDate = {};
	if (window.findTiddlersWithReminders!=null) {
		var matches = findTiddlersWithReminders(date, [0,leadtime], null, null, 1);
		for (var i=0, n=matches.length; i<n; i++) byDate[matches[i].matchedDate]=true;
	}
	return byDate;
}

function hasReminders(date) // returns true if date has reminders
{
	// prefer the calendar plugin's cache when one is present
	var calendarCache=window.reminderCacheForCalendar;
	if (calendarCache) return calendarCache[date];
	// otherwise build, once, a cache covering 90 days from the first date
	// asked about; it is not refreshed afterwards
	var cfg=config.macros.date;
	if (!cfg.reminders) cfg.reminders=indexReminders(date,90);
	return cfg.reminders[date];
}

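function addRemindersToPopup(popup,when,format)
{
	// Append the reminders due within 31 days of 'when' to the popup, then
	// (unless the document is readOnly) a "new reminder..." link that opens
	// the tiddler titled by 'format' in the editor and appends a <<reminder>>
	// macro to its body.
	if(window.findTiddlersWithReminders==undefined) return; // reminder plugin not installed

	var indent = String.fromCharCode(160)+String.fromCharCode(160);
	var reminders=findTiddlersWithReminders(when, [0,31],null,null,1);
	createTiddlyElement(popup,"div",null,null,"reminders:"+(!reminders.length?" none":""));
	for(var t=0; t<reminders.length; t++) {
		var item = createTiddlyLink(popup,reminders[t].tiddler,false);
		var diff=reminders[t].diff;
		diff=(diff<1)?"Today":((diff==1)?"Tomorrow":diff+" days");
		// a reminder without a title is shown under its containing tiddler's title
		var txt=(reminders[t].params["title"])?reminders[t].params["title"]:reminders[t].tiddler;
		item.appendChild(document.createTextNode(indent+diff+" - "+txt));
		createTiddlyElement(popup,"br",null,null,null);
	}
	if (readOnly) return;	// omit "new reminder..." link
	var link = createTiddlyLink(popup,indent+"new reminder...",true); createTiddlyElement(popup,"br");
	var title = when.formatString(format);
	link.title="add a reminder to '"+title+"'";
	link.onclick = function() {
		// show tiddler editor
		story.displayTiddler(null, title, 2, null, null, false, false);
		// find the body 'textarea'; if the editor element is not in the
		// document (e.g. the tiddler could not be displayed) there is
		// nothing to edit, so bail out instead of dereferencing null
		var editor = document.getElementById("tiddler" + title);
		if (!editor) return;
		var c = editor.getElementsByTagName("*");
		var body = null;
		for (var i=0; i<c.length; i++) {
			if ((c[i].tagName.toLowerCase()=="textarea") && (c[i].getAttribute("edit")=="text")) { body=c[i]; break; }
		}
		if (!body) return;
		// append reminder macro to tiddler content, on a new line when the
		// tiddler already has text
		if (store.tiddlerExists(title)) body.value+="\n"; else body.value="";
		body.value += "<<reminder";
		body.value += " day:"+when.getDate();
		body.value += " month:"+(when.getMonth()+1);
		body.value += " year:"+when.getFullYear();
		body.value += ' title:"Enter a title" >>';
	};
}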
//}}}
[[About]]
[[News]]
!__Publications__
* H. Altunbasak, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Securing layer 2 in local area networks," accepted IEEE ICN 2005.
* H. Altunbasak, S. Krasser, H. Owen, J. Sokol, J. Grimminger, and H.-P. Huth, "Addressing the weak link between layer 2 and layer 3 in the Internet architecture," in Proc. IEEE International Conference on Local Computer Networks, Tampa, Florida, USA, pp. 417-418, November 2004.
In order to release captures of network attack traffic to the public, much of the sensitive information contained within the capture files must be removed. The goals of our anonymization algorithms are to protect the sensitive information while allowing researchers and the public at large to examine and analyze the network attacks. Our solution uses one-to-one mappings of IP addresses (even within payloads) and overwriting of hostnames.

!Anonymization Methods
------------------------------------
!!__IP Address Mapping__
We map the top two octets and the bottom two octets separately. For the top two octets, we generate one map and for the bottom two octets we create a map for each of our subdomains with the Georgia Tech IP space and one for other non-Georgia Tech addresses. Some /16 networks should not be mapped since they are private, unroutable, or have some special attribute. We identified several networks that we do not map the top two octets as listed below. For the remaining networks, we randomly mix the mapping.
*0.0.0.0/8
*10.0.0.0/8
*127.0.0.0/8
*169.254.0.0/16
*172.16.0.0/16
*192.168.0.0/16
*224.0.0.0/4
*240.0.0.0/4
The lower mappings consist of mapping the lower two octets of the IP addresses. In the lower mappings, if the last octet is equal to 0 or 255, it is mapped to another address ending in 0 or 255. All other lower two octets are randomly mapped. 

!!__IP Header Anonymization__
For each IP packet, the packet is first disassembled. Then the source and destination IP addresses are remapped, and the packet is reassembled. We use a perl module, ~NetPacket::IP, for the purpose of parsing and reassembling the packet. This perl module is kind enough to recalculate the IP header checksum, so that an attacker cannot use the checksum to recover the original IP addresses.

!!__ICMP, TCP, and UDP Header Anonymization__
The next layer of the communications stack gives a new set of details that could be used to calculate the original IP addresses. Both the TCP and UDP header checksums are calculated from a pseudo-header which contains the source and destination IP addresses (from the IP header), so they must be recomputed after the addresses are remapped. ICMP is trickier. ICMP oftentimes embeds the headers of rejected packets within its payload, and these require further sanitization. We do a simple test for embedded ~IPv4 packets by looking for 0x45 as the first byte of the payload. If the test detects an embedded packet, the algorithm recurses on the payload. ~NetPacket::TCP and ~NetPacket::UDP were used to parse and reassemble the TCP and UDP packets respectively.

!!__Upper Layer Packet Anonymization__
Payload anonymization is too difficult to describe without risking censorship. Various protocols find interesting ways of hiding revealing information in the payload in ways completely unparsable by anything (including the original software). We have leaned on the side of protecting privacy at the risk of destroying information in the payload. To this end, we overwrite data that matches a very general regular expression with 'X' characters, and hope that it was not something needed for analysis.

!!!DNS Protocol Sanitization
Among the various problematic packets that require anonymization are DNS packets. The format of DNS packets varies with the codes within the packet and requires a full decode to correctly manipulate. For example, if the packet is a response packet and has a code equal to 0, then the last 4 bytes are an IP address that must be mapped. If the code is equal to 3, a dynamic update, then there is yet another domain name that must be removed.

!!!Samba Protocol Sanitization
Another frustrating protocol is the Windows Networking protocol, known as samba. The Tree Connect ~AndX Request message includes a path portion that contains a unicode encoded string with slashes and a host network name, IP address, or ~NetBios name. Since the format of this path is difficult to anticipate, we simply replaced any printable character between the beginning two slashes, and the next slash. (E.g. \\POTENTIAL.NOWHERE.COM\IPC$) There are other messages such as the Trans2 Request that sometimes has the hostname as the file specification, but without the proper slash notation. This must be removed by a general regular expression. The netbios name is impossible to recognize without a full decode of the SMB protocol. We have not been able to accomplish this yet.

!!!IRC Traffic Sanitization
Currently we only perform regular expression search and replace on IRC traffic. No attempts were made to actually decode the protocol. The regular expression contains all letters, digits, at-symbols, and periods ending with a valid domain such as com, edu, jp, nl, ro, and biz. This has an unfortunate effect of obfuscating entities that are not proper domain names because of the generality of the regular expression.

!Future Work Needed
---------------------------------
We have only begun the rigorous work of packet sanitization and much work is needed. First, we need to learn from the community what information is vital to retain for proper analysis, and balance those needs against the complexity of maintaining privacy. Secondly, decoders are needed for many protocols, focusing first on protocols used during attacks such as SMB, FTP, IRC, HTTP, and DNS. Next, a flexible but fast-running packet manipulation framework needs to be made that can rapidly manipulate packets.

!Conclusion
--------------------
The Georgia Tech Honeynet team has created a pcap-file anonymization tool in PERL that allows for quick remapping of IP addresses and does some packet decoding and a lot of string searches and replacements in order to anonymize the traffic captures. We believe this to be a good first-order approach to the problem of packet anonymization, but a more flexible approach is needed for future work. 
On November 1, 2003 a Microsoft Windows 2000 Pro machine on the Georgia Tech Honey Net was compromised by an attacker.  The attack originated from eastnet on Georgia Tech's Eastnet.  However, analysis of the data seems to indicate that this host was only a relay for the attack and not the attacker's actual machine.

The attack first appeared as a standard Nachi attack, but after an initial attempt to compromise the machine revealed to the attacker that the machine had already been infected, he or she switched tactics and used an ~MSBlaster style exploit to open port 4444 with root privileges, thus indicating by the sophistication and the timing that this was a live attacker, not an automated program.  He or she then began setting up a root-kit on the machine.

The root-kit is made up of two self-extracting .exe files.  This attacker names them c.exe and x.exe.  The former extracts to a directory named "svchost" with a subdirectory "service" while the latter extracts to "service" and "spools."  The "svchost" directory contains ~WinMngr.EXE, ident.bat, one.exe, svc.bat, win.dll, cygwin1.dll, lsass.exe, regsvc.exe, services.exe, and svchost.exe.  These form the core of the root-kit.  The subdirectory "svchost\service" is used for storage of warez, but because the attacker does not want disk usage to be noticed, he or she only places a few files on each compromised machine.  The "service" directory created by x.exe contains mostly duplicate files from the "svchost" directory (possibly to avoid path issues), but it does have one important file in thug.bat. 

Our attacker extracts these files and directories to "C:\WINNT\system32\Setup."  The attacker then moves into the "svchost" directory and executes svc.bat.  This file is the primary installer of the root-kit.  The svc.bat file sets the user name of the IRC bot in win.dll (which is actually just a plain text file) and starts both the "Remote Registry Backup" service and the "Microsoft Networks" service, but binds both to the attacker's "svchost\lsass.exe" file.  This results in 3 processes called lsass.exe, though only one is legitimate.  The "Remote Registry Backup" service is also bound to "svchost\ident.bat" which executes ~WinMngr.EXE, while "Microsoft Networks" is also tied to "svchost\regsvc.exe."  The effect of starting all of these files as services is to make them impossible to kill via the Windows(r) Task Manager.  It is necessary to stop the services these files are attached to in order to bring them down.  The next step taken by svc.bat is to hide the directories created by the zip file.  Using the "attrib" command, the bat file runs: "attrib +S +H spools" (aka C:\WINNT\system32\Setup\spools) and "attrib +S +H svchost."  These commands set both the system bit and the hidden bit on the directories causing Windows to hide them unless the bits are unset or someone checks "show hidden files and directories" and unchecks "hide protected operating system files" in the tools->file options->view menu of any Windows Explorer window.  

[img[images/image002.gif]]
__Figure 1:  Windows Explorer view of system compromise__

The fact that svc.bat which came from c.exe hides a directory "spools" that came from x.exe suggests that both files were created by the same person and intended to work together as a single root-kit.

The other half of this root-kit, x.exe, provides similar tools to the attacker, but with some things added.  "Spools" for instance contains a number of utilities useful for hacking, such as wget, netcat, fport, and fscan.  None of these are called directly by the services that are set up.  This suggests the attacker wants the ability to hack other machines from this one.  While it is possible the attacker just wanted to have certain tools around for setting things up, the deletion of the zip files (presumably just to save space) combined with the small amount of warez stored on the machine seems to negate this, as our attacker seems to be interested in saving space so as to not show up on a cursory disk usage analysis.  Given this evidence, and the sophistication of this attack, as well as the number of compromised boxes found (some 25 machines on Georgia Tech's campus alone, including the attacking host) it seems likely that the attacking host was being used as a relay and the owner is not our attacker.

The third directory created by our attacker contains more interesting tools, including one (kill.exe) that is very useful in purging the system of this root-kit.  The first file of importance is thug.bat.  This is where the "Virtual Guide Numbering" service is created and bound to "service\lsass.exe" (which gives us a total of 4 processes named lsass running) and "services\winampa.exe" (which is the name of the popular media player Winamp's background executable).  This gives us two more processes running that are attached to services and can't be killed from the Task Manager.   The batch file then hides the "C:\WINNT\system32\service" directory in the same manner as the other two and removes x.exe.

At some point in running these various programs, one of them creates a number of registry keys.  This is the root-kit's signature and can be found on any machine infected by an unaltered version.  The keys are placed in ~HKEY_USERS-->S-1-5-21-79052478-1383384898-1202660629-1107(this number may be unique to each install) -->Software-->Microsoft-->Internet Explorer-->Explorer Bars-->{~C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}(again possibly unique to each install)-->~FilesNamedMRU.  Each one registers the name of a file the attacker installed but not its full path.  Currently, it seems logical to conclude that the programs themselves both set and read these keys, thus executing all of the files listed if any one of them is started.

[img[images/image004.gif]]
__Figure 2: registry entry of compromised system__

This root-kit does not appear to cause any actual damage to the attacked system (in fact it patches the system against future attacks on port 135), but instead sets the machine up as a warez server via IRC.  The bot installed connects to irc.efnet.com and joins the channel #~XiSO, where it broadcasts repeatedly the files it has available for download from the svchost\service directory.
Fortunately, removing this root-kit is not especially difficult after it is understood.  To remove it, simply do the following:

# Using the Administrative Tools, stop the services that are infected and set them to manual start.  (Be careful if you decide to disable them as doing so can cause headaches if the wrong services are disabled when the system is restarted).
#Edit the C:\WINNT\system32\Setup\svchost\x.pid file to find the process id (PID) of the IRC daemon.
#Using the kill.exe found in either "service" or "spools," kill the pid using C:\kill.exe <pid>.  This stops the IRC daemon from running.  Your logs will no longer be flooded with IRC data.  You may also safely kill all ~WinMngr.EXE, winampa.exe and cmd.exe processes.  You may kill the lsass and svchost processes, but the legitimate versions of these need to be running and may or may not restart properly if killed.
#Delete, or move the directories the attacker created:
##C:\WINNT\system32\Setup\spools
##C:\WINNT\system32\Setup\service
##C:\WINNT\system32\Setup\svchost
#Using regedit, remove all the keys placed by the attacker.
#Upon first booting the machine, ensure that you have only one copy of lsass.exe running, the registry keys are gone, and that none of the illegal services started.  This is your indication that the machine is clean.

In conclusion, this root-kit displays a fair amount of skill and is not the work of a "script-kiddie."  Analysis of the techniques used, as well as the tools involved, suggests that an experienced, though not necessarily highly-skilled, person conducted the attack.  The root-kit itself suggests that the machine attacking our Honey Net was a relay machine.  The hacking tools present in the kit suggest the intended use for this kit is not just to run an IRC bot, but also to allow remote control of, and subsequent hacking using, a compromised box.  The techniques used by the attacker make it difficult, though not impossible, to find his or her files.  Once located and understood, the root-kit is easily removed.  However, the complexity of the kit itself and its potential to reinsert parts of itself make it difficult to deal with until it is understood.  Had the attacker removed kill.exe, not used x.pid, and used executables instead of batch files, the root-kit would have been very difficult to remove indeed.  In short, this was a basic attack, based on someone else's work, that used good tools that could be improved to be very difficult to remove.
!Attack of September 13-14, 2004
On September 13th and 14th, 2004, two Microsoft Windows 2000 machines on the Georgia Tech ~HoneyNet were compromised by an attacker. The attack originated from a computer on the Georgia Tech network.

On 13 September, the attacker's machine installed a worm using DCERPC ~LSA_DS and Websphere MQ on the first honeypot. Immediately following the closure of this connection, the honeypot started making DNS calls for tx.sytes.net, which successfully resolved to an IP address. The honeypot then regularly attempted to establish a connection to this IP address. Most of the time there was no response; occasionally there was a reset. About 4 hours later, a connection was established and the honeypot began operating as an IRC bot. We disconnected this honeypot from the network and have since replaced it.

On 14 September, Georgia Tech experienced a series of power surges. Following the final power surge, a second honeypot came on-line; the first attempted connection resulted in a compromise. The attacker used an LSASS vulnerability to infect the honeypot. As soon as the connection was closed, the honeypot began attempting to make connections to the same IP address from the 13 September compromise. Within an hour, the honeypot established a connection to this machine and immediately began operating as an IRC bot (sending SYN packets to port 445 on a /16 subnet within the Georgia Tech campus). This machine was also disconnected and has been replaced.
!__1.0 Honeynet Deployments__
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to use live ~OSs instead of ~VMware or ~HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. We have recently deployed a Darknet within our Honeynet.

Our focus continues to be the use of the Honeynet to help secure the campus network.
!__2.0 Findings__
We had one Microsoft 2000 system compromised during the quarter. (The compromise report is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/Quarterly/quarterly.htm.) We also found 43 unique machines on the Georgia Tech campus that were compromised (and attempted to connect to the Honeynet).

We currently use snort and ethereal to monitor our data; multiple members of our team analyze the data using various filters.
!__3.0 Misc. Activities__
John Levine presented "Honeynets at Educational Institutions" at the Baltimore Department of Defense Conference.
!__4.0 Organizational__
LTC John Levine, ~PhD has completed his ~PhD and is moving to West Point, NY to teach at the United States Military Academy. He is replaced as the project lead by Julian Grizzard.
!__5.0 Lessons Learned__
We have found the Honeynet to be a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.
!__6.0 Goals__
We plan to develop a toolkit to streamline the data analysis process during the summer semester. We also have a member working on the development of a visualization monitor.
!__Publications__
*S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, "~Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 42-49.
!__Publications__
!!Journal Publications
*J. Levine, J. Grizzard, and H.Owen, "Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection," in IEEE Security & Privacy, January/February 2006, pp. 24-32, vol. 4, no. 1. (featured article)
*D. Barlow, V. Vassiliou, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Traffic engineering based on local states in Internet protocol-based radio access networks," accepted IEEE Journal of Communications and Networks.
*J. Levine, J. Grizzard, and H. Owen, "Using honeynets to protect large enterprise networks," in IEEE Security & Privacy, November/December 2004, pp. 73-75, vol. 2, no. 6.
*S. Krasser, J. Grizzard, H. Owen, and J. Levine, "The use of honeynets to increase computer network security and user awareness," in Journal of Security Education, pp. 23-37, vol. 1, no. 2/3.
!!Conference Publications
* J. Grizzard and H. Owen, "On a µ-kernel Based System Architecture Enabling Recovery from Rootkits", accepted First IEEE International Workshop on Critical Infrastructure Protection, 2005.
* J. Grizzard, C. Simpson, Jr., S. Krasser, H. Owen, and G. Riley, "Flow Based Observations from NETI@home and Honeynet Data," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 244-251.
* S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 42-49. 
* J. Grizzard, J. Levine, and H. Owen, "Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table," in Proc. 9th European Symposium on Research in Computer Security, September 2004, pp. 369-384.
* D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen, "Honeystat: local worm detection using honeypots," in 7th International Symposium on Recent Advances in Intrusion Detection, Sophia Antipolis, France, September 2004.
* J. Grizzard, S. Krasser, H. Owen, G. Conti, and E. Dodson, "Towards an approach for automatically repairing compromised network systems," in Proc. 3rd IEEE International Symposium on Network Computing and Applications, Cambridge, Massachusetts, USA, pp. 389-392, August 2004.
* J. Grizzard, E. Dodson, G. Conti, J. Levine, and H. Owen, "Towards a trusted immutable kernel extension (TIKE) for self-healing systems: a virtual machine approach," in Proc. 5th IEEE Information Assurance Workshop, June 2004, pp. 444-446.
* J. Levine, J. Grizzard, and H. Owen, "A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table," in Proc. of Second IEEE International Information Assurance Workshop, April 2004, pp. 107-125.
* T. Jackson, J. Levine, J. Grizzard, and H. Owen, "An investigation of a compromised host on a honeynet being used to increase the security of a large enterprise network," in Proc. 5th IEEE Information Assurance Workshop, March 2004, pp. 9-14.
* J. Levine, J. Grizzard, and H. Owen, "Application of a methodology to characterize rootkits retrieved from honeynets," in Proc. 5th IEEE Information Assurance Workshop, March 2004, pp. 15-21.
!__Research__
!Honeypot Forensics
Existing forensic toolkits were developed to work on production systems. As honeypots do not have the same restrictions as these systems, there must exist a framework that exploits the special characteristics of honeypots.  The purpose of this research is to take advantage of the unique honeypot environment for the creation of a richer set of forensic data and development of this framework.

!__Publications__
*Sean Sanders, Kevin Fairbanks, Sahitya Jampana, Henry Owen III, "Visual Network Traffic Classification Using ~Multi-Dimensional Piecewise Polynomial Models, " Accepted, IEEE ~SoutheastCon 2010, ~Charlotte-Concord, NC.
*Kevin D. Fairbanks, Ying H. Xia, Henry L. Owen III, "<html><a href="papers/Fairbanks_COMPSAC_CFSE_2009.pdf">A Method for Historical Ext3 Inode to Filename Translation on Honeypots</a></html>," Computer Software and Applications Conference, Annual International, vol. 2, pp. 392-397, 2009 33rd Annual IEEE International Computer Software and Applications Conference, 2009.
*Kevin Fairbanks, Kishore Atreya, Henry Owen.  "<html><a href="papers/Fairbanks_IEEE_SouthEastCon_2009.pdf">BlackBerry IPD Parsing for Open Source Forensics.</a></html>" IEEE ~SouthEastCon 2009.  Atlanta, GA.  IEEE Southeastcon, 2009.  Atlanta, GA.  March 2009, pp. 195 - 199.
*Ying Xia, Kevin Fairbanks, Henry Owen. "<html><a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">Visual Analysis of Program Flow Data with  Data Propagation.</a></html>" Proceedings of the 5th international workshop on Visualization for Computer Security.   Cambridge, MA.  September 2008, pp. 26-35.
*Ying Xia, Kevin Fairbanks, Henry Owen. "<html><a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">A Program Behavior Matching Architecture for Probabilistic File System Forensics.</a></html>" <html><i>ACM SIGOPS Operating Systems Review special issue on Computer Forensics.</i></html> Vol. 42, Iss. 3.  April 2008, pp. 4-13.
* Kevin D. Fairbanks, Christopher P. Lee, Ying H. Xia, Henry L. Owen III. “<html><a href ="papers/Fairbanks_IAW07.pdf">TimeKeeper: A Metadata Archiving Method for Honeypot Forensics.</a></html>” 8th Annual IEEE SMC Information Assurance Workshop. West Point, NY. 20-22 June 2007
* Xia, Y., Fairbanks, K., Owen, H. "<html><a href="papers/blackbox.pdf">Establishing trust in black-box programs.</a></html>" SoutheastCon, 2007. IEEE, Vol., Iss., March 2007, pp. 462-465.
Note: all paths below are relative to l4linux-2.4/
*documentation/~DocBook/kernel-hacking.tmpl:
**asmlinkage int sys_mycall(int arg)
*arch/l4/kernel/ioport.c:
**asmlinkage int sys_ioperm(unsigned long from, unsigned long num, int turn_on)
**asmlinkage int sys_iopl(unsigned long unused)
*arch/l4/kernel/process.c:
**asmlinkage int sys_fork(void)
**asmlinkage int sys_clone(unsigned long clone_flags, unsigned long newsp)
**asmlinkage int sys_vfork(void)
**asmlinkage int sys_execve(char *name, char **argv, char **envp)
*arch/l4/kernel/ptrace.c:
**asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
*arch/l4/kernel/signal.c:
**asmlinkage int sys_sigreturn(void)
**asmlinkage int sys_rt_sigreturn(void)
**asmlinkage int sys_rt_sigsuspend(sigset_t *unewset, size_t sigsetsize)
**asmlinkage int sys_sigsuspend(int history0, int history1, old_sigset_t mask)
**asmlinkage int sys_sigaction(int sig, const struct old_sigaction *act, struct old_sigaction *oact)
**asmlinkage int sys_sigaltstack(const stack_t *uss, stack_t *uoss)
*arch/l4/kernel/unimpl.c:
**asmlinkage int sys_vm86(void)
**asmlinkage int sys_vm86old(void)
**asmlinkage int sys_modify_ldt(void)
*arch/l4/kernel/sys_i386.c:
**asmlinkage int sys_pipe(unsigned long * fildes)
**asmlinkage long sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long pgoff)
**asmlinkage int old_mmap(struct mmap_arg_struct *arg)
**extern asmlinkage int sys_select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
**asmlinkage int old_select(struct sel_arg_struct *arg)
**asmlinkage int sys_ipc (uint call, int first, int second, int third, void *ptr, long fifth)
**asmlinkage int sys_uname(struct old_utsname * name)
**asmlinkage int sys_olduname(struct oldold_utsname * name)
**asmlinkage int sys_pause(void)
*drivers/char/vt.c:
**asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int on);
*fs/buffer.c:
**asmlinkage long sys_sync(void)
**asmlinkage long sys_fsync(unsigned int fd)
**asmlinkage long sys_fdatasync(unsigned int fd)
**asmlinkage long sys_bdflush(int func, long data)
*fs/dcache.c:
**asmlinkage long sys_getcwd(char *buf, unsigned long size)
*fs/exec.c:
**asmlinkage long sys_uselib(const char * library)
*fs/fcntl.c:
**asmlinkage long sys_dup2(unsigned int oldfd, unsigned int newfd)
**asmlinkage long sys_dup(unsigned int fildes)
**asmlinkage long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
**asmlinkage long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/filesystems.c:
**asmlinkage sys_nfsservctl(int cmd, void *argp, void *resp)
*fs/ioctl.c:
**asmlinkage long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/locks.c:
**asmlinkage long sys_flock(unsigned int fd, unsigned int cmd)
*fs/namei.c:
**asmlinkage long sys_mknod(const char * filename, int mode, dev_t dev)
**asmlinkage long sys_mkdir(const char * pathname, int mode)
**asmlinkage long sys_rmdir(const char * pathname)
**asmlinkage long sys_unlink(const char * pathname)
**asmlinkage long sys_symlink(const char * oldname, const char * newname)
**asmlinkage long sys_link(const char * oldname, const char * newname)
**asmlinkage long sys_rename(const char * oldname, const char * newname)
*fs/namespace.c:
**asmlinkage long sys_umount(char * name, int flags)
**asmlinkage long sys_oldumount(char * name)
**asmlinkage long sys_mount(char * dev_name, char * dir_name, char * type, unsigned long flags, void * data)
**asmlinkage long sys_pivot_root(const char *new_root, const char *put_old)
*fs/open.c:
**asmlinkage long sys_statfs(const char * path, struct statfs * buf)
**asmlinkage long sys_fstatfs(unsigned int fd, struct statfs * buf)
**asmlinkage long sys_truncate(const char * path, unsigned long length)
**asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
**asmlinkage long sys_truncate64(const char * path, loff_t length)
**asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
**asmlinkage long sys_utime(char * filename, struct utimbuf * times)
**asmlinkage long sys_access(const char * filename, int mode)
**asmlinkage long sys_chdir(const char * filename)
**asmlinkage long sys_fchdir(unsigned int fd)
**asmlinkage long sys_chroot(const char * filename)
**asmlinkage long sys_fchmod(unsigned int fd, mode_t mode)
**asmlinkage long sys_chmod(const char * filename, mode_t mode)
**asmlinkage long sys_chown(const char * filename, uid_t user, gid_t group)
**asmlinkage long sys_lchown(const char * filename, uid_t user, gid_t group)
**asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group)
**asmlinkage long sys_open(const char * filename, int flags, int mode)
**asmlinkage long sys_creat(const char * pathname, int mode)
**asmlinkage long sys_close(unsigned int fd)
**asmlinkage long sys_vhangup(void)
*fs/quota.c:
**asmlinkage long sys_quotactl(unsigned int cmd, const char *special, qid_t id, caddr_t addr)
*fs/read_write.c:
**asmlinkage off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
**asmlinkage long sys_llseek(unsigned int fd, unsigned long offset_high,
**asmlinkage ssize_t sys_read(unsigned int fd, char * buf, size_t count)
**asmlinkage ssize_t sys_write(unsigned int fd, const char * buf, size_t count)
**asmlinkage ssize_t sys_readv(unsigned long fd, const struct iovec * vector, unsigned long count)
**asmlinkage ssize_t sys_writev(unsigned long fd, const struct iovec * vector, unsigned long count)
**asmlinkage ssize_t sys_pread(unsigned int fd, char * buf, size_t count, loff_t pos)
**asmlinkage ssize_t sys_pwrite(unsigned int fd, const char * buf, size_t count, loff_t pos)
*fs/readdir.c:
**asmlinkage int old_readdir(unsigned int fd, void * dirent, unsigned int count)
**asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count)
**asmlinkage long sys_getdents64(unsigned int fd, void * dirent, unsigned int count)
*fs/select.c:
**asmlinkage long sys_poll(struct pollfd * ufds, unsigned int nfds, long timeout)
*fs/stat.c:
**asmlinkage long sys_stat(char * filename, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newstat(char * filename, struct stat * statbuf)
**asmlinkage long sys_lstat(char * filename, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newlstat(char * filename, struct stat * statbuf)
**asmlinkage long sys_fstat(unsigned int fd, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newfstat(unsigned int fd, struct stat * statbuf)
**asmlinkage long sys_readlink(const char * path, char * buf, int bufsiz)
**asmlinkage long sys_stat64(char * filename, struct stat64 * statbuf, long flags)
**asmlinkage long sys_lstat64(char * filename, struct stat64 * statbuf, long flags)
**asmlinkage long sys_fstat64(unsigned long fd, struct stat64 * statbuf, long flags)
*fs/super.c:
**asmlinkage long sys_sysfs(int option, unsigned long arg1, unsigned long arg2)
**asmlinkage long sys_ustat(dev_t dev, struct ustat * ubuf)
*init/do_mounts.c:
**extern asmlinkage long sys_mount(char *dev_name, char *dir_name, char *type, unsigned long flags, void *data);
**extern asmlinkage long sys_mkdir(const char *name, int mode);
**extern asmlinkage long sys_chdir(const char *name);
**extern asmlinkage long sys_fchdir(int fd);
**extern asmlinkage long sys_chroot(const char *name);
**extern asmlinkage long sys_unlink(const char *name);
**extern asmlinkage long sys_symlink(const char *old, const char *new);
**extern asmlinkage long sys_mknod(const char *name, int mode, dev_t dev);
**extern asmlinkage long sys_umount(char *name, int flags);
**extern asmlinkage long sys_ioctl(int fd, int cmd, unsigned long arg);
*kernel/acct.c:
**asmlinkage long sys_acct(const char * filename)
*kernel/capability.c:
**asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
**asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
*kernel/exit.c:
**asmlinkage long sys_exit(int error_code)
**asmlinkage long sys_wait4(pid_t pid,unsigned int * stat_addr, int options, struct rusage * ru)
**asmlinkage long sys_waitpid(pid_t pid,unsigned int * stat_addr, int options)
*kernel/info.c:
**asmlinkage long sys_sysinfo(struct sysinfo *info)
*kernel/itimer.c:
**asmlinkage long sys_getitimer(int which, struct itimerval *value)
**asmlinkage long sys_setitimer(int which, struct itimerval *value, struct itimerval *ovalue)
*kernel/panic.c:
**asmlinkage void sys_sync(void); /* it's really int */
*kernel/printk.c:
**asmlinkage long sys_syslog(int type, char * buf, int len)
*kernel/sched.c:
**asmlinkage long sys_nice(int increment)
**asmlinkage long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param *param)
**asmlinkage long sys_sched_setparam(pid_t pid, struct sched_param *param)
**asmlinkage long sys_sched_getscheduler(pid_t pid)
**asmlinkage long sys_sched_getparam(pid_t pid, struct sched_param *param)
**asmlinkage long sys_sched_yield(void)
**asmlinkage long sys_sched_get_priority_max(int policy)
**asmlinkage long sys_sched_get_priority_min(int policy)
**asmlinkage long sys_sched_rr_get_interval(pid_t pid, struct timespec *interval)
*kernel/sys.c:
**asmlinkage long sys_ni_syscall(void)
**asmlinkage long sys_setpriority(int which, int who, int niceval)
**asmlinkage long sys_getpriority(int which, int who)
**asmlinkage long sys_reboot(int magic1, int magic2, unsigned int cmd, void * arg)
**asmlinkage long sys_setregid(gid_t rgid, gid_t egid)
**asmlinkage long sys_setgid(gid_t gid)
**asmlinkage long sys_setreuid(uid_t ruid, uid_t euid)
**asmlinkage long sys_setuid(uid_t uid)
**asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
**asmlinkage long sys_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
**asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
**asmlinkage long sys_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
**asmlinkage long sys_setfsuid(uid_t uid)
**asmlinkage long sys_setfsgid(gid_t gid)
**asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
**asmlinkage long sys_getpgid(pid_t pid)
**asmlinkage long sys_getpgrp(void)
**asmlinkage long sys_getsid(pid_t pid)
**asmlinkage long sys_setsid(void)
**asmlinkage long sys_getgroups(int gidsetsize, gid_t *grouplist)
**asmlinkage long sys_setgroups(int gidsetsize, gid_t *grouplist)
**asmlinkage long sys_newuname(struct new_utsname * name)
**asmlinkage long sys_sethostname(char *name, int len)
**asmlinkage long sys_gethostname(char *name, int len)
**asmlinkage long sys_setdomainname(char *name, int len)
**asmlinkage long sys_getrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_old_getrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_setrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_getrusage(int who, struct rusage *ru)
**asmlinkage long sys_umask(int mask)
**asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)
*kernel/sysctl.c:
**extern asmlinkage long sys_sysctl(struct _sysctl_args *args)
*kernel/time.c:
**asmlinkage long sys_time(int * tloc)
**asmlinkage long sys_stime(int * tptr)
**asmlinkage long sys_gettimeofday(struct timeval *tv, struct timezone *tz)
**asmlinkage long sys_settimeofday(struct timeval *tv, struct timezone *tz)
**asmlinkage long sys_adjtimex(struct timex *txc_p)
*kernel/timer.c:
**asmlinkage unsigned long sys_alarm(unsigned int seconds)
**asmlinkage long sys_getpid(void)
**asmlinkage long sys_getppid(void)
**asmlinkage long sys_getuid(void)
**asmlinkage long sys_geteuid(void)
**asmlinkage long sys_getgid(void)
**asmlinkage long sys_getegid(void)
**asmlinkage long sys_gettid(void)
**asmlinkage long sys_nanosleep(struct timespec *rqtp, struct timespec *rmtp)
*kernel/uid16.c:
**extern asmlinkage long sys_chown(const char *, uid_t,gid_t);
**extern asmlinkage long sys_lchown(const char *, uid_t,gid_t);
**extern asmlinkage long sys_fchown(unsigned int, uid_t,gid_t);
**extern asmlinkage long sys_setregid(gid_t, gid_t);
**extern asmlinkage long sys_setgid(gid_t);
**extern asmlinkage long sys_setreuid(uid_t, uid_t);
**extern asmlinkage long sys_setuid(uid_t);
**extern asmlinkage long sys_setresuid(uid_t, uid_t, uid_t);
**extern asmlinkage long sys_setresgid(gid_t, gid_t, gid_t);
**extern asmlinkage long sys_setfsuid(uid_t);
**extern asmlinkage long sys_setfsgid(gid_t);
**asmlinkage long sys_chown16(const char * filename, old_uid_t user, old_gid_t group)
**asmlinkage long sys_lchown16(const char * filename, old_uid_t user, old_gid_t group)
**asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
**asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid)
**asmlinkage long sys_setgid16(old_gid_t gid)
**asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
**asmlinkage long sys_setuid16(old_uid_t uid)
**asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
**asmlinkage long sys_getresuid16(old_uid_t *ruid, old_uid_t *euid, old_uid_t *suid)
**asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
**asmlinkage long sys_getresgid16(old_gid_t *rgid, old_gid_t *egid, old_gid_t *sgid)
**asmlinkage long sys_setfsuid16(old_uid_t uid)
**asmlinkage long sys_setfsgid16(old_gid_t gid)
**asmlinkage long sys_getgroups16(int gidsetsize, old_gid_t *grouplist)
**asmlinkage long sys_setgroups16(int gidsetsize, old_gid_t *grouplist)
**asmlinkage long sys_getuid16(void)
**asmlinkage long sys_geteuid16(void)
**asmlinkage long sys_getgid16(void)
**asmlinkage long sys_getegid16(void)
*mm/filemap.c:
**asmlinkage ssize_t sys_sendfile(int out_fd, int in_fd, off_t *offset, size_t count)
**asmlinkage ssize_t sys_sendfile64(int out_fd, int in_fd, loff_t *offset, size_t count)
**asmlinkage ssize_t sys_readahead(int fd, loff_t offset, size_t count)
**asmlinkage long sys_msync(unsigned long start, size_t len, int flags)
**asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
**asmlinkage long sys_mincore(unsigned long start, size_t len, unsigned char * vec)
*mm/mlock.c:
**asmlinkage long sys_mlock(unsigned long start, size_t len)
**asmlinkage long sys_munlock(unsigned long start, size_t len)
**asmlinkage long sys_mlockall(int flags)
**asmlinkage long sys_munlockall(void)
*mm/mmap.c:
**asmlinkage unsigned long sys_brk(unsigned long brk)
**asmlinkage long sys_munmap(unsigned long addr, size_t len)
*mm/mprotect.c:
**asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
*mm/mremap.c:
**asmlinkage unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr)
*mm/swapfile.c:
**asmlinkage long sys_swapoff(const char * specialfile)
**asmlinkage long sys_swapon(const char * specialfile, int swap_flags)
*net/socket.c:
**asmlinkage long sys_socketcall(int call, unsigned long *args)
*kernel/signal.c:
**asmlinkage long sys_ssetmask(int newmask)
**asmlinkage long sys_sgetmask(void)
**asmlinkage unsigned long sys_signal(int sig, _sighandler_t handler)
**asmlinkage long sys_kill(int pid, int sig)
**asmlinkage long sys_tkill(int pid, int sig)
**asmlinkage long sys_sigpending(old_sigset_t *set)
**asmlinkage long sys_sigprocmask(int how, old_sigset_t *set, old_sigset_t *oset)
**asmlinkage long sys_rt_sigprocmask(int how, sigset_t *set, sigset_t *oset, size_t sigsetsize)
**asmlinkage long sys_rt_sigpending(sigset_t *set, size_t sigsetsize)
**asmlinkage long sys_rt_sigtimedwait(const sigset_t *uthese, siginfo_t *uinfo, const struct timespec *uts, size_t sigsetsize)
**asmlinkage long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t *uinfo)
**asmlinkage long sys_rt_sigaction(int sig, const struct sigaction *act, struct sigaction *oact, size_t sigsetsize)
*kernel/module.c:
**asmlinkage long sys_get_kernel_syms(struct kernel_sym *table)
**asmlinkage long sys_init_module(const char *name_user, struct module *mod_user)
**asmlinkage unsigned long sys_create_module(const char *name_user, size_t size)
**asmlinkage long sys_delete_module(const char *name_user)
**asmlinkage long sys_query_module(const char *name_user, int which, char *buf, size_t bufsize, size_t *ret)
*kernel/exec_domain.c:
**asmlinkage long sys_personality(u_long personality)
*fs/xattr.c:
**asmlinkage long sys_setxattr(char *path, char *name, void *value, size_t size, int flags)
**asmlinkage long sys_lsetxattr(char *path, char *name, void *value, size_t size, int flags)
**asmlinkage long sys_fsetxattr(int fd, char *name, void *value, size_t size, int flags)
**asmlinkage ssize_t sys_getxattr(char *path, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_lgetxattr(char *path, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_fgetxattr(int fd, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_listxattr(char *path, char *list, size_t size)
**asmlinkage ssize_t sys_llistxattr(char *path, char *list, size_t size)
**asmlinkage ssize_t sys_flistxattr(int fd, char *list, size_t size)
**asmlinkage long sys_removexattr(char *path, char *name)
**asmlinkage long sys_lremovexattr(char *path, char *name)
**asmlinkage long sys_fremovexattr(int fd, char *name)
<html>
<head>
</head>
<body style="color: rgb(0, 0, 0);" alink="#ee0000"
 link="#0000ee" vlink="#551a8b">
The
table below shows a listing of all the system calls in the Linux 2.4.26
kernel (gentoo modified). The system call table entries are defined in
arch/i386/kernel.
<table align="center" border="1" cellpadding="2"
 cellspacing="2" width="100%">
  <tbody>
    <tr>
      <th>Number</th>
      <th>Name</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>0</td>
      <td>sys_ni_syscall</td>
      <td>not implemented</td>
    </tr>
    <tr>
      <td>1</td>
      <td>sys_exit</td>
      <td></td>
    </tr>
    <tr>
      <td>2</td>
      <td>sys_fork</td>
      <td></td>
    </tr>
    <tr>
      <td>3</td>
      <td>sys_read</td>
      <td></td>
    </tr>
    <tr>
      <td>4</td>
      <td>sys_write</td>
      <td></td>
    </tr>
    <tr>
      <td>5</td>
      <td>sys_open</td>
      <td></td>
    </tr>
    <tr>
      <td>6</td>
      <td>sys_close</td>
      <td></td>
    </tr>
    <tr>
      <td>7</td>
      <td>sys_waitpid</td>
      <td></td>
    </tr>
    <tr>
      <td>8</td>
      <td>sys_creat</td>
      <td></td>
    </tr>
    <tr>
      <td>9</td>
      <td>sys_link</td>
      <td></td>
    </tr>
    <tr>
      <td>10</td>
      <td>sys_unlink</td>
      <td></td>
    </tr>
    <tr>
      <td>11</td>
      <td>sys_execve</td>
      <td></td>
    </tr>
    <tr>
      <td>12</td>
      <td>sys_chdir</td>
      <td></td>
    </tr>
    <tr>
      <td>13</td>
      <td>sys_time</td>
      <td></td>
    </tr>
    <tr>
      <td>14</td>
      <td>sys_mknod</td>
      <td></td>
    </tr>
    <tr>
      <td>15</td>
      <td>sys_chmod</td>
      <td></td>
    </tr>
    <tr>
      <td>16</td>
      <td>sys_lchown16</td>
      <td></td>
    </tr>
    <tr>
      <td>17</td>
      <td>sys_ni_syscall</td>
      <td>not implemented</td>
    </tr>
    <tr>
      <td>18</td>
      <td>sys_stat</td>
      <td></td>
    </tr>
    <tr>
      <td>19</td>
      <td>sys_lseek</td>
      <td></td>
    </tr>
    <tr>
      <td>20</td>
      <td>sys_getpid</td>
      <td></td>
    </tr>
    <tr>
      <td>21</td>
      <td>sys_mount</td>
      <td></td>
    </tr>
    <tr>
      <td>22</td>
      <td>sys_oldumount</td>
      <td></td>
    </tr>
    <tr>
      <td>23</td>
      <td>sys_setuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>24</td>
      <td>sys_getuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>25</td>
      <td>sys_stime</td>
      <td></td>
    </tr>
    <tr>
      <td>26</td>
      <td>sys_ptrace</td>
      <td></td>
    </tr>
    <tr>
      <td>27</td>
      <td>sys_alarm</td>
      <td></td>
    </tr>
    <tr>
      <td>28</td>
      <td>sys_fstat</td>
      <td></td>
    </tr>
    <tr>
      <td>29</td>
      <td>sys_pause</td>
      <td></td>
    </tr>
    <tr>
      <td>30</td>
      <td>sys_utime</td>
      <td></td>
    </tr>
    <tr>
      <td>31</td>
      <td>sys_ni_syscall</td>
      <td>not implemented</td>
    </tr>
    <tr>
      <td>32</td>
      <td>sys_ni_syscall</td>
      <td>not implemented</td>
    </tr>
    <tr>
      <td>33</td>
      <td>sys_access</td>
      <td></td>
    </tr>
    <tr>
      <td>34</td>
      <td>sys_nice</td>
      <td></td>
    </tr>
    <tr>
      <td>35</td>
      <td>sys_ni_syscall</td>
      <td>not implemented</td>
    </tr>
    <tr>
      <td>36</td>
      <td>sys_sync</td>
      <td></td>
    </tr>
    <tr>
      <td>37</td>
      <td>sys_kill</td>
      <td></td>
    </tr>
    <tr>
      <td>38</td>
      <td>sys_rename</td>
      <td></td>
    </tr>
    <tr>
      <td>39</td>
      <td>sys_mkdir</td>
      <td></td>
    </tr>
    <tr>
      <td>40</td>
      <td>sys_rmdir</td>
      <td></td>
    </tr>
    <tr>
      <td>41</td>
      <td>sys_dup</td>
      <td></td>
    </tr>
    <tr>
      <td>42</td>
      <td>sys_pipe</td>
      <td></td>
    </tr>
    <tr>
      <td>43</td>
      <td>sys_times</td>
      <td></td>
    </tr>
    <tr>
      <td>44</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>45</td>
      <td>sys_brk</td>
      <td></td>
    </tr>
    <tr>
      <td>46</td>
      <td>sys_setgid16</td>
      <td></td>
    </tr>
    <tr>
      <td>47</td>
      <td>sys_getgid16</td>
      <td></td>
    </tr>
    <tr>
      <td>48</td>
      <td>sys_signal</td>
      <td></td>
    </tr>
    <tr>
      <td>49</td>
      <td>sys_geteuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>50</td>
      <td>sys_getegid16</td>
      <td></td>
    </tr>
    <tr>
      <td>51</td>
      <td>sys_acct</td>
      <td></td>
    </tr>
    <tr>
      <td>52</td>
      <td>sys_umount</td>
      <td></td>
    </tr>
    <tr>
      <td>53</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>54</td>
      <td>sys_ioctl</td>
      <td></td>
    </tr>
    <tr>
      <td>55</td>
      <td>sys_fcntl</td>
      <td></td>
    </tr>
    <tr>
      <td>56</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>57</td>
      <td>sys_setpgid</td>
      <td></td>
    </tr>
    <tr>
      <td>58</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>59</td>
      <td>sys_olduname</td>
      <td></td>
    </tr>
    <tr>
      <td>60</td>
      <td>sys_umask</td>
      <td></td>
    </tr>
    <tr>
      <td>61</td>
      <td>sys_chroot</td>
      <td></td>
    </tr>
    <tr>
      <td>62</td>
      <td>sys_ustat</td>
      <td></td>
    </tr>
    <tr>
      <td>63</td>
      <td>sys_dup2</td>
      <td></td>
    </tr>
    <tr>
      <td>64</td>
      <td>sys_getppid</td>
      <td></td>
    </tr>
    <tr>
      <td>65</td>
      <td>sys_getpgrp</td>
      <td></td>
    </tr>
    <tr>
      <td>66</td>
      <td>sys_setsid</td>
      <td></td>
    </tr>
    <tr>
      <td>67</td>
      <td>sys_sigaction</td>
      <td></td>
    </tr>
    <tr>
      <td>68</td>
      <td>sys_sgetmask</td>
      <td></td>
    </tr>
    <tr>
      <td>69</td>
      <td>sys_ssetmask</td>
      <td></td>
    </tr>
    <tr>
      <td>70</td>
      <td>sys_setreuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>71</td>
      <td>sys_setregid16</td>
      <td></td>
    </tr>
    <tr>
      <td>72</td>
      <td>sys_sigsuspend</td>
      <td></td>
    </tr>
    <tr>
      <td>73</td>
      <td>sys_sigpending</td>
      <td></td>
    </tr>
    <tr>
      <td>74</td>
      <td>sys_sethostname</td>
      <td></td>
    </tr>
    <tr>
      <td>75</td>
      <td>sys_setrlimit</td>
      <td></td>
    </tr>
    <tr>
      <td>76</td>
      <td>sys_old_getrlimit</td>
      <td></td>
    </tr>
    <tr>
      <td>77</td>
      <td>sys_getrusage</td>
      <td></td>
    </tr>
    <tr>
      <td>78</td>
      <td>sys_gettimeofday</td>
      <td></td>
    </tr>
    <tr>
      <td>79</td>
      <td>sys_settimeofday</td>
      <td></td>
    </tr>
    <tr>
      <td>80</td>
      <td>sys_getgroups16</td>
      <td></td>
    </tr>
    <tr>
      <td>81</td>
      <td>sys_setgroups16</td>
      <td></td>
    </tr>
    <tr>
      <td>82</td>
      <td>old_select</td>
      <td></td>
    </tr>
    <tr>
      <td>83</td>
      <td>sys_symlink</td>
      <td></td>
    </tr>
    <tr>
      <td>84</td>
      <td>sys_lstat</td>
      <td></td>
    </tr>
    <tr>
      <td>85</td>
      <td>sys_readlink</td>
      <td></td>
    </tr>
    <tr>
      <td>86</td>
      <td>sys_uselib</td>
      <td></td>
    </tr>
    <tr>
      <td>87</td>
      <td>sys_swapon</td>
      <td></td>
    </tr>
    <tr>
      <td>88</td>
      <td>sys_reboot</td>
      <td></td>
    </tr>
    <tr>
      <td>89</td>
      <td>old_readdir</td>
      <td></td>
    </tr>
    <tr>
      <td>90</td>
      <td>old_mmap</td>
      <td></td>
    </tr>
    <tr>
      <td>91</td>
      <td>sys_munmap</td>
      <td></td>
    </tr>
    <tr>
      <td>92</td>
      <td>sys_truncate</td>
      <td></td>
    </tr>
    <tr>
      <td>93</td>
      <td>sys_ftruncate</td>
      <td></td>
    </tr>
    <tr>
      <td>94</td>
      <td>sys_fchmod</td>
      <td></td>
    </tr>
    <tr>
      <td>95</td>
      <td>sys_fchown16</td>
      <td></td>
    </tr>
    <tr>
      <td>96</td>
      <td>sys_getpriority</td>
      <td></td>
    </tr>
    <tr>
      <td>97</td>
      <td>sys_setpriority</td>
      <td></td>
    </tr>
    <tr>
      <td>98</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>99</td>
      <td>sys_statfs</td>
      <td></td>
    </tr>
    <tr>
      <td>100</td>
      <td>sys_fstatfs</td>
      <td></td>
    </tr>
    <tr>
      <td>101</td>
      <td>sys_ioperm</td>
      <td></td>
    </tr>
    <tr>
      <td>102</td>
      <td>sys_socketcall</td>
      <td></td>
    </tr>
    <tr>
      <td>103</td>
      <td>sys_syslog</td>
      <td></td>
    </tr>
    <tr>
      <td>104</td>
      <td>sys_setitimer</td>
      <td></td>
    </tr>
    <tr>
      <td>105</td>
      <td>sys_getitimer</td>
      <td></td>
    </tr>
    <tr>
      <td>106</td>
      <td>sys_newstat</td>
      <td></td>
    </tr>
    <tr>
      <td>107</td>
      <td>sys_newlstat</td>
      <td></td>
    </tr>
    <tr>
      <td>108</td>
      <td>sys_newfstat</td>
      <td></td>
    </tr>
    <tr>
      <td>109</td>
      <td>sys_uname</td>
      <td></td>
    </tr>
    <tr>
      <td>110</td>
      <td>sys_iopl</td>
      <td></td>
    </tr>
    <tr>
      <td>111</td>
      <td>sys_vhangup</td>
      <td></td>
    </tr>
    <tr>
      <td>112</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>113</td>
      <td>sys_vm86old</td>
      <td></td>
    </tr>
    <tr>
      <td>114</td>
      <td>sys_wait4</td>
      <td></td>
    </tr>
    <tr>
      <td>115</td>
      <td>sys_swapoff</td>
      <td></td>
    </tr>
    <tr>
      <td>116</td>
      <td>sys_sysinfo</td>
      <td></td>
    </tr>
    <tr>
      <td>117</td>
      <td>sys_ipc</td>
      <td></td>
    </tr>
    <tr>
      <td>118</td>
      <td>sys_fsync</td>
      <td></td>
    </tr>
    <tr>
      <td>119</td>
      <td>sys_sigreturn</td>
      <td></td>
    </tr>
    <tr>
      <td>120</td>
      <td>sys_clone</td>
      <td></td>
    </tr>
    <tr>
      <td>121</td>
      <td>sys_setdomainname</td>
      <td></td>
    </tr>
    <tr>
      <td>122</td>
      <td>sys_newuname</td>
      <td></td>
    </tr>
    <tr>
      <td>123</td>
      <td>sys_modify_ldt</td>
      <td></td>
    </tr>
    <tr>
      <td>124</td>
      <td>sys_adjtimex</td>
      <td></td>
    </tr>
    <tr>
      <td>125</td>
      <td>sys_mprotect</td>
      <td></td>
    </tr>
    <tr>
      <td>126</td>
      <td>sys_sigprocmask</td>
      <td></td>
    </tr>
    <tr>
      <td>127</td>
      <td>sys_create_module</td>
      <td></td>
    </tr>
    <tr>
      <td>128</td>
      <td>sys_init_module</td>
      <td></td>
    </tr>
    <tr>
      <td>129</td>
      <td>sys_delete_module</td>
      <td></td>
    </tr>
    <tr>
      <td>130</td>
      <td>sys_get_kernel_syms</td>
      <td></td>
    </tr>
    <tr>
      <td>131</td>
      <td>sys_quotactl</td>
      <td></td>
    </tr>
    <tr>
      <td>132</td>
      <td>sys_getpgid</td>
      <td></td>
    </tr>
    <tr>
      <td>133</td>
      <td>sys_fchdir</td>
      <td></td>
    </tr>
    <tr>
      <td>134</td>
      <td>sys_bdflush</td>
      <td></td>
    </tr>
    <tr>
      <td>135</td>
      <td>sys_sysfs</td>
      <td></td>
    </tr>
    <tr>
      <td>136</td>
      <td>sys_personality</td>
      <td></td>
    </tr>
    <tr>
      <td>137</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>138</td>
      <td>sys_setfsuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>139</td>
      <td>sys_setfsgid16</td>
      <td></td>
    </tr>
    <tr>
      <td>140</td>
      <td>sys_llseek</td>
      <td></td>
    </tr>
    <tr>
      <td>141</td>
      <td>sys_getdents</td>
      <td></td>
    </tr>
    <tr>
      <td>142</td>
      <td>sys_select</td>
      <td></td>
    </tr>
    <tr>
      <td>143</td>
      <td>sys_flock</td>
      <td></td>
    </tr>
    <tr>
      <td>144</td>
      <td>sys_msync</td>
      <td></td>
    </tr>
    <tr>
      <td>145</td>
      <td>sys_readv</td>
      <td></td>
    </tr>
    <tr>
      <td>146</td>
      <td>sys_writev</td>
      <td></td>
    </tr>
    <tr>
      <td>147</td>
      <td>sys_getsid</td>
      <td></td>
    </tr>
    <tr>
      <td>148</td>
      <td>sys_fdatasync</td>
      <td></td>
    </tr>
    <tr>
      <td>149</td>
      <td>sys_sysctl</td>
      <td></td>
    </tr>
    <tr>
      <td>150</td>
      <td>sys_mlock</td>
      <td></td>
    </tr>
    <tr>
      <td>151</td>
      <td>sys_munlock</td>
      <td></td>
    </tr>
    <tr>
      <td>152</td>
      <td>sys_mlockall</td>
      <td></td>
    </tr>
    <tr>
      <td>153</td>
      <td>sys_munlockall</td>
      <td></td>
    </tr>
    <tr>
      <td>154</td>
      <td>sys_sched_setparam</td>
      <td></td>
    </tr>
    <tr>
      <td>155</td>
      <td>sys_sched_getparam</td>
      <td></td>
    </tr>
    <tr>
      <td>156</td>
      <td>sys_sched_setscheduler</td>
      <td></td>
    </tr>
    <tr>
      <td>157</td>
      <td>sys_sched_getscheduler</td>
      <td></td>
    </tr>
    <tr>
      <td>158</td>
      <td>sys_sched_yield</td>
      <td></td>
    </tr>
    <tr>
      <td>159</td>
      <td>sys_sched_get_priority_max</td>
      <td></td>
    </tr>
    <tr>
      <td>160</td>
      <td>sys_sched_get_priority_min</td>
      <td></td>
    </tr>
    <tr>
      <td>161</td>
      <td>sys_sched_rr_get_interval</td>
      <td></td>
    </tr>
    <tr>
      <td>162</td>
      <td>sys_nanosleep</td>
      <td></td>
    </tr>
    <tr>
      <td>163</td>
      <td>sys_mremap</td>
      <td></td>
    </tr>
    <tr>
      <td>164</td>
      <td>sys_setresuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>165</td>
      <td>sys_getresuid16</td>
      <td></td>
    </tr>
    <tr>
      <td>166</td>
      <td>sys_vm86</td>
      <td></td>
    </tr>
    <tr>
      <td>167</td>
      <td>sys_query_module</td>
      <td></td>
    </tr>
    <tr>
      <td>168</td>
      <td>sys_poll</td>
      <td></td>
    </tr>
    <tr>
      <td>169</td>
      <td>sys_nfsservctl</td>
      <td></td>
    </tr>
    <tr>
      <td>170</td>
      <td>sys_setresgid16</td>
      <td></td>
    </tr>
    <tr>
      <td>171</td>
      <td>sys_getresgid16</td>
      <td></td>
    </tr>
    <tr>
      <td>172</td>
      <td>sys_prctl</td>
      <td></td>
    </tr>
    <tr>
      <td>173</td>
      <td>sys_rt_sigreturn</td>
      <td></td>
    </tr>
    <tr>
      <td>174</td>
      <td>sys_rt_sigaction</td>
      <td></td>
    </tr>
    <tr>
      <td>175</td>
      <td>sys_rt_sigprocmask</td>
      <td></td>
    </tr>
    <tr>
      <td>176</td>
      <td>sys_rt_sigpending</td>
      <td></td>
    </tr>
    <tr>
      <td>177</td>
      <td>sys_rt_sigtimedwait</td>
      <td></td>
    </tr>
    <tr>
      <td>178</td>
      <td>sys_rt_sigqueueinfo</td>
      <td></td>
    </tr>
    <tr>
      <td>179</td>
      <td>sys_rt_sigsuspend</td>
      <td></td>
    </tr>
    <tr>
      <td>180</td>
      <td>sys_pread</td>
      <td></td>
    </tr>
    <tr>
      <td>181</td>
      <td>sys_pwrite</td>
      <td></td>
    </tr>
    <tr>
      <td>182</td>
      <td>sys_chown16</td>
      <td></td>
    </tr>
    <tr>
      <td>183</td>
      <td>sys_getcwd</td>
      <td></td>
    </tr>
    <tr>
      <td>184</td>
      <td>sys_capget</td>
      <td></td>
    </tr>
    <tr>
      <td>185</td>
      <td>sys_capset</td>
      <td></td>
    </tr>
    <tr>
      <td>186</td>
      <td>sys_sigaltstack</td>
      <td></td>
    </tr>
    <tr>
      <td>187</td>
      <td>sys_sendfile</td>
      <td></td>
    </tr>
    <tr>
      <td>188</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>189</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>190</td>
      <td>sys_vfork</td>
      <td></td>
    </tr>
    <tr>
      <td>191</td>
      <td>sys_getrlimit</td>
      <td></td>
    </tr>
    <tr>
      <td>192</td>
      <td>sys_mmap2</td>
      <td></td>
    </tr>
    <tr>
      <td>193</td>
      <td>sys_truncate64</td>
      <td></td>
    </tr>
    <tr>
      <td>194</td>
      <td>sys_ftruncate64</td>
      <td></td>
    </tr>
    <tr>
      <td>195</td>
      <td>sys_stat64</td>
      <td></td>
    </tr>
    <tr>
      <td>196</td>
      <td>sys_lstat64</td>
      <td></td>
    </tr>
    <tr>
      <td>197</td>
      <td>sys_fstat64</td>
      <td></td>
    </tr>
    <tr>
      <td>198</td>
      <td>sys_lchown</td>
      <td></td>
    </tr>
    <tr>
      <td>199</td>
      <td>sys_getuid</td>
      <td></td>
    </tr>
    <tr>
      <td>200</td>
      <td>sys_getgid</td>
      <td></td>
    </tr>
    <tr>
      <td>201</td>
      <td>sys_geteuid</td>
      <td></td>
    </tr>
    <tr>
      <td>202</td>
      <td>sys_getegid</td>
      <td></td>
    </tr>
    <tr>
      <td>203</td>
      <td>sys_setreuid</td>
      <td></td>
    </tr>
    <tr>
      <td>204</td>
      <td>sys_setregid</td>
      <td></td>
    </tr>
    <tr>
      <td>205</td>
      <td>sys_getgroups</td>
      <td></td>
    </tr>
    <tr>
      <td>206</td>
      <td>sys_setgroups</td>
      <td></td>
    </tr>
    <tr>
      <td>207</td>
      <td>sys_fchown</td>
      <td></td>
    </tr>
    <tr>
      <td>208</td>
      <td>sys_setresuid</td>
      <td></td>
    </tr>
    <tr>
      <td>209</td>
      <td>sys_getresuid</td>
      <td></td>
    </tr>
    <tr>
      <td>210</td>
      <td>sys_setresgid</td>
      <td></td>
    </tr>
    <tr>
      <td>211</td>
      <td>sys_getresgid</td>
      <td></td>
    </tr>
    <tr>
      <td>212</td>
      <td>sys_chown</td>
      <td></td>
    </tr>
    <tr>
      <td>213</td>
      <td>sys_setuid</td>
      <td></td>
    </tr>
    <tr>
      <td>214</td>
      <td>sys_setgid</td>
      <td></td>
    </tr>
    <tr>
      <td>215</td>
      <td>sys_setfsuid</td>
      <td></td>
    </tr>
    <tr>
      <td>216</td>
      <td>sys_setfsgid</td>
      <td></td>
    </tr>
    <tr>
      <td>217</td>
      <td>sys_pivot_root</td>
      <td></td>
    </tr>
    <tr>
      <td>218</td>
      <td>sys_mincore</td>
      <td></td>
    </tr>
    <tr>
      <td>219</td>
      <td>sys_madvise</td>
      <td></td>
    </tr>
    <tr>
      <td>220</td>
      <td>sys_getdents64</td>
      <td></td>
    </tr>
    <tr>
      <td>221</td>
      <td>sys_fcntl64</td>
      <td></td>
    </tr>
    <tr>
      <td>222</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>223</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>224</td>
      <td>sys_gettid</td>
      <td></td>
    </tr>
    <tr>
      <td>225</td>
      <td>sys_readahead</td>
      <td></td>
    </tr>
    <tr>
      <td>226</td>
      <td>sys_setxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>227</td>
      <td>sys_lsetxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>228</td>
      <td>sys_fsetxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>229</td>
      <td>sys_getxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>230</td>
      <td>sys_lgetxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>231</td>
      <td>sys_fgetxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>232</td>
      <td>sys_listxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>233</td>
      <td>sys_llistxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>234</td>
      <td>sys_flistxattr</td>
      <td></td>
    </tr>
    <tr>
      <td>235</td>
      <td>sys_removexattr</td>
      <td></td>
    </tr>
    <tr>
      <td>236</td>
      <td>sys_lremovexattr</td>
      <td></td>
    </tr>
    <tr>
      <td>237</td>
      <td>sys_fremovexattr</td>
      <td></td>
    </tr>
    <tr>
      <td>238</td>
      <td>sys_tkill</td>
      <td></td>
    </tr>
    <tr>
      <td>239</td>
      <td>sys_sendfile64</td>
      <td></td>
    </tr>
    <tr>
      <td>240</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>241</td>
      <td>sys_sched_setaffinity</td>
      <td></td>
    </tr>
    <tr>
      <td>242</td>
      <td>sys_sched_getaffinity</td>
      <td></td>
    </tr>
    <tr>
      <td>243</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>244</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>245</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>246</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>247</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>248</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>249</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>250</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>251</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>252</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>253</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>254</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>255</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>256</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>257</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>258</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>259</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>260</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>261</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>262</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>263</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>264</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>265</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>266</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>267</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>268</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>269</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
    <tr>
      <td>270</td>
      <td>sys_ni_syscall</td>
      <td>nonimplemented</td>
    </tr>
  </tbody>
</table>
</body>
</html>
Note: all paths below are relative to l4linux-2.6/
*Documentation/~DocBook/kernel-hacking.tmpl:
**asmlinkage long sys_mycall(int arg)
*arch/i386/kernel/sys_i386.c:
**int sys_pipe(unsigned long _user * fildes)
**int sys_olduname(struct oldold_utsname _user * name)
**int old_select(struct sel_arg_struct _user *arg)
**int old_mmap(struct mmap_arg_struct _user *arg)
**int sys_uname(struct old_utsname _user * name)
**int sys_ipc (uint call, int first, int second, int third, void _user *ptr, long fifth)
**long sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long pgoff)
*arch/l4/kernel/arch-i386/ioport.c:
**long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
**long sys_iopl(unsigned long unused)
*arch/l4/kernel/arch-i386/ldt.c:
**int sys_modify_ldt(int func, void _user *ptr, unsigned long bytecount)
*arch/l4/kernel/arch-i386/process.c:
**int sys_fork(void)
**int sys_clone(void)
**int sys_vfork(void)
**int sys_execve(char *name, char **argv, char **envp)
**int sys_set_thread_area(struct user_desc _user *u_info)
**int sys_get_thread_area(struct user_desc _user *u_info)
*arch/l4/kernel/arch-i386/ptrace.c:
**int sys_ptrace(long request, long pid, long addr, long data)
*arch/l4/kernel/arch-i386/signal.c:
**int sys_sigaltstack(unsigned long ebx)
**int sys_rt_sigsuspend(struct pt_regs _regs)
**int sys_sigreturn(unsigned long _unused)
**int sys_rt_sigreturn(unsigned long _unused)
**int sys_sigaction(int sig, const struct old_sigaction _user *act, struct old_sigaction _user *oact)
**int sys_sigsuspend(int history0, int history1, old_sigset_t mask)
*arch/l4/kernel/arch-i386/unimpl.c:
**int sys_vm86(void)
**int sys_vm86old(void)
*fs/aio.c:
**long sys_io_setup(unsigned nr_events, aio_context_t _user *ctxp)
**long sys_io_destroy(aio_context_t ctx)
**long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb _user * _user *iocbpp)
**long sys_io_cancel(aio_context_t ctx_id, struct iocb _user *iocb, struct io_event _user *result)
**long sys_io_getevents(aio_context_t ctx_id, long min_nr, long nr, struct io_event _user *events, struct timespec _user *timeout)
*fs/buffer.c:
**long sys_sync(void)
**long sys_fsync(unsigned int fd)
**long sys_fdatasync(unsigned int fd)
**long sys_bdflush(int func, long data)
*fs/dcache.c:
**long sys_getcwd(char _user *buf, unsigned long size)
*fs/dcookies.c:
**long sys_lookup_dcookie(u64 cookie64, char _user * buf, size_t len)
*fs/eventpoll.c:
**long sys_epoll_ctl(int epfd, int op, int fd, struct epoll_event _user *event)
**long sys_epoll_create(int size)
**long sys_epoll_wait(int epfd, struct epoll_event _user *events, int maxevents, int timeout)
*fs/exec.c:
**long sys_uselib(const char _user * library)
*fs/fcntl.c:
**long sys_dup2(unsigned int oldfd, unsigned int newfd)
**long sys_dup(unsigned int fildes)
**long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
**long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/filesystems.c:
**long sys_sysfs(int option, unsigned long arg1, unsigned long arg2)
*fs/ioctl.c:
**long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/locks.c:
**long sys_flock(unsigned int fd, unsigned int cmd)
*fs/namei.c:
**long sys_mknod(const char _user * filename, int mode, unsigned dev)
**long sys_mkdir(const char _user * pathname, int mode)
**long sys_rmdir(const char _user * pathname)
**long sys_unlink(const char _user * pathname)
**long sys_symlink(const char _user * oldname, const char _user * newname)
**long sys_link(const char _user * oldname, const char _user * newname)
**long sys_rename(const char _user * oldname, const char _user * newname)
*fs/namespace.c:
**long sys_umount(char _user * name, int flags)
**long sys_oldumount(char _user * name)
**long sys_mount(char _user * dev_name, char _user * dir_name, char _user * type, unsigned long flags, void _user * data)
**long sys_pivot_root(const char _user *new_root, const char _user *put_old)
*fs/nfsctl.c:
**sys_nfsservctl(int cmd, struct nfsctl_arg _user *arg, void _user *res)
*fs/open.c:
**long sys_statfs(const char _user * path, struct statfs _user * buf)
**long sys_statfs64(const char _user *path, size_t sz, struct statfs64 _user *buf)
**long sys_fstatfs(unsigned int fd, struct statfs _user * buf)
**long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 _user *buf)
**long sys_truncate(const char _user * path, unsigned long length)
**long sys_ftruncate(unsigned int fd, unsigned long length)
**long sys_truncate64(const char _user * path, loff_t length)
**long sys_ftruncate64(unsigned int fd, loff_t length)
**long sys_utime(char _user * filename, struct utimbuf _user * times)
**long sys_utimes(char _user * filename, struct timeval _user * utimes)
**long sys_access(const char _user * filename, int mode)
**long sys_chdir(const char _user * filename)
**long sys_fchdir(unsigned int fd)
**long sys_chroot(const char _user * filename)
**long sys_fchmod(unsigned int fd, mode_t mode)
**long sys_chmod(const char _user * filename, mode_t mode)
**long sys_chown(const char _user * filename, uid_t user, gid_t group)
**long sys_lchown(const char _user * filename, uid_t user, gid_t group)
**long sys_fchown(unsigned int fd, uid_t user, gid_t group)
**long sys_open(const char _user * filename, int flags, int mode)
**long sys_creat(const char _user * pathname, int mode)
**long sys_close(unsigned int fd)
**long sys_vhangup(void)
*fs/quota.c:
**long sys_quotactl(unsigned int cmd, const char _user *special, qid_t id, void _user *addr)
*fs/read_write.c:
**ssize_t sys_readv(unsigned long fd, const struct iovec _user *vec, unsigned long vlen)
**ssize_t sys_writev(unsigned long fd, const struct iovec _user *vec, unsigned long vlen)
**off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
**long sys_llseek(unsigned int fd, unsigned long offset_high, unsigned long offset_low, loff_t _user * result, unsigned int origin)
**ssize_t sys_read(unsigned int fd, char _user * buf, size_t count)
**ssize_t sys_write(unsigned int fd, const char _user * buf, size_t count)
**ssize_t sys_pread64(unsigned int fd, char _user *buf, size_t count, loff_t pos)
**ssize_t sys_pwrite64(unsigned int fd, const char _user *buf, size_t count, loff_t pos)
**ssize_t sys_sendfile(int out_fd, int in_fd, off_t _user *offset, size_t count)
**ssize_t sys_sendfile64(int out_fd, int in_fd, loff_t _user *offset, size_t count)
*fs/readdir.c:
**long old_readdir(unsigned int fd, struct old_linux_dirent _user * dirent, unsigned int count)
**long sys_getdents(unsigned int fd, struct linux_dirent _user * dirent, unsigned int count)
**long sys_getdents64(unsigned int fd, struct linux_dirent64 _user * dirent, unsigned int count)
*fs/select.c:
**long sys_poll(struct pollfd _user * ufds, unsigned int nfds, long timeout)
**long sys_select(int n, fd_set _user *inp, fd_set _user *outp, fd_set _user *exp, struct timeval _user *tvp)
*fs/stat.c:
**long sys_stat(char _user * filename, struct _old_kernel_stat _user * statbuf)
**long sys_lstat(char _user * filename, struct _old_kernel_stat _user * statbuf)
**long sys_fstat(unsigned int fd, struct _old_kernel_stat _user * statbuf)
**long sys_newstat(char _user * filename, struct stat _user * statbuf)
**long sys_newlstat(char _user * filename, struct stat _user * statbuf)
**long sys_newfstat(unsigned int fd, struct stat _user * statbuf)
**long sys_readlink(const char _user * path, char _user * buf, int bufsiz)
**long sys_stat64(char _user * filename, struct stat64 _user * statbuf)
**long sys_lstat64(char _user * filename, struct stat64 _user * statbuf)
**long sys_fstat64(unsigned long fd, struct stat64 _user * statbuf)
*fs/super.c:
**long sys_ustat(unsigned dev, struct ustat _user * ubuf)
*fs/xattr.c:
**long sys_setxattr(char _user *path, char _user *name, void _user *value, size_t size, int flags)
**long sys_lsetxattr(char _user *path, char _user *name, void _user *value, size_t size, int flags)
**long sys_fsetxattr(int fd, char _user *name, void _user *value, size_t size, int flags)
**ssize_t sys_getxattr(char _user *path, char _user *name, void _user *value, size_t size)
**ssize_t sys_lgetxattr(char _user *path, char _user *name, void _user *value, size_t size)
**ssize_t sys_fgetxattr(int fd, char _user *name, void _user *value, size_t size)
**ssize_t sys_listxattr(char _user *path, char _user *list, size_t size)
**ssize_t sys_llistxattr(char _user *path, char _user *list, size_t size)
**ssize_t sys_flistxattr(int fd, char _user *list, size_t size)
**long sys_removexattr(char _user *path, char _user *name)
**long sys_lremovexattr(char _user *path, char _user *name)
**long sys_fremovexattr(int fd, char _user *name)
*ipc/mqueue.c:
**long sys_mq_open(const char _user *u_name, int oflag, mode_t mode, struct mq_attr _user *u_attr)
**long sys_mq_unlink(const char _user *u_name)
**long sys_mq_timedsend(mqd_t mqdes, const char _user *u_msg_ptr, size_t msg_len, unsigned int msg_prio, const struct timespec _user *u_abs_timeout)
**ssize_t sys_mq_timedreceive(mqd_t mqdes, char _user *u_msg_ptr, size_t msg_len, unsigned int _user *u_msg_prio, const struct timespec _user *u_abs_timeout)
**long sys_mq_notify(mqd_t mqdes, const struct sigevent _user *u_notification)
**long sys_mq_getsetattr(mqd_t mqdes, const struct mq_attr _user *u_mqstat, struct mq_attr _user *u_omqstat)
*kernel/acct.c:
**long sys_acct(const char _user *name)
*kernel/capability.c:
**long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
**long sys_capset(cap_user_header_t header, const cap_user_data_t data)
*kernel/exec_domain.c:
**long sys_personality(u_long personality)
*kernel/exit.c:
**long sys_exit(int error_code)
**void sys_exit_group(int error_code)
**long sys_waitid(int which, pid_t pid, struct siginfo _user *infop, int options, struct rusage _user *ru)
**long sys_wait4(pid_t pid, int _user *stat_addr, int options, struct rusage _user *ru)
**long sys_waitpid(pid_t pid, int _user *stat_addr, int options)
*kernel/fork.c:
**long sys_set_tid_address(int _user *tidptr)
*kernel/futex.c:
**long sys_futex(u32 _user *uaddr, int op, int val, struct timespec _user *utime, u32 _user *uaddr2, int val3)
*kernel/itimer.c:
**long sys_getitimer(int which, struct itimerval _user *value)
**long sys_setitimer(int which, struct itimerval _user *value, struct itimerval _user *ovalue)
*kernel/module.c:
**long sys_init_module(void _user *umod, unsigned long len, const char _user *uargs)
**long sys_delete_module(const char _user *name_user, unsigned int flags)
*kernel/posix-timers.c:
**long sys_timer_create(clockid_t which_clock, struct sigevent _user *timer_event_spec, timer_t _user * created_timer_id)
**long sys_timer_settime(timer_t timer_id, int flags, const struct itimerspec _user *new_setting, struct itimerspec _user *old_setting)
**long sys_timer_gettime(timer_t timer_id, struct itimerspec _user *setting)
**long sys_timer_getoverrun(timer_t timer_id)
**long sys_timer_delete(timer_t timer_id)
**long sys_clock_gettime(clockid_t which_clock, struct timespec _user *tp)
**long sys_clock_settime(clockid_t which_clock, const struct timespec _user *tp)
**long sys_clock_getres(clockid_t which_clock, struct timespec _user *tp)
**long sys_clock_nanosleep(clockid_t which_clock, int flags, const struct timespec _user *rqtp, struct timespec _user *rmtp)
*kernel/printk.c:
**long sys_syslog(int type, char _user * buf, int len)
*kernel/sched.c:
**long sys_nice(int increment)
**long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param _user *param)
**long sys_sched_setparam(pid_t pid, struct sched_param _user *param)
**long sys_sched_getscheduler(pid_t pid)
**long sys_sched_getparam(pid_t pid, struct sched_param _user *param)
**long sys_sched_setaffinity(pid_t pid, unsigned int len, unsigned long _user *user_mask_ptr)
**long sys_sched_getaffinity(pid_t pid, unsigned int len, unsigned long _user *user_mask_ptr)
**long sys_sched_yield(void)
**long sys_sched_get_priority_max(int policy)
**long sys_sched_get_priority_min(int policy)
**long sys_sched_rr_get_interval(pid_t pid, struct timespec _user *interval)
*kernel/signal.c:
**long sys_tkill(int pid, int sig)
**long sys_rt_sigaction(int sig, const struct sigaction _user *act, struct sigaction _user *oact, size_t sigsetsize)
**long sys_rt_sigprocmask(int how, sigset_t _user *set, sigset_t _user *oset, size_t sigsetsize)
**long sys_rt_sigpending(sigset_t _user *set, size_t sigsetsize)
**long sys_rt_sigtimedwait(const sigset_t _user *uthese, siginfo_t _user *uinfo, const struct timespec _user *uts, size_t sigsetsize)
**long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t _user *uinfo)
**long sys_sigprocmask(int how, old_sigset_t _user *set, old_sigset_t _user *oset)
**long sys_restart_syscall(void)
**long sys_tgkill(int tgid, int pid, int sig)
**long sys_pause(void)
**long sys_kill(int pid, int sig)
**unsigned long sys_signal(int sig, _sighandler_t handler)
**long sys_sgetmask(void)
**long sys_ssetmask(int newmask)
**long sys_sigpending(old_sigset_t _user *set)
*kernel/sys.c:
**long sys_setpriority(int which, int who, int niceval)
**long sys_getpriority(int which, int who)
**long sys_reboot(int magic1, int magic2, unsigned int cmd, void _user * arg)
**long sys_setregid(gid_t rgid, gid_t egid)
**long sys_setgid(gid_t gid)
**long sys_setreuid(uid_t ruid, uid_t euid)
**long sys_setuid(uid_t uid)
**long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
**long sys_getresuid(uid_t _user *ruid, uid_t _user *euid, uid_t _user *suid)
**long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
**long sys_getresgid(gid_t _user *rgid, gid_t _user *egid, gid_t _user *sgid)
**long sys_setfsuid(uid_t uid)
**long sys_setfsgid(gid_t gid)
**long sys_times(struct tms _user * tbuf)
**long sys_setpgid(pid_t pid, pid_t pgid)
**long sys_getpgid(pid_t pid)
**long sys_getpgrp(void)
**long sys_getsid(pid_t pid)
**long sys_setsid(void)
**long sys_getgroups(int gidsetsize, gid_t _user *grouplist)
**long sys_setgroups(int gidsetsize, gid_t _user *grouplist)
**long sys_newuname(struct new_utsname _user * name)
**long sys_sethostname(char _user *name, int len)
**long sys_setdomainname(char _user *name, int len)
**long sys_getrlimit(unsigned int resource, struct rlimit _user *rlim)
**long sys_old_getrlimit(unsigned int resource, struct rlimit _user *rlim)
**long sys_setrlimit(unsigned int resource, struct rlimit _user *rlim)
**long sys_getrusage(int who, struct rusage _user *ru)
**long sys_umask(int mask)
**long sys_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)
*kernel/sys_ni.c:
**long sys_ni_syscall(void)
*kernel/sysctl.c:
**long sys_sysctl(struct _sysctl_args _user *args)
*kernel/time.c:
**long sys_time(time_t _user * tloc)
**long sys_stime(time_t _user *tptr)
**long sys_gettimeofday(struct timeval _user *tv, struct timezone _user *tz)
**long sys_settimeofday(struct timeval _user *tv, struct timezone _user *tz)
**long sys_adjtimex(struct timex _user *txc_p)
*kernel/timer.c:
**unsigned long sys_alarm(unsigned int seconds)
**long sys_getpid(void)
**long sys_getppid(void)
**long sys_getuid(void)
**long sys_geteuid(void)
**long sys_getgid(void)
**long sys_getegid(void)
**long sys_gettid(void)
**long sys_nanosleep(struct timespec _user *rqtp, struct timespec _user *rmtp)
**long sys_sysinfo(struct sysinfo _user *info)
*kernel/uid16.c:
**long sys_chown16(const char _user * filename, old_uid_t user, old_gid_t group)
**long sys_lchown16(const char _user * filename, old_uid_t user, old_gid_t group)
**long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
**long sys_setregid16(old_gid_t rgid, old_gid_t egid)
**long sys_setgid16(old_gid_t gid)
**long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
**long sys_setuid16(old_uid_t uid)
**long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
**long sys_getresuid16(old_uid_t _user *ruid, old_uid_t _user *euid, old_uid_t _user *suid)
**long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
**long sys_getresgid16(old_gid_t _user *rgid, old_gid_t _user *egid, old_gid_t _user *sgid)
**long sys_setfsuid16(old_uid_t uid)
**long sys_setfsgid16(old_gid_t gid)
**long sys_getgroups16(int gidsetsize, old_gid_t _user *grouplist)
**long sys_setgroups16(int gidsetsize, old_gid_t _user *grouplist)
**long sys_getuid16(void)
**long sys_geteuid16(void)
**long sys_getgid16(void)
**long sys_getegid16(void)
*mm/fadvise.c:
**long sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice)
**long sys_fadvise64(int fd, loff_t offset, size_t len, int advice)
*mm/filemap.c:
**ssize_t sys_readahead(int fd, loff_t offset, size_t count)
*mm/fremap.c:
**long sys_remap_file_pages(unsigned long start, unsigned long size, unsigned long _prot, unsigned long pgoff, unsigned long flags)
*mm/madvise.c:
**long sys_madvise(unsigned long start, size_t len_in, int behavior)
*mm/mempolicy.c:
**long sys_mbind(unsigned long start, unsigned long len, unsigned long mode, unsigned long _user *nmask, unsigned long maxnode, unsigned flags)
**long sys_set_mempolicy(int mode, unsigned long _user *nmask, unsigned long maxnode)
**long sys_get_mempolicy(int _user *policy, unsigned long _user *nmask, unsigned long maxnode, unsigned long addr, unsigned long flags)
*mm/mincore.c:
**long sys_mincore(unsigned long start, size_t len, unsigned char _user * vec)
*mm/mlock.c:
**long sys_mlock(unsigned long start, size_t len)
**long sys_munlock(unsigned long start, size_t len)
**long sys_mlockall(int flags)
**long sys_munlockall(void)
*mm/mmap.c:
**unsigned long sys_brk(unsigned long brk)
**long sys_munmap(unsigned long addr, size_t len)
*mm/mremap.c:
**unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr)
*mm/msync.c:
**long sys_msync(unsigned long start, size_t len, int flags)
*mm/nommu.c:
**unsigned long sys_brk(unsigned long brk)
**long sys_munmap(unsigned long addr, size_t len)
*mm/mprotect.c:
**long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
*mm/swapfile.c:
**long sys_swapoff(const char _user * specialfile)
**long sys_swapon(const char _user * specialfile, int swap_flags)
*security/keys/keyctl.c:
**long sys_add_key(const char _user *_type, const char _user *_description, const void _user *_payload, size_t plen, key_serial_t ringid)
**long sys_request_key(const char _user *_type, const char _user *_description, const char _user *_callout_info, key_serial_t destringid)
**long sys_keyctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)
// // ''Plugin Name:'' ListWithTags
// // ''Author:'' PaulPetterson
// // ''Purpose:'' extends the TiddlyWiki list macro with support for listing
// // tiddlers with specified tags
// // ''Parameters:'' 1..N: tag selection criteria - 
// // //tag//, AND, OR, NOT, and/or Parentheses
// // ''Usage:'' insert <list withTags systemConfig OR systemTiddlers> to 
// // list out all tiddlers with a systemConfig or systemTiddlers tag
// // ''Notes:'' it must be a valid boolean expression over existing tag names;
// // an invalid expression lists nothing (the parse error is caught and an
// // empty result is returned). Follows standard operator precedence so
// // use parentheses to disambiguate the criteria. You can substitute 
// // the JavaScript standard symbols &&, ||, and ! for AND, OR, and NOT.
// // ''Examples:'' <list withTags project and (urgent or important)> - 
// // will list all tiddlers with a project tag and either 
// // an urgent or important tag.

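config.macros.list.withTags = {}

// Split the query text into tokens: "(", ")", "AND", "OR", "NOT" or a
// {type:"TAG", name:...} whose name is the tag exactly as the store spells it.
// knownTags must be sorted longest-first so that a multi-word tag wins over
// a tag that is merely its prefix. Tag names are matched case-insensitively
// and must end at whitespace, a parenthesis, an operator symbol or the end of
// the text, so "project" no longer matches inside "projects". Returns null if
// any piece of the text is neither an operator nor a known tag.
config.macros.list.withTags.tokenize = function(text, knownTags)
{
 var tokens = [];
 var pos = 0;
 var len = text.length;
 var endsToken = function(p) {
 return p >= len || /[\s()!&|]/.test(text.charAt(p));
 };
 while ( pos < len ) {
 var ch = text.charAt(pos);
 if ( /\s/.test(ch) ) { pos++; continue; }
 if ( ch == "(" || ch == ")" ) { tokens.push({type: ch}); pos++; continue; }
 if ( ch == "!" ) { tokens.push({type: "NOT"}); pos++; continue; }
 if ( text.substr(pos, 2) == "&&" ) { tokens.push({type: "AND"}); pos += 2; continue; }
 if ( text.substr(pos, 2) == "||" ) { tokens.push({type: "OR"}); pos += 2; continue; }
 var rest = text.slice(pos);
 // Known tags are tried before the word operators, as in the original
 // regex rewrite, so a tag literally named "or" can still be queried.
 var matched = null;
 for ( var i = 0; i < knownTags.length; i++ ) {
 var candidate = knownTags[i];
 if ( rest.substr(0, candidate.length).toLowerCase() == candidate.toLowerCase()
 && endsToken(pos + candidate.length) ) {
 matched = candidate;
 break;
 }
 }
 if ( matched !== null ) {
 tokens.push({type: "TAG", name: matched});
 pos += matched.length;
 continue;
 }
 var word = /^[^\s()!&|]+/.exec(rest);
 if ( word ) {
 var op = word[0].toLowerCase();
 if ( op == "and" || op == "or" || op == "not" ) {
 tokens.push({type: op.toUpperCase()});
 pos += word[0].length;
 continue;
 }
 }
 return null; // unknown word, or a stray "&" / "|": not a valid query
 }
 return tokens;
}

// Turn a token list into a predicate function(present) -> boolean, where
// `present` maps each of a tiddler's tags to true. Recursive descent with
// the precedence the old eval()-based version inherited from JavaScript
// (NOT binds tightest, then AND, then OR):
//   expr   := term ( OR term )*
//   term   := factor ( AND factor )*
//   factor := NOT factor | "(" expr ")" | TAG
// Returns null on a syntax error or when tokens are left over.
config.macros.list.withTags.compile = function(tokens)
{
 var pos = 0;
 var peek = function() { return pos < tokens.length ? tokens[pos].type : null; };
 var both = function(l, r) { return function(present) { return l(present) && r(present); }; };
 var either = function(l, r) { return function(present) { return l(present) || r(present); }; };
 var negate = function(f) { return function(present) { return !f(present); }; };
 var hasTag = function(name) {
 // Strict equality guards against inherited Object.prototype members
 // ("constructor", "toString", ...) being mistaken for tags.
 return function(present) { return present[name] === true; };
 };
 var parseExpr;
 var parseFactor = function() {
 var type = peek();
 if ( type == "NOT" ) {
 pos++;
 var inner = parseFactor();
 return inner ? negate(inner) : null;
 }
 if ( type == "(" ) {
 pos++;
 var sub = parseExpr();
 if ( !sub || peek() != ")" ) return null;
 pos++;
 return sub;
 }
 if ( type == "TAG" ) return hasTag(tokens[pos++].name);
 return null;
 };
 var parseTerm = function() {
 var left = parseFactor();
 while ( left && peek() == "AND" ) {
 pos++;
 var right = parseFactor();
 left = right ? both(left, right) : null;
 }
 return left;
 };
 parseExpr = function() {
 var left = parseTerm();
 while ( left && peek() == "OR" ) {
 pos++;
 var right = parseTerm();
 left = right ? either(left, right) : null;
 }
 return left;
 };
 var predicate = parseExpr();
 return ( predicate && pos == tokens.length ) ? predicate : null;
}

// List-macro filter: <<list withTags A AND (B OR NOT C)>> lists the tiddlers
// whose tags satisfy the boolean expression in parameters 1..N. With no
// criteria it defers to the plain `all` lister, like the original.
//
// The previous version rewrote the parameters into JavaScript source and
// ran it through eval(); any text that reached the macro call could thereby
// execute script in the reader's browser, and tags containing regex
// metacharacters ("c++", "v1.0") either broke the rewrite or matched the
// wrong tiddlers. The query is now tokenised and interpreted directly:
// only known tag names and the five operators are ever accepted, a tag
// matches by exact membership in tiddler.tags rather than by substring,
// and a malformed query yields an empty list.
//
// store.getTags() appears to return [name, count] pairs (the original
// stripped a ",<digits>" suffix after joining them); plain strings are
// tolerated as well.
config.macros.list.withTags.handler = function(params)
{
 if ( !params || !params[1] )
 return config.macros.list.all.handler(params);

 var known = [];
 var tagList = store.getTags();
 for ( var i = 0; i < tagList.length; i++ ) {
 var entry = tagList[i];
 var name = ( entry instanceof Array ) ? String(entry[0]) : String(entry).replace(/,\d+$/, "");
 if ( name.length > 0 ) known.push(name);
 }
 if ( known.length == 0 ) return [];
 // Longest first so that multi-word tags beat their own prefixes.
 known.sort(function(a, b) { return b.length - a.length; });

 var lister = config.macros.list.withTags;
 var tokens = lister.tokenize(params.slice(1).join(" "), known);
 var predicate = tokens ? lister.compile(tokens) : null;
 if ( !predicate ) return []; // malformed query: list nothing rather than guess

 var results = [];
 for ( var t in store.tiddlers ) {
 var tiddler = store.tiddlers[t];
 var present = {};
 var tiddlerTags = tiddler.tags || [];
 for ( var k = 0; k < tiddlerTags.length; k++ ) present[tiddlerTags[k]] = true;
 if ( predicate(present) ) results.push( tiddler );
 }
 results.sort(function (a, b) {
 if ( a.title == b.title ) return 0;
 return ( a.title < b.title ) ? -1 : 1;
 });
 return results;
}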
[[News]]
[[People]]
[[Publications]]
[[Research]]
[[GT Honeynet|The Georgia Tech Honeynet]]
[[Undergraduate Research]]
[[Useful Tools]]
[[About]]
!__1.0 Honeynet Deployments__
!!1.1 Current technologies deployed.
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to run mostly high interaction honeypots. Here is the architecture of our current setup:

[img[images/arch.gif]]

We are using the honeywall "roo" CDROM and conduct all monitoring of the honeynet on an analysis box that is separate from the honeywall (bridge) machine. We continue to deploy a Darknet within our honeynet and have expanded the range of the darknet. Our focus is on using the honeynet as an intrusion detection tool to help secure the campus network. We have also been developing visualization tools in order to more efficiently and thoroughly analyze the data we are collecting.
!!1.2 Lessons learned from the technology, what you like about it.
*The technology is very flexible. There are many different scenarios that can be set up with the technology.
*The technology provides a sound infrastructure for logging information. We feel that the bridge logging mechanism is reasonably secure and gives us confidence in deploying a honeynet on a campus network. We have logged all packets to and from the honeypots for over three years now, which shows that the technology is working well.
!!1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.
*Would like to see the analysis tools mature. A lot of work has gone into the analysis tools, and we expect that work will pay off soon. Currently, we still use ethereal and homegrown tools for analysis.
*Need some better anonymization tools in order to share data.
*Need ability to backup data. Currently, we sync our data with another machine; perhaps this ability should be added to the honeywall.
!__2.0 Findings__
!!2.1 Number and type of systems compromised during six month period.
We have not had any compromises during this period.
!!2.2 Highlight any unique findings, attacks, tools, or methods.
We have seen an increase in ssh attacks. We think these are password brute forcing attacks, but they have not been successful.

We had approximately 75 unique machines on the Georgia Tech campus that attempted to connect to the honeynet during this period. (These machines are assumed to be compromised or in use by a malicious person; because no legitimate service is hosted on the honeynet's addresses, a connection attempt is a strong indicator, but misconfiguration or authorized campus scanning can produce false positives and should be ruled out before a host is reported.)
!!2.3 Any trends seen in the past six months.
*Increased ssh activity on port 22.
*Continue to see pop-up spam messages.
*Less activity seen from within Georgia Tech campus.
!!2.4 Document data analysis tools and methods being used.
*We currently use perl scripts as our primary method of generating daily reports (sent to Office of Information Technology) of Georgia Tech Hosts that have attempted to connect to the honeynet.
*We use ethereal with various filters in order to investigate details in our logs.
*We have developed two visualization tools that we are currently using to help monitor the honeynet.
*We have continued development of several perl scripts to parse through the logs. In addition to trend plots, we also use the scripts for daily summary information.
*We use the NETI@home http://www.neti.gatech.edu code to run on previously logged pcap files for flow based analysis.
!!2.5 For data analysis what tools work well, and what still needs to be developed.
We have come up with some different visualizations that are beginning to work well for analysis. Some plots that are useful include source IP to destination port, highlighting ~NOOPs in binary streams, and scrolling text rainfall. We are just beginning to develop these tools, and they need continued development.

One need we have is the ability to ensure that all packets are accounted for during a given day. It would be nice to know exactly what each packet is, group similar packets together, and sort out packets that have already been processed. This way we can more quickly ensure that all activity has been processed.
!__3.0 Misc. Activities__
!!3.1 Presenting at conferences
*Julian Grizzard presented a presentation on "Flow Based Observations on NETI@home and Honeynet Data" at the 6th IEEE IAW.
*Greg Conti presented a presentation on "~Real-Time and Forensic Network Data Analysis Using Animated and Coordinate Visualization" at the 6th IEEE IAW.
!!3.2 Developing, testing or releasing code
We have been developing visualization tools and anonymization tools. These tools are not yet ready for release.
!!3.3 Publication of papers
The following papers have been published in the IEEE Information Assurance Workshop proceedings:
*"~Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization" by Sven Krasser, Gregory Conti, Julian Grizzard, Jeff Gribschaw, and Henry Owen.
*"Flow Based Observations from NETI@home and Honeynet Data" by Julian Grizzard, Charles R. Simpson, Jr., Sven Krasser, George Riley, and Henry Owen.
The following paper has been published at the Symposium on Usable Privacy and Security (SOUPS); July 2005:
*"Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" by G. Conti, M. Ahamad and J. Stasko.
The following paper has been published in the proceedings of the Workshop on Visualization for Computer Security:
*"Visual Exploration of Malicious Network Objects Using Semantic Zoom, Interactive Encoding and Dynamic Queries" by G. Conti, J. Grizzard, M. Ahamad, and H. Owen.
!!3.4 Involvement in ~SotM challenges.
We have not participated.
!!3.5 Other
We have been preparing to turn the lead of the honeynet over to Chris Lee. We are updating our continuity file in order to ease this transition. Julian Grizzard is the current lead and expects to graduate in May 2006. Chris will be slowly transitioning over to the new lead. We highly recommend maintaining a continuity file for any organization running a honeynet as much can be learned from previous leadership.
!__4.0 Organizational__
!!4.1 Changes in your structure of your organization.
We will be transitioning over to a new lead. Chris Lee will transition to the new lead of the Georgia Tech honeynet by the end of this next period.
!__5.0 Lessons Learned__
!!5.1 What positive things can you share with the community, so they can replicate your success.
The honeynet has definitely proven useful as a tool to help secure a network. We recommend that others use a honeynet to help secure the network as any activity that is picked up by a honeynet is usually malicious. We have been reporting malicious machines to the Georgia Tech Information Security team for over three years now and have found a large number of machines that have been compromised.

The data set provided by the honeynet is a great source to test new research ideas. It is difficult to get real data to test new ideas. The honeynet has proven very useful in this area.
!!5.2 What mistakes can you share with the community, so they don't make the same mistakes.
Although we have tried to document all of our findings as they have happened, some documentation and knowledge has been lost. We highly recommend that other people in the community set up a good documentation system early on in their deployment so that past findings and analysis are not lost.
!__6.0 Goals__
!!6.1 Plans/Goals for next six months.
*Develop anonymization tools so that data can be released to the community.
*Continue visualization work and begin to release some tools to the community.
*Capture more compromises.
*Develop new uses of a honeynet to help secure the campus network.
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <title>Network Security and Architecture Laboratory</title>

<link rel="stylesheet" type="text/css" href="http://www.ece.gatech.edu/research/labs/nsa/nsa.css">
</head>
<body>

<style type='text/css'>
H3 {
	font: bold 12pt serif;
}
H2 {
	text-decoration: underline;
}
</style>
<h1>Honeynet Report (March 15, 2005 – March 18, 2007)</h1>
<h2>1.0 DEPLOYMENTS</h2>

<h3>1.1  Current technologies deployed. Describe anything that you have
     deployed that is collecting information, including honeynets,
     client honeypots, honeyd, mwcollect, or anything else honeypot
     related.</h3>
<p>
	We have expanded our operations and are currently running three honeynets (each with different technologies) and experimenting with a fourth technology.  We are still running our wonderful GEN II Honeynet with high-interaction honeypots and nepenthes sensors.  We've also started a Global Distributed Honeynet.  Through relationships with the distributed honeynet guys, William McCammon and Albert Gonzalez, I've started a node on their network.  Lastly, we are trying to start a dynamic honeyfarm using a "live" version of the honeymole technology.  Our honeyfarm resembles Xuxian Jiang's Collapsar project.  
</p>
<p>
	We still haven't figured out how to use sebek correctly, so we use trojaned binaries, which seems to work pretty well.  (Trojaned binaries are a user-space stand-in for Sebek's kernel-level capture: easier to deploy, but an intruder who checksums the system binaries or brings statically linked tools of their own can spot or sidestep them.)  We still use our own custom-made reporting program similar to honeysnap that we call honey reports.  We still use the Flow Analysis Database for trend analysis and informational queries. 
</p>
<p>
	Our main goal this year was to ease the maintenance of the honeynet (so I can do my thesis work), and to expand our IP visibility through the use of distributed honeynet technologies.  During the winter sometime, we had to move our honeynet and it was down for over a month, our longest (by many orders of magnitude) outage since our honeynet started 5 years ago.
</p>

<h3>1.2  Activity timeline: Highlight attacks, compromises, and interesting
     information collected.</h3>

<p>
The records for reconstructing the timeline are offline at the time of this report.  Please tune in later.
</p>

<h2>2.0 FINDINGS</h2>
<h3>2.1  Highlight any unique findings, attacks, tools, or methods.</h3>
<p>
Nothing terribly exciting that we can recall.
</p>


<h3>2.2  Any trends seen in the past six months.</h3>
<p>
</p>

<h4>HTTP</h4>
<img src='images/honeynet/2007-03/http.png' width='600' />
<br/>
Massive Mambo scan a few weeks back.
<h4>SMB</h4>
<img src='images/honeynet/2007-03/smb.png' width='600' />
<br/>
We had an on campus attack last year and OIT opened the firewall to the honeynet this year allowing all the background traffic to come through.
<h4>SSH</h4>
<img src='images/honeynet/2007-03/ssh.png' width='600' />
<br/>
Stayin' strong, all day long.
<h4>1337</h4>

<img src='images/honeynet/2007-03/leet.png' width='600' />
<br/>
We're looking into this, but there are some interesting scans on this port.

<h3>2.3  What are you using for data analysis?  What is working well, and what is missing, what data analysis functionality would you like
to see developed?
</h3>
<p>
We are using our own custom tools for data analysis: HoneyReport, TrojanSSH, Flowtag.  Please see Section 4 for more details on our custom tools.
</p>

<h2>3.0 LESSONS LEARNED</h2>
<h3>3.1  What new positive things can you share with the community, so
     they can replicate your success?</h3>
<p>
We are continuing our work on visualization techniques to aid in honeynet maintenance, attack response, and data trend analysis.  To this work we have added an emphasis on post attack forensics and are developing tools that extend the functionality of existing forensic toolkits by providing more information about the events that have transpired on a honeypot.
</p>

<h3>3.2  What new mistakes can you share with the community, so they
     don't make the same mistakes?</h3>
<p>
<ol>
<li><b>Documentation</b></li>
Current documentation of our honeynet is stale, even our webpage is egregiously out-dated.  We need to develop standard procedures and protocols that are executed.

<li><b>Transition</b></li>
As our honeynet is deployed and maintained by graduate students, there exists a problem with transition in our environment.  When one graduate student ceases to act as the primary administrator of the honeynet the next graduate student to take on the responsibility should be acclimated to the honeynet environment and community.  We are in the process of developing guidelines that should be followed when the honeynet enters this period of transition.  These are necessary to ensure continued existence of our honeynet.
<li><b>Visibility</b></li>
Our honeynet has occupied the same IP range for some time.  This leads us to believe that there is a good chance of our honeynet being fingerprinted.  In an effort to gain more interesting attacks, we have started participating in GDH, the Distributed Honeynets project, and we are using Honeymole.  Also of interest is the LawnShark project that will be described more in section 4.
</ol>
</p>

<h3>3.3  Are there any research ideas you would like to see developed?</h3>

<p>
More HoneyClient technologies and data analysis techniques.
</p>


<h2>4.0 NEW TOOLS</h2>
<h3>4.1  What new tools or technology are you working on?</h3>
<div style='padding-left:1em;padding-right:1em;font-style: italic;'>
Current tools for forensic analysis require many hours to understand novel attacks, causing reports to be terse and untimely. We apply visual filtering and tagging of flows in a novel way to address the current limitations of post-attack analysis, reporting, and sharing. We discuss the benefits of visual filtering and tagging of network flows and introduce <a href='http://chrislee.dhs.org/pages/research/projects.html#flowtag'>FlowTag</a> as our prototype tool for the Honeynet researchers. We argue that online collaborative analysis benefits security researchers by organizing attacks, collaborating on analysis, forming attack databases for trend analysis, and in promoting new security research areas. Lastly, we show three attacks on the Georgia Tech Honeynet and describe the analysis process using FlowTag.</div>
<p>
Honeymole allows a computer to act as a front while acting only to forward traffic back and forth between the honeynet and the attacker.  This is done by using an encrypted tunnel to encapsulate ethernet, much like the distributed-honeynets project.  Chris Lee, of the Georgia Tech Honeynet, originated the idea to place honeymole onto a live CD, such that participants would only need to insert the CD during off-usage hours and traffic would be forwarded to the honeynet.  Specifically, for each mole, a virtual machine (honeypot) would be allocated at the honeynet honeymole server to actually participate in any inbound connections to the mole (because the mole forwards the traffic over the VPN to the honeypot).  This system allows rapid deployment into many IP spaces, highly-flexible allocation of vulnerable virtual machines, and centralized data collection and control.

</p>
<p>
	The second project builds upon a previously proposed project, Live Honeymole, to capture attacks happening on and within the Georgia Tech LAWN IP space.  The monitors will receive a Lawn IP and will use a special login provided by OIT (so they can track the nodes and they won't expire once I graduate or change my password), and redirect any traffic directed toward their IP to the honeynet using the Honeymole client.  Note that they will not be in promiscuous mode and will not see other people's traffic.  Since they forward all traffic addressed to their IP to the honeynet, the sensor hosts expose no services of their own on that address; what remains reachable is the Honeymole client and its tunnel, which still handle every forwarded packet, so the design reduces rather than eliminates the chance of a sensor being remotely compromised.   Since the LAWN is already considered outside the departmental IP space, we believe that no special mitigation mechanisms, outside our normal rate limiting, are required to reduce the risk to the network.
</p>

<h2>5.0 PAPERS AND PRESENTATIONS</h2>
<h3>5.1  Are you working any papers to be published, such as KYE or academic
     papers?</h3>
<p>None that we can talk about right now.</p>

<h3>5.2  Are you looking for any data or people to help with your papers?</h3>
<p>We would be happy to discuss ideas for possible publications.</p>

<h3>5.3  Where did you publish/present honeypot-related material?</h3>
<p>Christopher P. Lee presented "HoneyNet Technologies" at NoVA Sec in March.</p>
<p>
Published Paper:<br/>
C. P. Lee and J. A. Copeland. Flowtag: a collaborative attack-analysis, reporting, and sharing tool for security researchers. In Proceedings of the 3rd international Workshop on Visualization For Computer Security (Alexandria, Virginia, USA, November 03 - 03, 2006). VizSEC '06. ACM Press, New York, NY, 103-108. DOI= http://doi.acm.org/10.1145/1179576.1179597
</p>
<p>
Accepted Paper:<br/>
K. Fairbanks, C. P. Lee, Y. Xia, H. Owen III.
TimeKeeper: A Metadata Archiving Method for Honeypot Forensics.
Proceedings of the 2007 IEEE Workshop on Information Assurance.
United States Military Academy, West Point, NY 20-22 June 2007.
</p>

<h2>6.0 ORGANIZATIONAL</h2>

<h3>6.1  Changes in the structure of your organization.</h3>
<p>
Kevin Fairbanks will be transitioning to act as the lead of the Georgia Tech HoneyNet while Christopher Lee will be transitioning to a lesser role. Currently Christopher Lee is the primary honeynet administrator and Kevin Fairbanks is the assistant honeynet administrator and both are responsible for daily maintenance, status reports (including this one), communicating with other alliance members, recruiting researchers, and sharing results.  Julian Grizzard has graduated.
</p>

<h2>7.0 GOALS</h2>
<ol>
   <li>Automate Drive imaging</li>
   <li>Develop HoneyNet transition protocols</li>
   <li>Develop HoneyNet documentation protocols</li>

   <li>Further explore forensic tool development</li>
   <li>Deploy LawnShark Technology</li>
   <li>Deploy Live HoneyMole Technology</li>
</ol>

<h3>7.1  Which of your goals did you meet for the last six months?</h3>
None.

<h3>7.2  Which of your goals did you not meet for the last six months?</h3>
<ul>

  <li>We did not release any tools that we developed since the last report.</li>
  <li>We did not expand our low-interaction honeypot deployment</li>
</ul>

<h3>7.3  Goals for the next six months</h3>
<ol>
  <li>Better documentation practices</li>
  <li>Rapid archiving and deployment of high-interaction honeypot images</li>

  <li>Live Honeymole with SSL Redirection</li>
  <li>Getting Chris closer to graduation</li>
</ol>

</body>
</html>

/%
!__Research__
%/
!__Publications__
*Michael Nowatkowski and Henry Owen III, "Certificate Revocation List Distribution in ~VANETs Using Most Pieces Broadcast," Accepted, IEEE ~SoutheastCon 2010, ~Charlotte-Concord, NC.
*Michael Nowatkowski and Henry Owen III, "The Effects of Limited Lifetime Pseudonyms on Certificate Revocation List Size in VANETS," Accepted, IEEE ~SoutheastCon 2010, ~Charlotte-Concord, NC.
*M. Nowatkowski, J. Wolfgang, C. ~McManus, and H. Owen III, "[[Cooperative Certificate Revocation List Distribution Methods in VANETs|papers/Nowatkowski_CooperativeMethodsFinal.pdf]]," in ~AdHocNets Niagara Falls, Ontario, Canada: ICST, 2009.
Today is <<date link today "DDD, MMM DDth, YYYY">> 


!__Current Events__
''[[Michael  Nowatkowski]] accepted at ~SouthEastCon 2010!''
*"Certificate Revocation List Distribution in ~VANETs Using Most Pieces Broadcast"
*"The Effects of Limited Lifetime Pseudonyms on Certificate Revocation List Size in VANETS"

''Undergraduate Researcher Sean Sanders accepted at ~SouthEastCon2010!''
*"Visual Network Traffic Classification Using ~Multi-Dimensional Piecewise Polynomial Models"

''Congratulations to Joseph Benin on passing the ~PhD Preliminary Exam''

!__Recent Additions__
*New Undergraduate Research section added
*The lab welcomes new ~PhD student Joseph Benin

!__Past Events__

''[[Michael  Nowatkowski]] accepted at ~AdHocNets 2009!''
"Cooperative Certificate Revocation List Distribution Methods in ~VANETs" 
~AdHocNets Niagara Falls, Ontario, Canada: ICST, 2009. 

''[[Kevin Fairbanks]] accepted at the COMPSAC 2009 1st IEEE International Workshop on Computer Forensics in Software Engineering (CFSE 2009)!''
"A Method for Historical Ext3 Inode to Filename Translation on Honeypots"
COMPSAC 2009. CFSE 2009. Seattle, WA.
!__Overview__
It has been a busy quarter here in Atlanta. We participated in the University of California - Santa Barbara (UCSB) "Capture the Flag" Exercise held in December. We used ~Snort-Inline as a defensive measure. One of our teams placed third after two UCSB teams. It was a worthwhile experience.

Our focus here continues to be the use of a Honeynet to secure the campus network in addition to collecting rootkit research.
!__Current Setup__
GEN II Honeynet running a variety of ~OSs of interest. We continue to use live ~OSs as opposed to ~VMware or ~HoneyD.
!__Malicious Activity__
Detected 59 compromised Microsoft Windows computers within the campus network that attempted to connect to the Honeynet. Network Administrators responsible for these machines were contacted.

On 1 NOV 2003 a Honeynet machine running ~MS2K was compromised on campus by another Georgia Tech Machine via an RPC exploit. This compromised machine was then set up as an IRC bot. Follow-on investigation revealed that 26 campus computers were compromised in a similar fashion and were participating in this same IRC. A report on this incident prepared by Tim Jackson, a Georgia Tech College of Computing undergrad, is available on the web site for review.

On 2 DEC 2003 the Honeynet detected an off campus machine targeting tcp port 593 (the Microsoft RPC-over-HTTP endpoint mapper port) on the Honeynet with a MS RPC exploit. We could not find any reference to this exploit. Exploit code was turned over to campus network security personnel for analysis. 
!__1.0 Honeynet Deployments__
!!1.1 Current technologies deployed.
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to use live ~OSs instead of ~VMware or ~HoneyD. Here is the architecture of our current setup:

[img[images/arch.gif]]

We are using the Honeywall CD configuration and we conduct all monitoring of the honeynet on an analysis box that is separate from the Honeywall (bridge) machine. We continue to deploy a Darknet within our Honeynet. Our focus continues to be the use of the Honeynet to help secure the campus network. We have also expanded our focus to develop visualization tools in order to more efficiently and thoroughly analyze the data we are collecting.
!!1.2 Lessons learned from the technology, what you like about it.
Honeynets can be incorporated into an organization's network security plan to help secure the network. We work closely with Georgia Tech's Office of Information Technology to help secure the campus network. Activity seen on the honeynet can be used to index into other Intrusion Detection Systems that are deployed on campus.

We have also found honeynets to be very versatile. We have deployed various honeypots on our honeynet with ease. Further, we have conducted a range of research topics that use the honeynet data.
!!1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.
*The core collection and deployment technology is reasonably mature.
*Lacking a comprehensive data analysis framework. Work toward this end is underway, but it will take time before it matures.
*Lacking a honeypot inventory system. It would be nice to more easily keep track of exactly what honeypots are running over time. For example, a useful tool that could be built is a system snapshot tool. Running this tool on a newly installed honeypot would automatically generate a report containing the operating system, patch level, installed applications, etc and send this report to the honeywall.
!__2.0 Findings__
!!2.1 Number and type of systems compromised during six month period.
During this period we have deployed secured machines which have not been compromised. By secured, we mean patched with the latest updates.
!!2.2 Highlight any unique findings, attacks, tools, or methods.
We are currently using our darknet to conduct research into botnet traffic. This significantly increases the amount of traffic on the network, but is assisting one of our ~PhD. students in conducting botnet research.

We had 251 unique machines on the Georgia Tech campus that attempted to connect to the Honeynet between September 15, 2004 and March 23, 2005. (Because the Honeynet offers no legitimate service, these machines are assumed to be compromised or in use by a malicious person; the only expected benign sources are authorized campus scanners such as the campus IDS, which should be filtered out of the list before it is acted on.)

!!2.3 Any trends seen in the past six months.
*We have noticed an increase in the number of pop-up spam messages targeting Microsoft Windows based systems logged by the honeynet.
*We have deployed secured systems during this term and none of these systems have been compromised.
*Continue to see lots of lingering worm traffic.
!!2.4 Document data analysis tools and methods being used.
*We currently use perl scripts as our primary method of generating daily reports (sent to the Office of Information Technology) of Georgia Tech hosts that have attempted to connect to the honeynet. The perl scripts are also used for summary statistics. We use ethereal with various filters in order to investigate details in our logs.
*We have developed two visualization tools that we are currently using to help monitor the honeynet.
*We have continued development of several perl scripts to parse through the logs and generate plots of the data. (PCAP data is parsed and the extracted results are stored in an XML file. Plots are then generated from the XML data.)
*We have recently ported the NETI@home http://www.neti.gatech.edu code to run on previously logged pcap files. We now have the ability to generate NETI@home statistics for our honeynet and plot graphs based on these numbers.
!!2.5 For data analysis what tools work well, and what still needs to be developed.
Our visualization tool (still in an alpha stage) is extremely useful for quickly identifying network traffic that needs a more detailed analysis. We have just begun work on the visualization tool, but there appears to be great potential in building a tool that enables the analyst to more efficiently analyze the data.

Many of the analysis tools we have used in the past are focused on packet based analysis. We have recently found that flow based analysis can be a much better approach. The NETI@home code does a good job of dividing the packet stream into flows. Ethereal has an excellent understanding of protocols and is good if you know exactly which packets to investigate but has limited ability to divide the packets into flows.

!__3.0 Misc. Activities__
!!3.1 Presenting at conferences
*Julian Grizzard gave a presentation titled "Analyzing a Stack of Needles on the Georgia Tech Honeynet" at the CERCS Fall 2004 workshop.
*Julian Grizzard gave a presentation titled "Honeynet Research at Georgia Tech" at the GTISC Security Seminar.
*Julian Grizzard gave a presentation titled "Ethical Hacking" for an ~OIT-IS internal teaching course.
*Greg Conti presented "Countering Denial of Information Attacks with Network Visualization" at Interz0ne4 (http://www.interz0ne.com).
!!3.2 Developing, testing or releasing code
We have developed several perl scripts for data analysis. We have recently ported the NETI@home code to run on pcap files in order to conduct flow based analysis.

We continue to observe the honeynet data using a real-time network security visualization monitor being developed and refined by one of our ~PhD students, Greg Conti. The following diagram shows several screenshots from this tool.

[img[images/ip2port.gif]]

We also created a novel network traffic visualization system capable of both real-time and forensic data analysis. Combining the strength of link analysis using parallel coordinate plots with the time-sequence animation of scatter plots, we examine a 2D and 3D coordinated display that provides insight into both legitimate and malicious network activity. Our results indicate that analysts can rapidly examine network traffic and detect anomalies far more quickly than with manual tools. A snapshot of the tool showing compromise traffic on our honeynet is shown below.

[img[images/vistool.gif]]

!!3.3 Publication of papers
The following papers have been submitted to the IEEE Information Assurance Workshop at West Point, New York:
*"~Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization" by Sven Krasser, Gregory Conti, Julian Grizzard, Jeff Gribschaw, and Henry Owen.
*"Flow Based Observations from NETI@home and Honeynet Data" by Julian Grizzard, Charles R. Simpson, Jr., Sven Krasser, George Riley, and Henry Owen.
The following paper has been submitted to the Symposium on Usable Privacy and Security (SOUPS); July 2005:
*"Attacking Information Visualization System Usability: Overloading and Deceiving the Human;" by G. Conti, M. Ahamad and J. Stasko.
The following papers were published in the journals indicated:
*J. Levine, J. Grizzard, and H. Owen, "Using honeynets to protect large enterprise networks," in IEEE Security & Privacy, November/December 2004, pp. 73-75, vol. 2, no. 6.
*S. Krasser, J. Grizzard, H. Owen, and J. Levine, "The use of honeynets to increase computer network security and user awareness," in Journal of Security Education, pp. 23-37, vol. 1, no. 2/3.
!!3.4 Involvement in ~SotM challenges.
We have not participated.
!!3.5 Other
We have developed a honeynet continuity file for the Georgia Tech Honeynet. One of the challenges of a student run honeynet at an academic institute is that students (graduate and undergraduate) arrive and depart on a regular basis. For example, John Levine, who created the Georgia Tech Honeynet, graduated with a ~PhD in May 2004 and is now an instructor at West Point, and Julian Grizzard, who is currently in charge of the honeynet, expects to graduate with his ~PhD in 2005. We developed the continuity file to streamline the process of teaching new people how to run and monitor the honeynet, as well as serve as a source for lessons learned. The file includes configuration information, points of contact (internal and external), web sites of interest, logging information, and policy guidelines for monitoring our honeynet. We recommend a continuity file for any organization, but especially for academic institutes.

!__4.0 Organizational__
!!4.1 Changes in your structure of your organization.
No changes.
!__5.0 Lessons Learned__
!!5.1 What positive things can you share with the community, so they can replicate your success.
The Georgia Tech Honeynet is a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is likely from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.

Honeynets are also a great source of real-world data. Honeynets can be used to help educate and spread awareness to today's real-world security threats. We have used the results from our honeynet in many presentations in order to help spread security awareness to the community.
!!5.2 What mistakes can you share with the community, so they don't make the same mistakes.
Parsing through large data sets can be very time consuming. We need better tools that the community can use to make this analysis easier and more efficient. Do not underestimate how much time data analysis can take.

One of the goals we have had for our honeynet is to collect new exploits. After running a honeynet for nearly three years, we have seen very few new exploits. It is common for new honeynet administrators to have the goal of capturing new exploits. Although this may be one value of a honeynet, we have found that there are many other benefits that provide much more value such as using it as an Intrusion Detection System. We recommend that anyone considering running a honeynet should look at the different uses of a honeynet to determine their main purpose in running a honeynet.

!__6.0 Goals__
!!6.1 Plans/Goals for next six months.
*We have begun recent work on studying botnets. We intend to further pursue this work, increasing our collaboration with the German Honeypot Project.
*We intend to expand on our visualization work in order to add to the collection of tools used in analyzing honeynet data.
*We have started research in comparing regular end user traffic, NETI@home users, to malicious traffic, honeypots. We intend to continue forward with this research.
*We will continue to deploy more honeypots over the next six months in order to capture more compromises. We also have several research ideas that we will integrate with these honeypots.
!__1. Deployments__
!!''1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.''
We are running a GEN II Honeynet with a variety of ~OSs of interest. We are using the honeywall "roo" CDROM and conduct all monitoring of the honeynet on an analysis box that is separate from the honeywall (bridge) machine. We continue to maintain a Darknet within our honeynet and a majority of our real machines are high-interaction honeypots, although we are starting to experiment with low-interaction honeypots (nepenthes). We have one linux (~RH8) and two Win XP (w & w/o ~SP2) boxes.

Our focus is on using the honeynet as an intrusion detection tool to help secure the campus network and to promote visualization research. We aim to make management of the honeynet more scalable by providing real-time visualization1, daily report generation2, trend analysis3, and attack analysis tools4. Additionally, we have worked on a network capture (pcap) anonymization script5 that helps the administrator share data to promote further research.

   1. ~HoneyTrap, Rumint, ~SecVis, ~VisualFirewall
   2. ~HoneyReport, ~TrojanSSH
   3. FAD: Flow Analysis Database
   4. Rumint, ~SecVis
   5. ~PacketScrubber

!!1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.
During this last quarter, we observed only one successful compromise. Earlier this year (around mid February) one of our SSH honeypots was brute forced. The attacker installed a simple spam mailing script and tested it a couple of times before the compromise was detected and the host was cut off. The details of this attack will be released to the public at a later date.
!__2.0 Findings__
!!2.1 Highlight any unique findings, attacks, tools, or methods.
!!2.2 Any trends seen in the past six months.
Our most notable finding is that there has been a stark decrease in on-campus activity seen on the honeypots. We believe this trend (we are still investigating) is due to the partitioning of our campus network with separate firewalls, effectively separating us from the dorm networks and removing the more interesting attacks. Also, our Office of Information Technology (OIT), in alliance with our Residential Network Office (~ResNet), has deployed a START system that scans new machines as they register on the network before they are allowed normal access. OIT also actively scans the networks for known vulnerabilities.

We are also trying to perform long-term analysis, but haven't progressed far in our research yet. Here are some initial graphs to show flow counts over time. 
[img[images/http.png]]
[img[images/smb.png]]
[img[images/ssh.png]]
[img[images/WindowMessenger.png]]

!!2.3 What are you using for data analysis? What is working well, and what is missing, what data analysis functionality would you like to see developed?
We are using our own custom tools for data analysis: ~HoneyReport, ~SecVis, Rumint, ~TrojanSSH, FAD, and ~HoneyTrap. We will describe them in Section 4.

!__3.0 Lessons Learned__
!!3.1 What new positive things can you share with the community, so they can replicate your success?
We are working on new reporting and visualization techniques that will aid in maintaining a honeynet, responding to attacks, and analyzing trends in data. We are also working on packet anonymization.
!!3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
We have repeated this often, but documentation of the current state of our honeynet is constantly stale and is hard to keep updated. We want to think of ways that honeynet deployment is almost self-documenting.
!!3.3 Are there any research ideas you would like to see developed?
We are interested in continuing our research in reporting and visualization and we want to consider practices that are self-documenting, meaning that in the very act of doing our tasks, current documentation is kept.
!__4.0 New Tools__
!!4.1 What new tools or technology are you working on?
Data analysis is our primary focus. We are working on several projects to enable more real-time monitoring and daily report generation. Additionally, we are also developing a pcap file anonymization tool.

Our daily reporting tool is called ~HoneyReport. Our tool duplicates much of the functionality of ~HoneySnap, developed by the UK Honeynet Project, but has some additional functionality that we find useful. We believe that everyone's reporting needs are different and that making a generic tool that everyone would like may be difficult. With that in mind, our tool generates reports that are useful to our organization and may be useful to other organizations.

~HoneyReport parses pcap files to generate flow records and captures traffic from various protocols. The flow records are saved to a database for our FAD analysis later. Statistics are then run on the flow data to generate reports on top attackers, biggest flows, port hit counts, and other interesting data. The reports are generated as HTML documents and stored on our data processing box. The HTML is then rendered as a text document using "links", PGP encrypted, and sent via email to the honeynet administrators (encryption matters here because the reports contain attacker addresses and captured credentials). There are two other reports with different information that are sent to Georgia Tech's Office of Information Technology (OIT) for doing campus intrusion detection. An example ~HoneyReport report is provided with this status report.

We have written before about Greg Conti, Julian Grizzard, and Sven Krasser's work on Rumint and ~SecVis. These tools provide a real-time or forensic analysis visualization using parallel coordinate plots. A screenshot of ~SecVis is provided below. 

[img[images/secvis.jpg]]

We have been interested in getting information about keystrokes and logins via SSH. We originally tried to use the sebek client but found it was logging too much information. Instead, our solution was to simply trojan our version of SSH to log every password attempt and record each keystroke. Each login attempt sends the attacker IP, attempted username, and attempted password in a UDP packet to an unroutable address (so it doesn't leave the honeynet). The honeywall can then capture that information and present it in the ~HoneyReport report. Note that this telemetry is cleartext and unauthenticated: anyone with root on the compromised honeypot (or a sniffer on the honeynet segment) could observe or forge it, so it should be treated as an indicator rather than a trustworthy record, and the modified sshd itself is a fingerprint an attacker may notice. So far we have collected a few thousand login username/password pairs, including some interesting ones like harrypotter/harrypotter. Hopefully we can use this information later to discuss trends in password attempts (e.g., longer password attempts, more dictionary words). Successful logins generate a different record type in the UDP packet to alert the honeywall of a successful login (for fast reporting and reaction). A third packet type is used to send keystrokes. At a later date, we will present how to edit sshd to emit this information.

We are logging flows into our Flow Analysis Database (FAD) for performing long-term trend analysis. This database was used to generate the four flow count charts above. Currently there are about 3 1/2 million flow records in the database covering approximately the last 3 years. We are currently redesigning this tool to provide a richer repository of information and keep much more metadata about attackers such as traceroute, ping times, whois records, and country of origin. Because traceroute and ping are active probes that an attacker can observe, they should be sent from a host not associated with the honeynet's address space so they do not reveal that the target is monitored. We will use this to generate weekly, monthly, and yearly reports of honeynet activity. 

[img[images/CountryCounts_200602.png]]

We have just started research in a new real-time, passive visualization interface called ~HoneyTrap. This interface is meant to remain on the screen of a computer in the corner or on a secondary monitor. The administrator would simply glance at it periodically to see if new activity is spotted on the honeynet. This is a flash application that polls a web page that generates flash consumable data structures from an alarm database. The flash application continues to poll the webserver every five seconds to check for new alarms. We are working on a write up for this tool and will deliver a pre-publish copy to the Alliance. The rest of you must wait until we've published.

[img[images/HT_3.1_02.png]]

Our last tool is ~PacketScrubber, a pcap header and payload anonymization script. This script parses packets, maps the IP addresses using multimap techniques that are somewhat prefix-preserving, updates checksums, maps payload-embedded IP addresses, removes hostnames and NetBIOS share names, and offsets MAC addresses. Because prefix-preserving mappings retain network structure, and because payload fields we do not yet dissect may still carry identifying data, anonymized captures should still be handled as sensitive rather than assumed safe for unrestricted release. In trying to share this tool with other organizations, we have found, just like with reporting, that everyone's needs are different. We feel that we provide a lot of novel functionality that could easily be modified to suit different organizations' needs. We are working hard to provide a publicly releasable version of this tool.

!!4.2 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
We would like to release ~HoneyReport, ~HoneyTrap, and ~PacketScrubber and receive feature requests for future enhancement. We will enlist several undergraduate students to join us and help us enhance these tools and motivate them to future research.

We have learned that packet anonymization is a daunting task, but we are able to do a good 95% approach with our current methods. We would like to find developers to write ~NetPacket modules (in perl) to dissect more packet types. 
! __5.0 Papers and Presentations __
!!5.1 Are you working any papers to be published, such as KYE or academic papers?
We are currently in the first phase of writing a paper on ~HoneyTrap and hope to submit it to ~VizSec 2006.
!!5.2 Are you looking for any data or people to help with your papers?
We would be happy to discuss ideas for possible publications.
!!5.3 Where did you publish/present honeypot-related material?
Julian Grizzard presented "Visualizations for Honeynet Data Analysis" at the Department of Energy Honeynet Workshop in March.
Published paper:
G. Conti, K. Abdullah, J. Grizzard, J. Stasko, J. Copeland, and M. Ahamad, and C. Lee, "Countering Security Analyst and Network Administrator Overload Through Alert and Packet Visualization," IEEE Computer Graphics & Applications, March/April 2006, pp. 60-70, vol. 26, no. 2. 
!__6.0 Organizational__
!!6.1 Changes in the structure of your organization.
Christopher Lee is transitioning to lead of the Georgia Tech ~HoneyNet and will be responsible for daily maintenance, status reports (including this one), communicating with other alliance members, recruiting researchers, and sharing results. Julian Grizzard will graduate in May.
!!6.2 Your feedback on Alliance activities.
We are excited to see the new ways that we can communicate with other Alliance members, especially being able to communicate with new honeynet groups so as to expand our base of deployed honeynets. The internal website, SILC channel, mailing lists, and IRC channels are excellent for contacting other members, but it would be helpful to have more chatrooms for various purposes (e.g., not just Roo development). We would also like to see an emphasis on detecting and understanding botnets and phishing. The German Honeynet Project's work on the topic has been quite promising.
!!6.3 Any suggestions for improving the Alliance?
We see a lot of good improvements with the internal website, mailing lists, and IRC. We would like a general topic SILC channel along with several other specific topics such as analysis, visualization, and reporting.
!__7.0 Goals__
!!7.1 Which of your goals did you meet for the last six months?
*We developed an anonymization tool: ~PacketScrubber
*Developed ~HoneyReport, ~HoneyTrap, ~TrojanSSH, and FAD
*Successfully captured an SSH break in and spamming package
*Started generating new reports for OIT that they requested
!!7.2 Which of your goals did you not meet for the last six months?
*We did not release any tools that we developed since the last report.
!!7.3 Goals for the next six months
   1. Develop anonymization tools so that data can be publicly released
   2. Continue visualization work in real-time, daily, and long-term analysis
   3. Release tools: ~PacketScrubber, ~HoneyReport, and perhaps ~HoneyTrap
   4. Contribute to ~SotM
   5. Expand our low-interaction honeypot deployment
!__8.0 Misc. Activities__
!!8.1 Anything else not covered you would like to share.
!__Appendix A__
Example ~HoneyReport report. All data is representative.
<html>
<head>
  <meta content="text/html; charset=ISO-8859-1"
 http-equiv="content-type">
  <title></title>
</head>
<body style="color: rgb(0, 0, 0);" alink="#ee0000"
 link="#0000ee" vlink="#551a8b">
<br>
<div>
<div
 style="border: thin solid black; background: rgb(255, 255, 204) none repeat scroll 0%; -moz-background-clip: initial; -moz-background-origin: initial; -moz-background-inline-policy: initial;">
Honeynet Report for 20060411<br>Generated on 04/12/2006<br>Overall Throughput<br>In: 43537 packets, 89163776 bytes<br>Out: 37403 packets, 76601344 bytes<br>Flows inbound: 5021, Flows outbound: 0<br>data/20060411/pcap.20060411.1144713662 (20835456)<br>eb9b69993d9bf3ba7b5d65743229df79<br>Outbound Flows<br>Id Start Time Src IP Dst IP Src Port Dst Port Pkts Bytes<br>Packets vs. Time<br>^ | 50,000<br>* | 49,000<br>* | 48,000<br>* | 47,000<br>* | 46,000<br>* | 45,000<br>* | 44,000<br>* | 43,000<br>* | 42,000<br>* | 41,000<br>* | 40,000<br>* | 39,000<br>* | 38,000<br>* | 37,000<br>* | 36,000<br>* | 35,000<br>* | 34,000<br>* | 33,000<br>* | 32,000<br>* | 31,000<br>* | 30,000<br>* | 29,000<br>* | 28,000<br>* | 27,000<br>* | 26,000<br>* | 25,000<br>* | 24,000<br>* | 23,000<br>* | 22,000<br>* | 21,000<br>* | 20,000<br>* | 19,000<br>* | 18,000<br>* | 17,000<br>* | 16,000<br>* | 15,000<br>* | 14,000<br>* | 13,000<br>* | 12,000<br>* | 11,000<br>* | 10,000<br>* | 9,000<br>** | 8,000<br>** | 7,000<br>* ** | 6,000<br>* ** | 5,000<br>* ** | 4,000<br>* ** | 3,000<br>* ** *| 2,000<br>* ** *| 1,000<br>***** ** *** ************* *** *****************| 0,000<br>------------------------------------------------+<br>000000000000000000001111111111111111111122222222<br>001122334455667788990011223344556677889900112233<br>030303030303030303030303030303030303030303030303<br>000000000000000000000000000000000000000000000000<br>Top 10 Flows<br>Source IP Src Port Destination IP Dst Port Packets Bytes<br>58.251.33.172 40738 100.100.100.39 22 49 100352<br>58.251.33.172 58260 100.100.100.33 22 48 98304<br>58.251.33.172 39313 100.100.100.33 22 48 98304<br>58.251.33.172 54085 100.100.100.33 22 48 98304<br>58.251.33.172 53318 100.100.100.39 22 48 98304<br>58.251.33.172 42196 100.100.100.39 22 48 98304<br>58.251.33.172 43757 100.100.100.33 22 48 98304<br>58.251.33.172 50125 100.100.100.19 22 47 96256<br>216.57.7.90 34041 100.100.100.13 22 45 92160<br>58.251.33.172 43101 100.100.100.14 22 44 
90112<br>Managed IPs<br>Mananged IP Ports Date Hostname<br>Top Ten Offenders<br>Attacker IP Country Packets<br>58.251.33.172 - 69052<br>216.57.7.90 US 8355<br>140.247.94.201 US 600<br>210.103.124.7 KR 293<br>212.227.62.110 DE 290<br>204.16.208.114 - 268<br>80.168.22.243 GB 240<br>62.94.87.181 IT 178<br>125.188.163.49 - 160<br>67.90.90.10 US 157<br>204.16.208.75 - 154<br>204.16.208.106 - 141<br>Per Port Statistics<br>Proto Port Pkts Bytes<br>tcp 21 56 114688<br>tcp 22 77990 159723520<br>tcp 80 310 634880<br>tcp 113 124 253952<br>tcp 555 128 262144<br>tcp 697 79 161792<br>tcp 1021 122 249856<br>tcp 1532 114 233472<br>tcp 2100 138 282624<br>tcp 3128 2 4096<br>tcp 3306 157 321536<br>tcp 3372 94 192512<br>tcp 5900 278 569344<br>tcp 8080 4 8192<br>tcp 10000 240 491520<br>tcp 23241 112 229376<br>udp 2 7 14336<br>udp 1026 799 1636352<br>udp 1027 159 325632<br>udp 1030 4 8192<br>udp 1031 2 4096<br>udp 1032 2 4096<br>udp 1033 9 18432<br>udp 4321 3 6144<br>udp 4329 7 14336<br>HTTP Traffic URIs<br>Client IP Destination IP URL<br>60.208.212.1 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>60.208.217.95 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>60.208.219.17 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>60.216.176.56 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>62.94.87.181 100.100.100.43 HEAD /<br>218.56.240.198 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>218.56.243.116 100.100.100.43 GET http://hacker.org.ru/prxjdg.php<br>221.196.242.108 100.100.100.43 GET<br>http://www.proxygrade.com/proxygrade.php?hash=7D86E0933DFFEAF682CF812B<br>005099B04EBEAD5324EC<br>GET<br>http://www.proxygrade.com/proxygrade.php?hash=7D86E0933DFFEAF682CF812B<br>005099B04EBEAD5324EC<br>FTP Sessions<br>1144718479.532958: 84.173.189.8:2605 -&gt; 100.100.100.4:21<br>1144718479.543423: 84.173.189.8:2606 -&gt; 100.100.100.6:21<br>1144718479.545087: 84.173.189.8:2607 -&gt; 100.100.100.9:21<br>1144718479.546555: 84.173.189.8:2608 -&gt; 
100.100.100.11:21<br>1144718479.548001: 84.173.189.8:2609 -&gt; 100.100.100.17:21<br>1144718479.548956: 84.173.189.8:2610 -&gt; 100.100.100.18:21<br>1144718479.550266: 84.173.189.8:2611 -&gt; 100.100.100.19:21<br>1144718479.551426: 84.173.189.8:2612 -&gt; 100.100.100.27:21<br>1144718479.552802: 84.173.189.8:2613 -&gt; 100.100.100.28:21<br>1144718479.553749: 84.173.189.8:2614 -&gt; 100.100.100.31:21<br>1144718479.555584: 84.173.189.8:2615 -&gt; 100.100.100.32:21<br>1144718479.556792: 84.173.189.8:2616 -&gt; 100.100.100.37:21<br>1144718479.558209: 84.173.189.8:2617 -&gt; 100.100.100.38:21<br>1144718479.559980: 84.173.189.8:2618 -&gt; 100.100.100.39:21<br>Trojaned SSH<br>100.100.100.43<br>root:root<br>root:root123<br>root:password<br>root:!@#$%^&amp;*(<br>root:123456<br>root:root1234<br>root:antonio<br>root:root12345JJJJ<br>root:12345&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;&Atilde;&sup1;<br>news:news<br>news:news123<br>news:123456<br>news:12345""""""""<br>john:john<br>john:john123<br>john:12345--------<br>
</div>
<div id="msiehack2"></div>
</div>
</body>
</html>
!__Data Link Layer Security__
NSA is investigating architectural approaches to secure the data link layer (Layer 2) in wired local area networks. The main objectives of this research are to address the weak link between Layer 2 and the upper layers and to accommodate future network architectures.
!__Traffic Engineering/Quality of Service__
The objective of this research is to develop a multipath traffic engineering framework to deliver more equal shares of bandwidth to best-effort users as compared to the traditional shortest-path algorithm. In a multi-service capable network, some portion of the bandwidth is reserved for guaranteed services and the leftover portion is dedicated to best-effort service. This research examines the problem of traffic engineering for the remaining network bandwidth, which is utilized by best-effort traffic whose demands are not known a priori. This framework will make the limited available best-effort bandwidth more equitably shared by the best-effort flows over a wide range of demands. 
!__Re-establishing Trust in Compromised Hosts__
We are investigating approaches to automatically recover from compromises without the need to completely reinstall the system. An [[overview poster|self-healing-systems.pdf]] of this research is available. This research topic uses the [[Fiasco L4 microkernel|http://os.inf.tu-dresden.de/fiasco/]] as a secure foundation of integrity. You can find local L4 notes and more on the [[spine]] webpage.
!__Large-Scale Network Simulation for Security and Survivability Evaluation__
In a project conducted jointly with [[MANIACS|http://www.ece.gatech.edu/research/labs/MANIACS/]], NSA is researching large-scale simulations of critical Internet infrastructure, including DNS and BGP, using the [[Georgia Tech Network Simulator|http://www.ece.gatech.edu/research/labs/MANIACS/GTNetS/]].
!__Network Security Visualization__
NSA is investigating novel approaches to visualize network security data for intrusion detection and forensic analysis.
!Faculty
| [img[images/people/henry.jpg]]| [[Dr. Henry Owen|http://users.ece.gatech.edu/%7Eowen/]] - Professor |

!Current Students
| [img[images/people/kevin2.jpg]] | [[Kevin Fairbanks]] |
| [img[images/people/michael.jpg]] | [[Michael  Nowatkowski]] |
| [img[images/people/joseph_benin.jpg]] | Joseph Benin |

!Alumni
| [img[images/people/yuxi.jpg]] | [[Yu-Xi Lim]], Ph.D. |
| [img[images/people/ying.jpg]] | [[Ying Xia]], Ph.D. |
| [img[images/people/hayriye.jpg]] | [[Hayriye Altunbasak]], Ph.D. |
| [img[images/people/julian.jpg]] | [[Julian Grizzard]], Ph.D. [[Website|http://www.juliangrizzard.org]]|
| [img[images/people/jerapong.jpg]] | Jerapong Rojanarowan, Ph.D |
| [img[images/people/sven.jpg]] | [[Sven Krasser]], Ph.D. |
| [img[images/people/jeff.jpg]] | [[Jeff Gribschaw]] |
<html>
<head></head>
<body>
<h1>Journal Publications</h1>
<ul>

<li>Ying Xia, Kevin Fairbanks, Henry Owen. &quot; <a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">A Program Behavior
Matching Architecture for Probabilistic File System Forensics.</a>,&quot; accepted <i> ACM SIGOPS Operating Systems Review special issue on Computer Forensics.</i> Vol. 42, Iss. 3.  April 2008, pp 4-13.</li> 

<li>J. Levine, J. Grizzard, and H.Owen, &quot;<a href="papers/2006_levine_s&p.pdf">Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection</a>,&quot; in <i>IEEE Security & Privacy</i>, January/February 2006, pp. 24-32, vol. 4, no. 1. (<i>featured article</i>)</li>

<li>D. Barlow, V. Vassiliou, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;Traffic engineering based on local states in Internet protocol-based radio access networks,&quot; accepted <i>IEEE Journal of Communications and Networks</i>.</li>

<li>J. Levine, J. Grizzard, and H. Owen, &quot;<a href="papers/2004_levine_s&p.pdf">Using honeynets to protect large enterprise networks</a>,&quot; in <i>IEEE Security & Privacy</i>, November/December 2004, pp. 73-75, vol. 2, no. 6.</li>

<li>S. Krasser, J. Grizzard, H. Owen, and J. Levine, &quot;<a href="papers/use_of_honeynets.pdf">The use of honeynets to increase computer network security and user awareness</a>,&quot; in <i>Journal of Security Education</i>, pp. 23-37, vol. 1, no. 2/3.</li>

</ul>
<p>
<a 
href="http://users.ece.gatech.edu/~owen/Research/Journal%20Publications/journal_publications.htm">[more journal publications]</a>
</p>

<h1>Refereed Conference Publications</h1>
<ul>

<li>
Michael Nowatkowski and Henry Owen III, "Certificate Revocation List Distribution in VANETs Using Most Pieces Broadcast," Accepted, IEEE SoutheastCon 2010, Charlotte-Concord, NC.
</li>

<li>
Michael Nowatkowski and Henry Owen III, "The Effects of Limited Lifetime Pseudonyms on Certificate Revocation List Size in VANETS," Accepted, IEEE SoutheastCon 2010, Charlotte-Concord, NC.
</li>

<li>
Sean Sanders, Kevin Fairbanks, Sahitya Jampana, Henry Owen III, "Visual Network Traffic Classification Using Multi-Dimensional Piecewise Polynomial Models," Accepted, IEEE SoutheastCon 2010, Charlotte-Concord, NC.
</li>

<li>
M. Nowatkowski, J. Wolfgang, C. McManus, and H. Owen III, "<a href="papers/Nowatkowski_CooperativeMethodsFinal.pdf">Cooperative Certificate Revocation List Distribution Methods in VANETs</a>," in AdHocNets Niagara Falls, Ontario, Canada: ICST, 2009.
</li>

<li>
Kevin D. Fairbanks, Ying H. Xia, Henry L. Owen III, "<a href="papers/Fairbanks_COMPSAC_CFSE_2009.pdf">A Method for Historical Ext3 Inode to Filename Translation on Honeypots</a>," in Proc. 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 392-397, 2009.
</li>

<li>
Kevin Fairbanks, Kishore Atreya, Henry Owen. "<a href="papers/Fairbanks_IEEE_SouthEastCon_2009.pdf">BlackBerry IPD Parsing for Open Source Forensics.</a>" IEEE SoutheastCon 2009, Atlanta, GA, March 2009, pp. 195-199.
</li>

<li>
Ying Xia, Kevin Fairbanks, Henry Owen. "<a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">Visual Analysis of Program Flow Data with  Data Propagation.</a>" Proceedings of the 5th international workshop on Visualization for Computer Security.   Cambridge, MA.  September 2008, pp. 26-35.
</li>

<li>
Kevin D. Fairbanks, Christopher P. Lee, Ying H. Xia, Henry L. Owen III. "<a href="papers/Fairbanks_IAW07.pdf">TimeKeeper: A Metadata Archiving Method for Honeypot Forensics.</a>" 8th Annual IEEE SMC Information Assurance Workshop. West Point, NY. 20-22 June 2007.
</li>

<li>Xia, Y., Fairbanks, K., Owen, H. "<a href="papers/blackbox.pdf">Establishing trust in black-box programs.</a>" IEEE SoutheastCon 2007, March 2007, pp. 462-465.</li>

<li>Yu-Xi Lim and Henry Owen, "<a href="papers/secureservices.pdf">Secure wireless location services</a>," in Proceedings of IEEE SoutheastCon 2007, 22-25 Mar, 2007.</li>

<li>J. Grizzard and H. Owen, &quot;<a href="papers/2005_grizzard_iwcip.pdf">On a µ-kernel Based System Architecture Enabling Recovery from Rootkits</a>&quot;, accepted First IEEE International Workshop on Critical Infrastructure Protection, 2005.</li>

<li>J. Grizzard, C. Simpson, Jr., S. Krasser, H. Owen, and G. Riley, &quot;<a href="papers/2005_grizzard_iaw.pdf">Flow Based Observations from NETI@home and Honeynet Data</a>,&quot; in <i>Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop</i>, June 2005, pp. 244-251.</li>

<li>S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, &quot;<a href="papers/2005_krasser_iaw.pdf">Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization</a>,&quot; in <i>Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop</i>, June 2005, pp. 42-49.</li>
<li>S. Krasser, H. Owen, J. Sokol, H.-P. Huth, and J. Grimminger, &quot;Adaptive per-flow traffic engineering based on probe packet measurements,&quot; accepted <i>CNSR 2005</i>.</li>
<li>H. Altunbasak, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;Securing layer 2 in local area networks,&quot; accepted <i>IEEE ICN 2005</i>.</li>

<li>H. Altunbasak, S. Krasser, H. Owen, J. Sokol, J. Grimminger, and H.-P. Huth, &quot;Addressing the weak link between layer 2 and layer 3 in the Internet architecture,&quot; in <i>Proc. IEEE International Conference on Local Computer Networks</i>, Tampa, Florida, USA, pp. 417-418, November 2004.</li>
<li>J. Grizzard, J. Levine, and H. Owen, &quot;<a href="papers/2004_grizzard_esorics.pdf">Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table</a>,&quot; in <i>Proc. 9th European Symposium on Research in Computer Security</i>, September 2004, pp. 369-384.</li>

<li>D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen, &quot;<a href="papers/2004_dagon_raid.pdf">Honeystat: local worm detection using honeypots</a>,&quot; in <i>7th International Symposium on Recent Advances in Intrusion Detection</i>, Sophia Antipolis, France, September 2004.</li>

<li>J. Grizzard, S. Krasser, H. Owen, G. Conti, and E. Dodson, &quot;<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/Grizzard_NCA2004.pdf">Towards an approach for automatically repairing compromised network systems</a>,&quot; in <i>Proc. 3rd IEEE International Symposium on Network Computing and Applications</i>, Cambridge, Massachusetts, USA, pp. 389-392, August 2004.</li>
<li>J. Grizzard, E. Dodson, G. Conti, J. Levine, and H. Owen, &quot;<a href="grizzard_iaw2004.pdf">Towards a trusted immutable kernel extension (TIKE) for selfhealing systems: a virtual machine approach</a>,&quot; in <i>Proc. 5th IEEE Information Assurance Workshop</i>, June 2004, pp. 444-446.</li>

<li>J. Levine, J. Grizzard, and H. Owen, &quot;A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table,&quot; in <i>Proc. of Second IEEE International Information Assurance Workshop</i>, April 2004, pp. 107-125.</li>
<li>S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/krasser-secon04-c.pdf">Online traffic engineering and connection admission control based on path queue states</a>,&quot; in <i>Proc. IEEE SoutheastCon 2004</i>, Greensboro, North Carolina, USA, pp. 255-260, March 2004.</li>
<li>T. Jackson, J. Levine, J. Grizzard, and H. Owen, &quot;An investigation of a compromised host on a honeynet being used to increase the security of a large enterprise network,&quot; in <i>Proc. 5th IEEE Information Assurance Workshop</i>, March 2004, pp. 9-14.</li>

<li>J. Levine, J. Grizzard, and H. Owen, &quot;Application of a methodology to characterize rootkits retrieved from honeynets,&quot; in <i>Proc. 5th IEEE Information Assurance Workshop</i>, March 2004, pp. 15-21.</li>
<li>S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/sven_globecom2003.pdf">Probing available bandwidth in radio access networks</a>,&quot; in <i>Proc. IEEE Global Communications Conference 2003</i>, San Francisco, California, USA, vol. 6, pp. 3437-3441, December 2003.</li>
<li>S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/Krasser_ICON2003.pdf">Distributed bandwidth reservation by probing for available bandwidth</a>,&quot; in <i>Proc. IEEE International Conference on Networks 2003</i>, Sydney, Australia, pp. 443-448, September 2003.</li>

<li>S. Krasser, H. Owen, D. Barlow, J. Grimminger, H.-P. Huth, and J. Sokol, &quot;<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/lsfsb_ICT2003.pdf">Evaluation of the local state fair share bandwidth algorithm</a>,&quot; in <i>Proc. International Conference on Telecommunications 2003</i>, Papeete, French Polynesia, vol. 2, pp. 911-916, February 2003.</li>
</ul>
<p>
<a href="http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/conference_publications.htm">[more conference publications]</a>
</p>
<div id="msiehack2"></div>
</div>
</div>
</div>
</body>

</html>
!__Security Research__
!!The Georgia Tech Honeynet
NSA runs a honeynet in cooperation with the [[Honeynet Research Alliance|http://www.honeynet.org/alliance/index.html]]. More information can be found on our [[project webpage|The Georgia Tech Honeynet]].
!!Establishing Trust in black-box programs
Encrypted binaries are increasingly being used as a deterrent to software piracy as well as to vulnerability exploitation. The use of encrypted programs, however, raises additional security concerns, because users are unable to identify malicious behavior by monitoring the encrypted executables. This paper proposes a method to monitor encrypted programs that assures users that the black-box program on their system is not violating any security policy. Our approach is to embed a system call monitoring tool into the operating system that inspects system call content for suspicious behavior, or for the absence of expected behavior.

!__Forensics Research__
!![[TimeKeeper]]: A Metadata Archiving Method for Honeypot Forensics 
Internet attacks are becoming more advanced as the economy for cybercrime grows and the tools for evading detection become ubiquitous. To counter this threat, new detection and forensics tools are needed to capture these new techniques.  In this paper, we propose a method to extract and analyze a richer set of forensic information from the file system journal of honeypots in spite of anti-forensic tool use.  We show initial results of our journal monitoring prototype, ~TimeKeeper, of file system activities and argue that by detecting these events, we are able to capture previously unavailable forensic information.  This forensic information can then be used for system recovery, research on attack techniques, insight into attacker motives, and for criminal investigations.

!__Networking Research__
!!Secure wireless location services
Wireless Internet access is becoming increasingly pervasive, and likewise we increasingly expect to use this Internet access while "on the go." In such a scenario, where neither the service nor the users are constrained by simple physical boundaries, there needs to be a secure means of determining the location of the users and of using this information for purposes such as security or other location-based services that add value to the network. This talk proposes an architecture for such a secure location service, evaluates its feasibility and effectiveness, and compares it with existing insecure architectures.



You can also read more about [[past research|Past Research Projects]].

[img[images/nsa_logo3.png]]
http://www.tiddlywiki.com/
.viewer pre, .viewer code {
	color:#040;
	font-family:'lucida console',monospace;
	border-style:none;
        line-height:1.2em;
}


.viewer pre {
	padding:1em;
	font-size:90%;
	background-color:#f8f8f8;
}


/* this sort of makes Shorten Tab Links unnecessary */
/* div#sidebar { overflow:hidden;white-space: nowrap; } */

div#mainmenu hr {margin:0px;padding:0px;padding-top:10px;
  border-style:none;
  border-width:1px;
  border-color:#ccc;
  border-bottom-style:solid;
}
.viewer pre { font-size:75%; }
/* colour scheme begin */  
div#titleLine { background:#369;}
div#sidebarOptions { background:#696; }
div#sidebarOptions .button { color:#eef;}
div#sidebarOptions .button:hover { color:#fff; background:#252;}
div#mainmenu .tiddlyLink { font-weight:bold;color:#369;  }
div#mainmenu .tiddlyLink:hover { background:#369;color:white; }
div#mainmenu .button { fbackground:#363; font-weight:bold; color:#363; }
div#mainmenu .button:hover { background:#363;color:white; }
div.viewer a.tiddlyLink { color:#369; }
div.viewer a.tiddlyLink:hover { background:#acd; }
div.footer a.tiddlyLink { color:#369; }
div.footer a.tiddlyLink:hover { background:#acd; }
.editorFooter a.button, .tiddler .button { color: #369; background:#eee; }
.editorFooter a.button:hover, .tiddler .button:hover { color: #fff; background: #369; }
.editorFooter a.button:active, .tiddler .button:active { color: #fff; background: #369; }
.editorFooter a:link { color: #369; } 
#popup {color:#eee; background:#369;}
#popup a {color:#fff; background:#369; }
#popup a:hover {color:black; background:#eee;}
div.tabset {background:#696;}
a.tab {background:#369;}
#mainMenu .externalLink { color:#252; }
#mainMenu .externalLink:hover { color:white;background:#696; }
.tiddler .externalLink { color:#252; }
.tiddler .externalLink:visited { color:#252; }
.tiddler .externalLink:hover { color:#252;background:#ada; }
.viewer a:link { color: #252; } 
.viewer a:visited { color: #252; } 
.viewer a:hover { color:#252; background:#ada; }
#titleLine a {color:white;}
a.tabSelected {background:#369;font-weight:bold;}
#sidebarTabs {color: white;background-color: #69b;}
#sidebarTabs .tabSelected {color: white;background-color: #369;}
#sidebarTabs .tabUnselected                    {color: white;background-color: #369;}
#sidebarTabs .tabContents                       {background-color: #69c;}
#sidebarTabs .txtMoreTab .tabSelected      {background-color: #7ad;}
#sidebarTabs .txtMoreTab .tabUnselected   {background-color: #369;}
#sidebarTabs .txtMoreTab .tabContents      {background-color: #7ad;}
#sidebarTabs .txtMoreTab .tabset              {background-color: #69b;}
#sidebarTabs .tabContents .tiddlyLink         {color: #135;}
#sidebarTabs .tabContents .tiddlyLink:hover {background-color: #eee;color: black;}
#sidebarTabs .tabContents .button             {color: #eee;}
#sidebarTabs .tabContents .button:hover    {color: white;background-color: #252;}
/* colour scheme end */

#displayArea {
	margin-right: 15.5em;
	margin-left: 13em;
}

/* this works great in firefox but breaks something with ie. help?? */
/* .toolbar {  float:right; } */


.viewer h1,
.viewer h2,
.viewer h3,
.viewer h4,
.viewer h5 { font-family: 'Trebuchet MS', Arial, sans-serif; background:#f8f8f8;  }

.viewer h1 { font-size:1.2em; }
.viewer h2 { font-size:1.1em; }
.viewer h3 { font-size:1.0em; }
.viewer h4 { font-size:0.9em; }
.viewer h5 { font-size:0.8em; }

body {
  background:#eee;
}

div.tiddler {
  background:white;
  border-top:solid #ccc 2px;
  border-left:solid #ccc 2px;
  border-bottom:solid #aaa 2px;
  border-right:solid #aaa 2px;
  margin-bottom:5px;
  padding-bottom:10px;
}


div.title {
  font-family:'Trebuchet MS', Arial, sans-serif;
  font-size:150%;
}

div.editor input,
div.editor textarea {
 background:#ffe;
 border:solid #aa9 2px;
 margin:4px;
}


div.editor {
 font-size: 8pt;
 color: #402C74;
 font-weight: normal;
 padding: 10px 0;
}

.editor input, div.editor textarea {
 display: block;
 font: 13px/130% "Andale Mono", "Monaco", "Lucida Console", "Courier New", monospace;
 margin: 0 0 10px 0;
 border: 1px inset #333;
 padding: 2px 0;
}

.editor textarea{
 height: 500px !important;
}

}

@media print {
  div.tiddler {border:none white 0px; border-top:solid #bbb 1px;}
  div.tagged {border:none white 0px;}
  #titleLine { display:none; }
  #displayArea { margin-right: 0px; margin-left: 0px; }
  .toolbar { display:none; }
}


blockquote b{
 font-weight: normal;
}

blockquote:hover b{
 font-weight: bold;
}

#sidebar{
 width: 20em;
}





#mainMenu{
 position: static;
 width: auto;
 text-align: left;
}

#mainMenu, #mainMenu ul{
 margin: 0;
 padding: 0;
}

#mainMenu li{
display: inline;
margin: 0 .5em;
}

#mainMenu br{
 display: none;
}

#mainMenu a.button,#mainMenu a.tiddlyLink{
 color:#asd;
 padding: 3px;
}

#displayArea{
 margin: 0 19em 0 1em;
}

#sidebar .tabContents a.button:hover{
 background:#69c;
}

.tiddler{
-moz-border-radius: 10px;
}

.tab{
-moz-border-radius-topright: 6px;
-moz-border-radius-topleft: 6px;
}

.toolbar a.button{
-moz-border-radius: 3px;
}

.tabUnselected{
padding-bottom: 0;
}

#sidebarTabs .tabContents{
 width: 100%;
}

#sidebarTabs .tabSelected {
 color: white;
 background-color: #69c;
 padding: 4px 4px 2px 4px;
 cursor: default;
}

#mainMenu a{
-moz-border-radius-bottomright: 6px;
-moz-border-radius-bottomleft: 6px;
}

#mainMenu a.button:hover,#mainMenu a.tiddlyLink:hover{
 background: #369;
}

#messageArea{
 position: fixed;
 top: 5px;
 right: 10px;
 background:#ffe;
 border: 2px solid #aa9;
 color: #000;
}

#contentWrapper #messageArea a{
 color: #000;
 text-decoration: none;
}

#contentWrapper #messageArea a:hover{
 text-decoration: underline;
}

#titleLine{
 padding: 0 .5em;
}

#header{
 background-color: #2a537d;
 margin-bottom: 1em;
}
/*{{{*/
body {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}
/* Menubar Color */
a {color:[[ColorPalette::MenuBarColor]];}
a:hover {background-color:[[ColorPalette::SecondaryMid]]; color:[[ColorPalette::Background]];}
a img {border:0;}

h1,h2,h3,h4,h5,h6 {color:[[ColorPalette::SecondaryDark]]; background:transparent;}
h1 {border-bottom:2px solid [[ColorPalette::TertiaryLight]];}
h2,h3 {border-bottom:1px solid [[ColorPalette::TertiaryLight]];}

.button {color:[[ColorPalette::PrimaryDark]]; border:1px solid [[ColorPalette::Background]];}
.button:hover {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::SecondaryLight]]; border-color:[[ColorPalette::SecondaryMid]];}
.button:active {color:[[ColorPalette::Background]]; background:[[ColorPalette::SecondaryMid]]; border:1px solid [[ColorPalette::SecondaryDark]];}


.header {background:[[ColorPalette::PrimaryMid]];}
.headerShadow {color:[[ColorPalette::Foreground]];}
.headerShadow a {font-weight:normal; color:[[ColorPalette::Foreground]];}
.headerForeground {color:[[ColorPalette::Background]];}
.headerForeground a {font-weight:normal; color:[[ColorPalette::PrimaryPale]];}

.tabSelected{color:[[ColorPalette::PrimaryDark]];
	background:[[ColorPalette::TertiaryPale]];
	border-left:1px solid [[ColorPalette::TertiaryLight]];
	border-top:1px solid [[ColorPalette::TertiaryLight]];
	border-right:1px solid [[ColorPalette::TertiaryLight]];
}
.tabUnselected {color:[[ColorPalette::Background]]; background:[[ColorPalette::TertiaryMid]];}
.tabContents {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::TertiaryPale]]; border:1px solid [[ColorPalette::TertiaryLight]];}
.tabContents .button {border:0;}

#sidebar {}
#sidebarOptions input {border:1px solid [[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel {background:[[ColorPalette::PrimaryPale]];}
#sidebarOptions .sliderPanel a {border:none;color:[[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel a:hover {color:[[ColorPalette::Background]]; background:[[ColorPalette::PrimaryMid]];}
#sidebarOptions .sliderPanel a:active {color:[[ColorPalette::PrimaryMid]]; background:[[ColorPalette::Background]];}

.wizard {background:[[ColorPalette::PrimaryPale]]; border:1px solid [[ColorPalette::PrimaryMid]];}
.wizard h1 {color:[[ColorPalette::PrimaryDark]]; border:none;}
.wizard h2 {color:[[ColorPalette::Foreground]]; border:none;}
.wizardStep {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];
	border:1px solid [[ColorPalette::PrimaryMid]];}
.wizardStep.wizardStepDone {background:[[ColorPalette::TertiaryLight]];}
.wizardFooter {background:[[ColorPalette::PrimaryPale]];}
.wizardFooter .status {background:[[ColorPalette::PrimaryDark]]; color:[[ColorPalette::Background]];}
.wizard .button {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::SecondaryLight]]; border: 1px solid;
	border-color:[[ColorPalette::SecondaryPale]] [[ColorPalette::SecondaryDark]] [[ColorPalette::SecondaryDark]] [[ColorPalette::SecondaryPale]];}
.wizard .button:hover {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::Background]];}
.wizard .button:active {color:[[ColorPalette::Background]]; background:[[ColorPalette::Foreground]]; border: 1px solid;
	border-color:[[ColorPalette::PrimaryDark]] [[ColorPalette::PrimaryPale]] [[ColorPalette::PrimaryPale]] [[ColorPalette::PrimaryDark]];}

#messageArea {border:1px solid [[ColorPalette::SecondaryMid]]; background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]];}
#messageArea .button {color:[[ColorPalette::PrimaryMid]]; background:[[ColorPalette::SecondaryPale]]; border:none;}

.popupTiddler {background:[[ColorPalette::TertiaryPale]]; border:2px solid [[ColorPalette::TertiaryMid]];}

.popup {background:[[ColorPalette::TertiaryPale]]; color:[[ColorPalette::TertiaryDark]]; border-left:1px solid [[ColorPalette::TertiaryMid]]; border-top:1px solid [[ColorPalette::TertiaryMid]]; border-right:2px solid [[ColorPalette::TertiaryDark]]; border-bottom:2px solid [[ColorPalette::TertiaryDark]];}
.popup hr {color:[[ColorPalette::PrimaryDark]]; background:[[ColorPalette::PrimaryDark]]; border-bottom:1px;}
.popup li.disabled {color:[[ColorPalette::TertiaryMid]];}
.popup li a, .popup li a:visited {color:[[ColorPalette::Foreground]]; border: none;}
.popup li a:hover {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; border: none;}
.popup li a:active {background:[[ColorPalette::SecondaryPale]]; color:[[ColorPalette::Foreground]]; border: none;}
.popupHighlight {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}
.listBreak div {border-bottom:1px solid [[ColorPalette::TertiaryDark]];}

.tiddler .defaultCommand {font-weight:bold;}

.shadow .title {color:[[ColorPalette::TertiaryDark]];}

.title {color:[[ColorPalette::SecondaryDark]];}
.subtitle {color:[[ColorPalette::TertiaryDark]];}

.toolbar {color:[[ColorPalette::PrimaryMid]];}
.toolbar a {color:[[ColorPalette::TertiaryLight]];}
.selected .toolbar a {color:[[ColorPalette::TertiaryMid]];}
.selected .toolbar a:hover {color:[[ColorPalette::Foreground]];}

.tagging, .tagged {border:1px solid [[ColorPalette::TertiaryPale]]; background-color:[[ColorPalette::TertiaryPale]];}
.selected .tagging, .selected .tagged {background-color:[[ColorPalette::TertiaryLight]]; border:1px solid [[ColorPalette::TertiaryMid]];}
.tagging .listTitle, .tagged .listTitle {color:[[ColorPalette::PrimaryDark]];}
.tagging .button, .tagged .button {border:none;}

.footer {color:[[ColorPalette::TertiaryLight]];}
.selected .footer {color:[[ColorPalette::TertiaryMid]];}

.sparkline {background:[[ColorPalette::PrimaryPale]]; border:0;}
.sparktick {background:[[ColorPalette::PrimaryDark]];}

.error, .errorButton {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::Error]];}
.warning {color:[[ColorPalette::Foreground]]; background:[[ColorPalette::SecondaryPale]];}
.lowlight {background:[[ColorPalette::TertiaryLight]];}

.zoomer {background:none; color:[[ColorPalette::TertiaryMid]]; border:3px solid [[ColorPalette::TertiaryMid]];}

.imageLink, #displayArea .imageLink {background:transparent;}

.annotation {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; border:2px solid [[ColorPalette::SecondaryMid]];}

.viewer .listTitle {list-style-type:none; margin-left:-2em;}
.viewer .button {border:1px solid [[ColorPalette::SecondaryMid]];}
.viewer blockquote {border-left:3px solid [[ColorPalette::TertiaryDark]];}

.viewer table, table.twtable {border:2px solid [[ColorPalette::TertiaryDark]];}
.viewer th, .viewer thead td, .twtable th, .twtable thead td {background:[[ColorPalette::SecondaryMid]]; border:1px solid [[ColorPalette::TertiaryDark]]; color:[[ColorPalette::Background]];}
.viewer td, .viewer tr, .twtable td, .twtable tr {border:1px solid [[ColorPalette::TertiaryDark]];}

.viewer pre {border:1px solid [[ColorPalette::SecondaryLight]]; background:[[ColorPalette::SecondaryPale]];}
.viewer code {color:[[ColorPalette::SecondaryDark]];}
.viewer hr {border:0; border-top:dashed 1px [[ColorPalette::TertiaryDark]]; color:[[ColorPalette::TertiaryDark]];}

.highlight, .marked {background:[[ColorPalette::SecondaryLight]];}

.editor input {border:1px solid [[ColorPalette::PrimaryMid]];}
.editor textarea {border:1px solid [[ColorPalette::PrimaryMid]]; width:100%;}
.editorFooter {color:[[ColorPalette::TertiaryMid]];}

#backstageArea {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::TertiaryMid]];}
#backstageArea a {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::Background]]; border:none;}
#backstageArea a:hover {background:[[ColorPalette::SecondaryLight]]; color:[[ColorPalette::Foreground]]; }
#backstageArea a.backstageSelTab {background:[[ColorPalette::Background]]; color:[[ColorPalette::Foreground]];}
#backstageButton a {background:none; color:[[ColorPalette::Background]]; border:none;}
#backstageButton a:hover {background:[[ColorPalette::Foreground]]; color:[[ColorPalette::Background]]; border:none;}
#backstagePanel {background:[[ColorPalette::Background]]; border-color: [[ColorPalette::Background]] [[ColorPalette::TertiaryDark]] [[ColorPalette::TertiaryDark]] [[ColorPalette::TertiaryDark]];}
.backstagePanelFooter .button {border:none; color:[[ColorPalette::Background]];}
.backstagePanelFooter .button:hover {color:[[ColorPalette::Foreground]];}
#backstageCloak {background:[[ColorPalette::Foreground]]; opacity:0.6; filter:'alpha(opacity:60)';}
/*}}}*/
/*{{{*/
* html .tiddler {height:1%;}

body {font-size:.75em; font-family:arial,helvetica; margin:0; padding:0;}

h1,h2,h3,h4,h5,h6 {font-weight:bold; text-decoration:none;}
h1,h2,h3 {padding-bottom:1px; margin-top:1.2em;margin-bottom:0.3em;}
h4,h5,h6 {margin-top:1em;}
h1 {font-size:1.35em;}
h2 {font-size:1.25em;}
h3 {font-size:1.1em;}
h4 {font-size:1em;}
h5 {font-size:.9em;}

hr {height:1px;}

a {text-decoration:none;}

dt {font-weight:bold;}

ol {list-style-type:decimal;}
ol ol {list-style-type:lower-alpha;}
ol ol ol {list-style-type:lower-roman;}
ol ol ol ol {list-style-type:decimal;}
ol ol ol ol ol {list-style-type:lower-alpha;}
ol ol ol ol ol ol {list-style-type:lower-roman;}
ol ol ol ol ol ol ol {list-style-type:decimal;}

.txtOptionInput {width:11em;}

#contentWrapper .chkOptionInput {border:0;}

.externalLink {text-decoration:underline;}

.indent {margin-left:3em;}
.outdent {margin-left:3em; text-indent:-3em;}
code.escaped {white-space:nowrap;}

.tiddlyLinkExisting {font-weight:bold;}
.tiddlyLinkNonExisting {font-style:italic;}

/* the 'a' is required for IE, otherwise it renders the whole tiddler in bold */
a.tiddlyLinkNonExisting.shadow {font-weight:bold;}

#mainMenu .tiddlyLinkExisting,
	#mainMenu .tiddlyLinkNonExisting,
	#sidebarTabs .tiddlyLinkNonExisting {font-weight:normal; font-style:normal;}
#sidebarTabs .tiddlyLinkExisting {font-weight:bold; font-style:normal;}

.header {position:relative;}
.header a:hover {background:transparent;}
.headerShadow {position:relative; padding:4.5em 0em 1em 1em; left:-1px; top:-1px;}
.headerForeground {position:absolute; padding:4.5em 0em 1em 1em; left:0px; top:0px;}

.siteTitle {font-size:3em;}
.siteSubtitle {font-size:1.2em;}

#mainMenu {position:absolute; left:0; width:10em; text-align:right; line-height:1.6em; padding:1.5em 0.5em 0.5em 0.5em; font-size:1.1em;}

#sidebar {position:absolute; right:3px; width:16em; font-size:.9em;}
#sidebarOptions {padding-top:0.3em;}
#sidebarOptions a {margin:0em 0.2em; padding:0.2em 0.3em; display:block;}
#sidebarOptions input {margin:0.4em 0.5em;}
#sidebarOptions .sliderPanel {margin-left:1em; padding:0.5em; font-size:.85em;}
#sidebarOptions .sliderPanel a {font-weight:bold; display:inline; padding:0;}
#sidebarOptions .sliderPanel input {margin:0 0 .3em 0;}
#sidebarTabs .tabContents {width:15em; overflow:hidden;}

.wizard {padding:0.1em 1em 0em 2em;}
.wizard h1 {font-size:2em; font-weight:bold; background:none; padding:0em 0em 0em 0em; margin:0.4em 0em 0.2em 0em;}
.wizard h2 {font-size:1.2em; font-weight:bold; background:none; padding:0em 0em 0em 0em; margin:0.4em 0em 0.2em 0em;}
.wizardStep {padding:1em 1em 1em 1em;}
.wizard .button {margin:0.5em 0em 0em 0em; font-size:1.2em;}
.wizardFooter {padding:0.8em 0.4em 0.8em 0em;}
.wizardFooter .status {padding:0em 0.4em 0em 0.4em; margin-left:1em;}
.wizard .button {padding:0.1em 0.2em 0.1em 0.2em;}

#messageArea {position:fixed; top:2em; right:0em; margin:0.5em; padding:0.5em; z-index:2000; _position:absolute;}
.messageToolbar {display:block; text-align:right; padding:0.2em 0.2em 0.2em 0.2em;}
#messageArea a {text-decoration:underline;}

.tiddlerPopupButton {padding:0.2em 0.2em 0.2em 0.2em;}
.popupTiddler {position: absolute; z-index:300; padding:1em 1em 1em 1em; margin:0;}

.popup {position:absolute; z-index:300; font-size:.9em; padding:0; list-style:none; margin:0;}
.popup .popupMessage {padding:0.4em;}
.popup hr {display:block; height:1px; width:auto; padding:0; margin:0.2em 0em;}
.popup li.disabled {padding:0.4em;}
.popup li a {display:block; padding:0.4em; font-weight:normal; cursor:pointer;}
.listBreak {font-size:1px; line-height:1px;}
.listBreak div {margin:2px 0;}

.tabset {padding:1em 0em 0em 0.5em;}
.tab {margin:0em 0em 0em 0.25em; padding:2px;}
.tabContents {padding:0.5em;}
.tabContents ul, .tabContents ol {margin:0; padding:0;}
.txtMainTab .tabContents li {list-style:none;}
.tabContents li.listLink { margin-left:.75em;}

#contentWrapper {display:block;}
#splashScreen {display:none;}

#displayArea {margin:1em 17em 0em 14em;}

.toolbar {text-align:right; font-size:.9em;}

.tiddler {padding:1em 1em 0em 1em;}

.missing .viewer,.missing .title {font-style:italic;}

.title {font-size:1.6em; font-weight:bold;}

.missing .subtitle {display:none;}
.subtitle {font-size:1.1em;}

.tiddler .button {padding:0.2em 0.4em;}

.tagging {margin:0.5em 0.5em 0.5em 0; float:left; display:none;}
.isTag .tagging {display:block;}
.tagged {margin:0.5em; float:right;}
.tagging, .tagged {font-size:0.9em; padding:0.25em;}
.tagging ul, .tagged ul {list-style:none; margin:0.25em; padding:0;}
.tagClear {clear:both;}

.footer {font-size:.9em;}
.footer li {display:inline;}

.annotation {padding:0.5em; margin:0.5em;}

* html .viewer pre {width:99%; padding:0 0 1em 0;}
.viewer {line-height:1.4em; padding-top:0.5em;}
.viewer .button {margin:0em 0.25em; padding:0em 0.25em;}
.viewer blockquote {line-height:1.5em; padding-left:0.8em;margin-left:2.5em;}
.viewer ul, .viewer ol {margin-left:0.5em; padding-left:1.5em;}

.viewer table, table.twtable {border-collapse:collapse; margin:0.8em 1.0em;}
.viewer th, .viewer td, .viewer tr,.viewer caption,.twtable th, .twtable td, .twtable tr,.twtable caption {padding:3px;}
table.listView {font-size:0.85em; margin:0.8em 1.0em;}
table.listView th, table.listView td, table.listView tr {padding:0px 3px 0px 3px;}

.viewer pre {padding:0.5em; margin-left:0.5em; font-size:1.2em; line-height:1.4em; overflow:auto;}
.viewer code {font-size:1.2em; line-height:1.4em;}

.editor {font-size:1.1em;}
.editor input, .editor textarea {display:block; width:100%; font:inherit;}
.editorFooter {padding:0.25em 0em; font-size:.9em;}
.editorFooter .button {padding-top:0px; padding-bottom:0px;}

.fieldsetFix {border:0; padding:0; margin:1px 0px 1px 0px;}

.sparkline {line-height:1em;}
.sparktick {outline:0;}

.zoomer {font-size:1.1em; position:absolute; overflow:hidden;}
.zoomer div {padding:1em;}

* html #backstage {width:99%;}
* html #backstageArea {width:99%;}
#backstageArea {display:none; position:relative; overflow: hidden; z-index:150; padding:0.3em 0.5em 0.3em 0.5em;}
#backstageToolbar {position:relative;}
#backstageArea a {font-weight:bold; margin-left:0.5em; padding:0.3em 0.5em 0.3em 0.5em;}
#backstageButton {display:none; position:absolute; z-index:175; top:0em; right:0em;}
#backstageButton a {padding:0.1em 0.4em 0.1em 0.4em; margin:0.1em 0.1em 0.1em 0.1em;}
#backstage {position:relative; width:100%; z-index:50;}
#backstagePanel {display:none; z-index:100; position:absolute; margin:0em 3em 0em 3em; padding:1em 1em 1em 1em;}
.backstagePanelFooter {padding-top:0.2em; float:right;}
.backstagePanelFooter a {padding:0.2em 0.4em 0.2em 0.4em;}
#backstageCloak {display:none; z-index:20; position:absolute; width:100%; height:100px;}

.whenBackstage {display:none;}
.backstageVisible .whenBackstage {display:block;}
/*}}}*/
!__Publications__
!!Journal Publications
*D. Barlow, V. Vassiliou, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Traffic engineering based on local states in Internet protocol-based radio access networks," accepted IEEE Journal of Communications and Networks.
*S. Krasser, J. Grizzard, H. Owen, and J. Levine, "The use of honeynets to increase computer network security and user awareness," in Journal of Security Education, pp. 23-37, vol. 1, no. 2/3.
!!Conference Publications
* J. Grizzard, C. Simpson, Jr., S. Krasser, H. Owen, and G. Riley, "Flow Based Observations from NETI@home and Honeynet Data," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 244-251.
* S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, "~Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 42-49.
* S. Krasser, H. Owen, J. Sokol, H.-P. Huth, and J. Grimminger, "Adaptive per-flow traffic engineering based on probe packet measurements," accepted CNSR 2005.
* H. Altunbasak, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Securing layer 2 in local area networks," accepted IEEE ICN 2005.
* H. Altunbasak, S. Krasser, H. Owen, J. Sokol, J. Grimminger, and H.-P. Huth, "Addressing the weak link between layer 2 and layer 3 in the Internet architecture," in Proc. IEEE International Conference on Local Computer Networks, Tampa, Florida, USA, pp. 417-418, November 2004.
*J. Grizzard, S. Krasser, H. Owen, G. Conti, and E. Dodson, "Towards an approach for automatically repairing compromised network systems," in Proc. 3rd IEEE International Symposium on Network Computing and Applications, Cambridge, Massachusetts, USA, pp. 389-392, August 2004.
*S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Online traffic engineering and connection admission control based on path queue states," in Proc. IEEE ~SoutheastCon 2004, Greensboro, North Carolina, USA, pp. 255-260, March 2004.
*S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Probing available bandwidth in radio access networks," in Proc. IEEE Global Communications Conference 2003, San Francisco, California, USA, vol. 6, pp. 3437-3441, December 2003.
*S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Distributed bandwidth reservation by probing for available bandwidth," in Proc. IEEE International Conference on Networks 2003, Sydney, Australia, pp. 443-448, September 2003.
*S. Krasser, H. Owen, D. Barlow, J. Grimminger, H.-P. Huth, and J. Sokol, "Evaluation of the local state fair share bandwidth algorithm," in Proc. International Conference on Telecommunications 2003, Papeete, French Polynesia, vol. 2, pp. 911-916, February 2003.

IS410
Systems Analysis
IS420
Advanced Database
IS450
Web Programming I
Acct 201
Intro to Accounting
!Overview
In cooperation with the [[Honeynet Research Alliance|http://project.honeynet.org/alliance/]], students, faculty, and network administrators of the [[Georgia Institute of Technology|http://www.gatech.edu/]] are involved in a research project aimed at improving the security of the Georgia Tech campus network in addition to improving overall Internet security. We have established a network of honeypots (counterfeit hosts) known as a honeynet within the Georgia Tech IP address range. This honeynet is accessible from both the Internet and within the campus network and is subject to frequent intrusions and attacks. The honeynet has been established with monitoring capabilities to observe and record this intrusion and attack activity. The main objective of the Georgia Tech honeynet is to increase the overall security of the Georgia Tech campus network by observing the actions of would-be attackers of Georgia Tech systems. For more information on honeypots and honeynets, see the Honeynet Project's [[Know Your Enemy|http://www.honeynet.org/papers/]] series of papers.

!Related Publications
For a specific description of the employment of the honeynet on the Georgia Tech campus network, see the paper titled: "[[The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks|http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/honeynet_IAW2003.pdf]]" presented at the Fourth IEEE SMC Information Assurance Workshop at West Point, NY in June, 2003. More of our findings have been published in the scope of [[Know Your Enemy|http://www.honeynet.org/papers/honeynet/]] Whitepapers. In "[[Know Your Enemy: Honeynets in Universities|http://www.honeynet.org/papers/edu/]]," we share some of the experiences we had with deploying and running the honeynet on campus.

!Pcap Anonymization
We would like to share some of our logs with the community; however, in order to share the data, the logs must be anonymized. We have recently begun work on an anonymization project. Read about [[Honeynet Network Capture Anonymization]] for information on our anonymization techniques.

!Honeynet Reports
    * [[March 2006 – March 2007]]
    * [[October 2005 – March 2006]]
    * [[March 2005 – September 2005]]
    * [[October 2004 – March 2005]]
    * [[April 2004 – September 2004]]
    * [[January 2004 – March 2004]]
    * [[October 2003 – December 2003]]

!Intrusion Analysis
    * [[Intrusion Analysis November 2003]]
    * [[Intrusion Analysis September 2004]]

!More Resources
[[Honeynet Research at Georgia Tech|documents/honeynet_research.pdf]] — Presentation for the Security Seminar Spring 2005 by Julian Grizzard

!Contact
Contact Chris Lee (chrislee@gatech.edu) for any questions or comments.
!PI:  [[Kevin Fairbanks]]

TimeKeeper is an ongoing project involving the forensic analysis of honeypot file systems.  It enables inode data to be archived so that honeypot administrators can more accurately ascertain what has transpired.  TimeKeeper is not meant to act as a stand-alone agent in the logging of data, but to work as a piece of a forensic framework.

!Currently Supported File Systems
*Ext3
// //[[Alan Watson|http://www.alan-watson.org/]]
// //2 September 2005

// //Standard ~TiddlyWiki implicitly links ~WikiWords. This plugin changes that behaviour, causing ~WikiWords and ~WikiWordEscapes to be treated as normal text. You can still make explicit links to tiddlers using [ [ and ] ].

// //To use this plugin, copy this tiddler to your ~TiddlyWiki and tag it with systemConfig.

// //The code really is a bit of a hack. It would be cleaner to add a boolean option and a tiny bit of logic to Tiddler.prototype.changed and wikifyLinks. Instead, we change the ~WikiWord regular expression to use reversed ~BOMs, which should not appear in well-formed text.

{{{
// Swap the WikiWord pattern for two reversed BOMs (U+FFFE), which well-formed
// text never contains, so no WikiWord is ever matched again.
wikiNamePattern = "(\uFFFE)(\uFFFE)";
setupRegexp();
// Mark every stored tiddler as changed so it is reprocessed under the new pattern.
for (var t in store.tiddlers) {
   store.tiddlers[t].changed();
}
}}}
!Current Undergraduate Researchers
*''Research''
**Network Traffic Approximation and Analysis
**Computer networks have become a ubiquitous part of modern society.  As the spread of networks continues to increase, so do the various applications for the underlying technology. Thus, traffic classification has become and remains important to network administrators.  Networks are typically represented using discrete statistical models. Discrete statistical models are computationally expensive and utilize a significant amount of memory.  A continuous piecewise polynomial model is proposed to address the shortcomings of discrete models. This approach is beneficial because it utilizes little memory and yields more descriptive approximations than discrete flow statistics. Preliminary results demonstrate that multi-dimensional piecewise polynomial models can classify network traffic as web page, email, instant messaging, and video based on visual inspection. 
**Graduate Mentor: Kevin Fairbanks 

| ''Sean Sanders'' |  ''Sahitya Jampana'' |
| [[ORS Participant  | http://www.ece.gatech.edu/enrichment/ors/]] |  [[ORS Participant | http://www.ece.gatech.edu/enrichment/ors/]] |
| [img[images/people/sean_sanders.jpg]] | [img[images/people/sahitya_jampana.jpg]] |
| Fall 2008 - Spring 2010 | Fall 2009 - Spring 2010 |
*''Publications''
**Sean Sanders, Kevin Fairbanks, Sahitya Jampana, Henry Owen III, "Visual Network Traffic Classification Using ~Multi-Dimensional Piecewise Polynomial Models, " Accepted, IEEE ~SoutheastCon 2010, ~Charlotte-Concord, NC.
**Sean Sanders, "Network Forensic Analysis using Piecewise Polynomials", Accepted, [[The Tower:| http://gttower.org/ ]] The Undergraduate Research Journal of the Georgia Institute of Technology
*''Awards''
**Sean Sanders, President's Undergraduate Research Travel [[(PURA)|http://undergradresearch.gatech.edu/funding.php]] Award, Spring 2010 
**Sean Sanders, President's Undergraduate Research Award [[(PURA)|http://undergradresearch.gatech.edu/funding.php]],  Spring 2009 
**Sean Sanders, [[United Negro College Fund (UNCF) Google Scholarship | http://googleforstudents.blogspot.com/2009/08/announcing-our-2009-google-united-negro.html ]]

!Past Undergraduate Researchers
*''Research''
**~BlackBerry IPD Parsing with External Data Source Correlation and Visualization
**Abstract
**In this research, students studied the ~BlackBerry IPD file and developed a framework for parsing it to aid in open source forensics.  They further examined other information sources such as email client and instant messenger logs to determine whether this data could be retrieved and correlated with the IPD data to build a profile of a subject.  The final part of this project was to research methods to visualize the data that was gathered so that a non-technical user could understand the relationship between different objects such as names, phone number, email address, and various aliases.
**Graduate Mentor: Kevin Fairbanks

| ''Kishore Atreya'' | ''Kevin Martin'' |
| [img[images/people/kishore_atreya.jpg]] | [img[images/people/kevin_martin.png]] |
| Fall 2008 - Fall 2009 | Spring 2009 - Fall 2009 |

*''Publications''
**Kevin Fairbanks, Kishore Atreya, Henry Owen. [["BlackBerry IPD Parsing for Open Source Forensics"| papers/Fairbanks_IEEE_SouthEastCon_2009.pdf]] IEEE ~SouthEastCon 2009, Atlanta, GA, March 2009, pp. 195 - 199.
*''Awards''
**Kishore Atreya, President's Undergraduate Research Travel [[(PURA)|http://undergradresearch.gatech.edu/funding.php]] Award, Spring 2009 
/%
----
| !Geller Bedoya |
| [[ORS Participant  | http://www.ece.gatech.edu/enrichment/ors/]] |
| [img[images/people/mystery.jpg]] |
| ''Mentor:'' [[Kevin Fairbanks]] |
*''Research''
**Fall 2008 - Spring 2009
*''Awards''
**President's Undergraduate Research Award [[(PURA)|http://undergradresearch.gatech.edu/funding.php]],  Spring 2009 
%/
// //''Name:'' UntaggedTiddlers plugin
// //''Version:'' 0.1.0  (June 16, 2005)
// //''Author:'' SteveRumsby

// //''Code section:''
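// Plugin metadata. JavaScript Date months are zero-based, so June is 5;
// the original used 6, which is 16 July 2005 and disagrees with the
// "June 16, 2005" in the header above.
version.extensions.untaggedTiddlers = {
 major: 0,
 minor: 1,
 revision: 0,
 date: new Date(2005, 5, 16)
};

// Register "untagged" as a list type (presumably invoked as <<list untagged>>);
// the handler attached below supplies the titles.
config.macros.list["untagged"] = {prompt: "Tiddlers that are not tagged"};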

// List handler: return the sorted titles of every tiddler in the store whose
// tag string is empty. `params` is accepted for the list-handler signature
// but not used.
config.macros.list.untagged.handler = function(params)
{
 var untagged = [];
 for(var title in store.tiddlers) {
  if(store.tiddlers[title].getTags() != "")
   continue;
  untagged.push(title);
 }
 return untagged.sort();
}
[[Screen|http://www.linuxmanpages.com/man1/screen.1.php]] - Allows the multiplexing of a single tty terminal into multiple windows.
[[Screen Cheat Sheet|http://www.scribd.com/doc/353393/screen-cheat-sheet]]

[[XNEE|http://www.gnu.org/software/xnee/]] - A suite of programs that can record, replay, and distribute user actions under the X11 environment.
!__Research Topic__
Establishing Trust in Blackbox Programs:
The objective of this research is to develop a new method of program monitoring to overcome the encrypted nature of programs such as Skype and to present an architecture that allows users to develop trust with encrypted programs. Developing such a technique is important due to the increasing number of corrupted programs and computer viruses that are being spread over the Internet. If users have no method of observing program behavior during execution, then it is possible for compromised programs to perform malicious activity without their knowledge. Existing program monitoring techniques typically have some baseline assumptions that are no longer guaranteed by encrypted programs, such as the existence of behavioral patterns and the visibility of memory-resident program instruction code during execution. Thus, there exists the necessity for the development of an architecture specifically targeting the ability to monitor black-box programs. 

!__Publications__
*Kevin D. Fairbanks, Ying H. Xia, Henry L. Owen III, "<html><a href="papers/Fairbanks_COMPSAC_CFSE_2009.pdf">A Method for Historical Ext3 Inode to Filename Translation on Honeypots</a></html>," Computer Software and Applications Conference, Annual International, vol. 2, pp. 392-397, 2009 33rd Annual IEEE International Computer Software and Applications Conference, 2009.
*Ying Xia, Kevin Fairbanks, Henry Owen. "<html><a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">Visual Analysis of Program Flow Data with  Data Propagation.</a></html>" Proceedings of the 5th international workshop on Visualization for Computer Security.   Cambridge, MA.  September 2008, pp. 26-35.
*Ying Xia, Kevin Fairbanks, Henry Owen. "<html><a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">A Program Behavior
Matching Architecture for Probabilistic File System Forensics.</a>," accepted <i>ACM SIGOPS Operating Systems Review special issue on Computer Forensics.</i></html> Vol. 42, Iss. 3.  April 2008, pp. 4-13.
* Kevin D. Fairbanks, Christopher P. Lee, Ying H. Xia, Henry L. Owen III. “<html><a href ="papers/Fairbanks_IAW07.pdf">TimeKeeper: A Metadata Archiving Method for Honeypot Forensics.</a></html>” 8th Annual IEEE SMC Information Assurance Workshop. West Point, NY. 20-22 June 2007
* Xia, Y., Fairbanks, K., Owen, H. "<html><a href = "papers/blackbox.pdf">Establishing trust in black-box programs.</a>" SoutheastCon, </html>2007. IEEE, Vol., Iss., March 2007, pp. 462-465. 
!__Publications__
*~Yu-Xi Lim and Henry Owen, "Secure wireless location services," in Proceedings of IEEE ~SoutheastCon 2007, 22-25 Mar, 2007.
//Macro: newNote
//Author: Clint Checketts
//Version: 1.0 Sept 12, 2005

//usage: <<newNote "Note for IS 410" "IS410 Notes- Sept/07" Tag1 Tag2 OtherTag> >   
//example: < <newNote (button text) (title for the created tiddler) (default tags, unlimited) > >

// Plugin metadata (JavaScript Date months are zero-based: 8 is September).
version.extensions.newNote = {
    major: 0,
    minor: 1,
    revision: 0,
    date: new Date(2005,8,15)
};

// Macro definition; the handler is attached separately below.
config.macros.newNote = {
    label: "new note (this.label isn't used anymore)",
    prompt: "Create a new tiddler from the current date and time as title and tag"
};

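// <<newNote buttonText titleFormat tag1 tag2 ...>>: render a button that, when
// clicked, opens a new tiddler in edit mode. The title is the current date/time
// formatted with params[1] (presumably a TiddlyWiki date format string — see
// the usage comment above); params[2..] are written into the editor's tag box.
config.macros.newNote.handler = function(place,macroName,params)
{
    var now = new Date();
    var title = now.formatString(params[1].trim());
    var createNote = function() {
        displayTiddler(null,title,2,null,null,false,false);
        // The original cleared tagsBox.value before checking tagsBox for null,
        // which throws when the editor element is absent; guard first.
        var tagsBox = document.getElementById("editorTags" + title);
        if(tagsBox) {
            tagsBox.value = "";
            // Tags are only applied when the first tag argument is present,
            // matching the original behaviour.
            if(params[2]) {
                for(var i=2; i < params.length; i++) {
                    if(params[i]) tagsBox.value += " "+String.encodeTiddlyLink(params[i]);
                }
            }
        }
        var body = document.getElementById("editorBody" + title);
        if(body) {
            body.focus();
            body.select();
        }
    };
    createTiddlyButton(place,params[0],this.prompt,createNote);
}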
This is a random collection of L4 notes until we get enough content to organize.
!__Links__
*[[L4 Fiasco homepage|http://os.inf.tu-dresden.de/fiasco/]]
*[[L4 lecture slides|http://os.inf.tu-dresden.de/Studium/KMB/SS2004/]]
*[[L4Linux homepage|http://os.inf.tu-dresden.de/L4/LinuxOnL4/]]
*[[L4 system call C-bindings reference manual (L4 version 2)|http://os.inf.tu-dresden.de/l4env/doc/l4sys-l4v2/]]
*[[Subscribe to l4-hackers mailing list|http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers]]
*[[L4-hackers mail archive|http://os.inf.tu-dresden.de/pipermail/l4-hackers/]]
*[[Manpages for L4/x86 and Fiasco system calls and services|http://os.inf.tu-dresden.de/L4/l4man.html]]
*[[Manpage for Fiasco kernel|http://os.inf.tu-dresden.de/fiasco/man.html]]
*[[L4 Environment|http://os.inf.tu-dresden.de/l4env/]]
*[[Multiboot specification|http://orgs.man.ac.uk/documentation/grub/multiboot.html]]
*[[Linux System Calls|http://www.cs4nerds.com/school/resources/syscalls.htm]]
*[[Linux Source Code|http://lxr.linux.no]]
*[[Export of Sys Call Table|http://seclists.org/lists/linux-kernel/2002/Oct/1192.html]]
!__Installation Notes__
*[[20041021 Installation Notes for Hello World Example|20041021_l4_install.notes]]
*[[20050523 Installation Notes for Hello World Example|20050523_l4_install.notes]]
*[[20050629 Installation Notes for L4Linux-2.6|20050629_l4linux26_install.notes]]

!__20050706 Test Box Setup Notes__
# install debian from CD
# add sources to /etc/apt/sources.list 
##e.g.
##deb http://mirrors.kernel.org/debian/ sarge main
##deb http://mirrors.kernel.org/debian/ sarge contrib
##deb http://mirrors.kernel.org/debian/ sarge non-free
##deb-src http://mirrors.kernel.org/debian/ sarge main
##deb-src http://mirrors.kernel.org/debian/ sarge contrib
##deb-src http://mirrors.kernel.org/debian/ sarge non-free
##deb http://security.debian.org/ sarge/updates main
##deb http://security.debian.org/ sarge/updates contrib
##deb http://security.debian.org/ sarge/updates non-free
# apt-get install ssh
# setup public key:
##scp ~/.ssh/id_rsa.pub ${1}:
##ssh ${1} "mkdir -p .ssh && cat id_rsa.pub >>.ssh/authorized_keys"
##ssh ${1} "chmod og-rwx .ssh/authorized_keys"
##ssh ${1} "rm id_rsa.pub"
##WHERE ${1} is of the form @
#add development IP to /etc/hosts file
#apt-get install gcc-2.95 gcc binutils-doc cpp-doc make manpages-dev autoconf automake libtool flex bison gdb gcc-doc gcc-3.3-doc libc-dev libc6-dev libncurses5-dev gawk module-init-tools g++ python zlib1g zlib1g-dev latex latex2html transfig tetex-extra vim-full cvs
#cd /usr/bin
#rm gcc
#ln -s gcc-2.95 gcc
#scp grub from /group/logger/20050523_fiasco_cvs/grub
#cd grub
#./configure
#make
#make install
#/usr/local/sbin/grub-install /dev/hda1
!__RMGR Configuration Example - Limit ~L4Linux Memory__

__Contents of menu.lst file:__
title ~L4Linux
   root (hd0,0)
   kernel /boot/rmgr_mod -sigma0 -configfile
   modaddr 0x02000000
   module /boot/main -nokdb -nowait -serial -comport 1
   module /boot/sigma0
   module /boot/rmgr.cfg
   module /boot/vmlinuz.V2 no-scroll no-hlt l4irqack=linux root=/dev/hda1
__Contents of rmgr.cfg file:__
task modname "vmlinuz"
memory max 0x10000000 in [0, 0x10000000]

end
!__Directory/File Locations__
main kernel source
DIR: l4/kernel/fiasco/src/kern

interrupt descriptor table
FILE: l4/kernel/fiasco/src/kern/shared/idt.cpp

linux sys calls
FILE: l4linux-2.4/arch/l4/kernel/entry.S

L4 emulates syscalls
DIR: l4linux-2.4/arch/l4/emulib/

L4 emulates syscalls - main
FILE: l4linux-2.4/arch/l4/emulib/user.c
!__L4 ~APIs __
Notes from [[l4-hackers mailing archive|http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers]] (March 14, 2003):

There are currently three L4 ~APIs in more or less widespread use:
-//Version 2//, //Version X.0//, and //Version X.2// (aka, Version 4)
!!*Version 2
This is the original L4 API as implemented in Jochen's assembly kernels. The API supports 64-bit thread ~IDs with subfields containing (among other things) the thread no, task no, chief no, and version no.

The chief field of the thread ID is used for implementing the Clans & Chiefs security model. A thread within a Clan can only communicate with other threads within the Clan, or the Chief of the Clan. Any attempt to communicate with outside parties is automatically redirected to the Chief. The Chief is then used to enforce the communication security policies for the threads within its Clan.

Having large thread ~IDs also enables a relatively large number of threads/tasks to be created. However, the fixed number of bits allocated to thread numbers and task numbers still makes the scheme unsuitable for many purposes. (There can only be a fixed number of threads within a task. For most purposes this number is way too high; for other purposes the number of threads within a task is too low.) The fixed association of threads to tasks also makes it impossible to migrate a thread to another address space---an important operation for NUMA systems.

      The original Version 2 API is very ia32 specific. ~APIs for other architectures (e.g., MIPS and Alpha) have been ported to the Version 2 API in ad hoc ways.

      Fiasco implements the Version 2 API.
!!*Version X.0
This API was targeted at dealing with some of the problems experienced with the Version 2 API. The API is very similar to Version 2, the most notable differences being the 32 bit thread ~IDs and the lack of Clans & Chiefs.

The change in the thread ID came about because the Version 2 thread ~IDs were found to be unwieldy and inflexible. Reducing the ID to 32 bits freed up one register for other purposes and made thread ID handling more efficient. The freed-up register enabled the IPC ABI to use 50% more registers (i.e., 3 instead of 2) for register-only IPC transfer. This boosted performance for many common microkernel applications.

The Clans and Chiefs model of Version 2 was found to be way too inefficient for most purposes (the overhead of redirection was too great). The scheme is also inflexible since a thread is tied to a Chief for the complete lifetime of the thread (the Chief is specified in the thread ID). This prevents dynamically changing security policies from being implemented efficiently. With Version X.0 we experimented with other ways to deal with security policies. Most notable is a more flexible and efficient IPC redirection scheme (implemented in IBM internal versions of L4, not in Hazelnut).

It should be noted that the Version X.0 API was not meant to necessarily solve all the problems with the Version 2 API. Rather, the API was meant as an experimental, albeit very stable, test-bench (hence the X in the version number) to try out new ideas. It was merely meant as a step in the direction of what we envisioned the new improved next-generation microkernel API to look like. In particular, the API does not solve all the issues related to flexible and efficient security policy management.

      Hazelnut implements the Version X.0 API.
!!*Version X.2 (aka. Version 4)
This API aims at solving many of the problems we identified while working with the X.0 API. The task ~IDs are now completely separated from the thread ~IDs; task (address space) and thread management is separated. The memory management is more flexible. The IPC operation is more powerful and allows for medium and short size messages to be transferred more efficiently. There is support for multiprocessing, and the API enables better control over processor and system resources.

The most notable difference for the users of the new API is that there is now a clear separation between API and ABI. This makes Version X.2 (Version 4) compliant L4 applications much more portable.

Pistachio implements the Version X.2 API. Current architectures supported by Pistachio are: ia32, ia64, ~PowerPC, MIPS, and Alpha. The Version X.2 API is meant to eventually stabilize and become Version 4.

!__CVS Notes__

--Update repository:
cvs up -dP
!__Sys Call Locations__
[[L4Linux-2.4 System Call Locations]]

[[L4Linux-2.6 System Call Locations]]

[[L4Linux-2.4 System Calls]]
!__Rebooting Linux 2.6 Reboots System__

In l4linux-2.6/arch/l4/kernel/main.c --- main.c
+++ main.c
@ @ -36,6 +36,7 @ @
 #include
 #include
 #include
 +#include

 #include
 #include
@ @ -847,6 +848,7 @ @
     l4xi_linux_main_exit_recv(&main_id, &server_env);

        ~LOG_printf("Terminating ~L4Linux.\n");
 +    l4util_reboot();
        return 0;
 }
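Review bot: The added `l4util_reboot();` just before `return 0;` carries no comment saying why terminating L4Linux should reboot the whole machine rather than simply return, and the `return 0;` that follows is presumably unreachable if the reboot call does not return. A one-line comment such as `/* L4Linux termination reboots the system; the return below is not expected to run */` above the call would make the intent explicit. The `#include` added in the first hunk has lost its header name in this rendering, so a reader cannot verify from the page that it is the header declaring l4util_reboot. The enclosing function starts outside the hunk.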
!__Names Module__

include file: l4/pkg/names/include/libnames.h
*int names_register(const char* name);
*int names_register_thread_weak(const char* name, l4_threadid_t id);
*int names_unregister(const char* name);
*int names_unregister_thread(const char* name, l4_threadid_t id);
*int names_query_name(const char* name, l4_threadid_t* id);
*int names_query_id(const l4_threadid_t id, char* name, const int length);
*int names_waitfor_name(const char* name, l4_threadid_t* id, const int timeout);
*int names_query_nr(int nr, char* name, int length, l4_threadid_t *id);
*int names_unregister_task(l4_threadid_t tid);
*int names_dump(void);
!__L4Linux task with L4 IPC __
Good example of creating an ~L4Linux task that can do L4 IPC as well: l4/pkg/loader/examples/dump-l4/