Research Paper on Emerging Technologies

Introduction

A Case Study will be held as an academic symposium during midterms week to discuss various emerging technologies in the field of information security. Each group will be tasked to research a specified topic and to explore and answer key issues about the subject.

As its culminating activity, an academic paper in the required format will be submitted and a 15-minute presentation will be given to classmates and special faculty and industry guests. A question-and-answer session will follow the presentation.

Topics

  1. Security in Social Networking Sites
    1. Cite current issues pertaining to crimes/violations in social networking sites. Describe the usual scenarios.
    2. Show some statistics on social networking related crimes.
    3. What are the actions taken by social networking organizations and government agencies?
    4. How do you see the future of social networking sites? Future attacks and remedy?
  2. Mobile Malware
    1. Can mobile devices get infected by malware?
    2. State news about devices getting infected. What happens to these devices?
    3. Show statistics on mobile malware.
    4. Is there an initiative from AV companies and government about it?
    5. How do you prevent mobile devices from getting infected?
  3. Business Continuity Planning (BCP) for Disaster Prone Areas
    1. Cite news of business disruption due to a disaster and its effects on the business.
    2. Show statistics of business losses due to either natural or man-made disasters.
    3. Are there initiatives/laws that require businesses to have a BCP?
    4. Discuss usual business continuity planning and disaster management and recovery plans.
    5. Discuss any standard/template regarding BCP.
  4. Internet Surveillance
    1. Is Internet surveillance possible?
    2. What are ways to conduct Internet surveillance?
    3. What are limitations of current security capabilities?
    4. What are solutions for existing Internet surveillance?
  5. Cybercrime Laws and Issues (choose scope)
    1. Discuss current cybercrime laws. (if there are any)
    2. Discuss issues that warrant cybercrime laws. Prove that there is a need for these laws.
    3. Discuss limitations and or threats of these cybercrime laws.
    4. Discuss if there is a need for more laws.
  6. Security in Automated Controlled Vehicles
    1. What are automated controlled vehicles?
    2. Why is there a need for automated controlled vehicles?
    3. Research companies that are utilizing these types of vehicles.
    4. Research for news that show threats on automated controlled vehicles.
    5. Discuss solutions for automated controlled vehicles.
  7. Drones
    1. History on the implementation of drones.
    2. News and development on drones.
    3. What are positive and negative issues (factual) on drones?
    4. Do drones bypass due process?
    5. Do drones violate privacy and freedom?

Grading

The Case Study is 10% of your final grade.

Group Grade is 70% (to be given by the professor)

Individual Grade is 30% (to be given by the group leader; leader gets 100% in the individual grade)

Criteria

Content (Paper) – 50%

Is the paper complete and comprehensive?

Mastery – 30%

Is the group knowledgeable on the topic?

Did the group have the ability to analyze related real-world problems?

Did the group answer the related questions?

Delivery – 10%

Did the group communicate the message properly?

Presentation – 10%

Did the presentation contain creative and comprehensible visuals?

Required Sections in the Paper

Section – Description

Abstract – Your abstract is a summary of your case study of at most 200 words. It briefly describes your topic and what you intend to research further. You are establishing the boundaries of your study in the abstract.

Introduction – The introduction is an overview of the topic of at most 300 words. This means you need to discuss the current technology of your topic. Discuss the features, benefits and limitations of the current technology.

Problem Statement – Based on your introduction, you have to establish your problem statement. What are the problems or issues that the current technology is facing? You have to state them piece by piece and justify why each has to be resolved.

Results and Discussion – Research and establish solutions for the problems identified in the problem statement. Explain the processes and procedures of the solutions you recommend and how they can be carried out.

Conclusion and Recommendation – Provide a conclusion of the case study you have conducted. Based on your study, will your solutions be helpful in resolving the issues in the problem statement? Give recommendations that can be further investigated and researched in the future to strengthen your study. Make sure the recommendation is outside the scope of your study.

References – List all the references for your case study. You need to follow the IEEE reference format. For your guidance, you need to have at least:

Five (5) technical references related to the topic (journal, scientific publication, conference proceeding)

Five (5) news article references related to the topic (newspaper, magazine)

Three (3) books related to the topic.

Note: Never plagiarize. It’s equivalent to cheating.

Format of paper: MSW_A4_format

For the presentation:
1. Create a presentation of your paper. It should be a summary of all sections: Abstract, Introduction, Problem Statement, Discussion, Conclusion.
2. Follow the 6×6 rule. Each slide should have a maximum of 6 bullet points with a maximum of 6 words per bullet point.
3. Use interesting font/colors. Use images that will help explain your paper.
4. Everybody should have a part in the presentation.
5. You have 15 minutes to present your paper followed by Q&A.
6. Wear business attire for the presentation.

Deliverable:
1. Send a PDF copy of your final paper and PPT presentation to justinp@apc.edu.ph & pineda.justin@rocketmail.com with Subject- Case Study Final Deliverable – (Case topic) by Group (Group Name)
2. Print a hard copy of the paper.
3. Submit (1) & (2) requirements before the class.

Sample papers:

On Social Networking: Online Peers Can Mean Offline Perils; Online Peers Can Mean Offline Perils-Presentation

On Mobile Malware: Prevalence of Malware in Mobiles (1); Prevalence of Malware in Mobiles

On Internet Surveillance: Internet Surveilance by Team ZAFT_present; Internet Surveilance by Team ZAFT draft 4

On Social Networking: Using Facebook in TOR, INFOSEC PDF

On Internet Surveillance: Internet Surveillance

On Drones: Drones Case Study (1), Drones

On Cybercrime Law: Revised-Cybercrime

On Mobile Malware: Mobile-Malware-A-Case-Study-in-Information-Security-1

Is there really value in an IT Certification?

What is the real validation that you are knowledgeable in a field you’re claiming to be an expert in? Expert is a very dangerous and overrated term and is usually lambasted by PowerPoint consultants. I agree that experience is the best teacher, but it becomes helpful if the experience is ‘fruitful’. I had a conversation with a former colleague of mine who told me that it doesn’t matter if you have 10 years of experience if the function is just the same. You become knowledgeable about this specific work in the first year and repeat it in the next 9 years. Is that 10-year experience then significant? Or does this experience only have the same weight as that of an employee in their second year doing the same job?

There is a perpetual debate whether there is value in an IT certification. Some say that certification validates your knowledge of the subject matter while others say that it is just a marketing strategy of vendors. Some say that you can pass certification by just memorizing stuff or worse, cheat to pass. However, I think we have to put into perspective the reason why these certifications are created.

I think the reasons why certifications exist are to standardize, validate and educate. Now, I know for a fact that nothing beats experience. This fact is invalidated, however, if you just ping the servers, assign IPs to computers and create an Excel report using a pivot table for the next 20 years. Certification is a qualification. If you say in an HR interview, “I’m an expert in database management,” but you don’t have any certification to support that, then how can you back up this assertion? Probably you will answer, “My peers, friends, and parents can vouch for me.” Unfortunately, HR won’t take your parents’ word for your skill; they need something objective. Looking at it from the other side, the good question could be, “If you are good in databases, why don’t you just take a DB2 exam to validate it?”

Lastly, I think certifications try to cover all the topics, not just some points you’re expert in. Because it is a standard, it teaches you how to, for example, program properly and efficiently. It teaches you other techniques that you may not have known or tried yet.
Experience and certification complement each other. However, you cannot discredit the benefits of having a certification. Similarly, most IT jobs require that you are a graduate of a 4-year course. That is the first qualification. Regardless of whether you have 10 years of experience, you need to be a graduate to be qualified. It might just be a piece of paper, but that is the qualification.

I encourage my students in college to take certification exams as early as possible if they think they are ready and prepared. This helps them build their confidence and portfolio. Once they graduate, probably tens of thousands of IT graduates will be competing for jobs available. How will you stand out if you’re competing with students from top schools or those who graduated with honors? I strongly believe certifications will be of great value.

Admittedly, I had horrible experiences with “certified professionals” who were incompetent in their areas of expertise. I had an experience where I asked what protocol ICMP (ping) is and he insisted that it uses TCP. He was a Cisco Certified Network Professional (an intermediate certification). Of course, he didn’t get the job. But these scenarios happen in different venues. In the academe, there are Ph.D.’s who ironically don’t know how to cite sources properly. I mean, there are good and bad apples. At the end of the day, the first question is, are you qualified? And the second is, can you verify that you are qualified?

It’s like, you claim you know how to drive because you know how to drive. But no matter how good your driving skills are, you cannot drive without a license.

Similarly… some very bad drivers have licenses.

Vulnerability Scanning & Risk Mitigation Project

In INFOSEC, the focus of the discussion is a bird’s eye view of the different domains of information security. More importantly, the curriculum follows the CompTIA Security+ lessons. The final project’s objective is to explore security tools and software such as firewalls, IDS and honeypots, and to demonstrate their functionality through test scenarios.

For COMSEC1, the focus shifts into a more specific topic on ethical hacking. The course discusses the steps on ethical hacking and its importance. For the final project, students are required to conduct a static code analysis and vulnerability scan in an existing project and fix the risks to an acceptable risk level.

Some of the projects include:

Web application – Web_COMSEC1

Mobile application – Mobile_COMSEC1

Information Security & Ethical Hacking 101 @ PATTS

Last July 31, 2015, I gave a talk about Information Security and Ethical Hacking basics at PATTS College of Aeronautics in Paranaque City. It was quite challenging because the audience was not familiar with IT concepts.

I started by showing them local news about hacking data in banks. Then I established the need for the information security field. I discussed the core concepts of information security.

I also talked about the steps in ethical hacking and the reason why it has to be conducted routinely. Lastly, I stressed the need for a cybercrime law that will protect our data handled by third-party organizations.

The presentation I used and created can be found here: PATTS_Infosec&EthicalHacking101

Special thanks to Prof. Diana Lachica for inviting me to their campus. 🙂

Photo Credit: Ashley Dy


PCI-DSS and Vulnerability Management

Last August 1, 2015, I presented about a known security standard for credit cards. The Payment Card Industry Data Security Standard (PCI-DSS) is a standard used to protect data of merchants and banks that utilize the credit card facility.

There are 12 requirements of PCI-DSS. I focused my presentation on the vulnerability management side since I handled the vulnerability assessment (VA) in my previous work.

For the demo, I used the trial version of the Acunetix vulnerability scanner. I used the test website and verified one of the vulnerabilities (sending data in cleartext) by exploiting it with Wireshark.

My presentation can be found here: PCI_MSORMAN.

Detecting Command and Control Traffic Using Botnet Correlator Module

Last June 8, 2015, I presented a paper entitled “Detecting Command and Control Traffic Using Botnet Correlator Module” in Kuala Lumpur, Malaysia. The paper was a product of a project in APC together with my students in INFOSEC. The trip was entirely sponsored by the school (thank you so much!) and the experience was very unforgettable.

Going to Kuala Lumpur

I rode a Cebu Pacific plane to Malaysia last Jun 7 from NAIA Terminal 3. As usual, the airport was jam-packed with people. The flight was around 4 hours long and arrived at KLIA2. I then rode an express train (a 20-minute ride) to downtown KL.

I met my former officemate in the Philippines who is already working in KL. He toured me around KL (Petronas, Jalon Alor) and brought me to the hotel, Melia Hotel.

With Ashley Dy in front of the Petronas Towers (thanks Alfred for the picture)

Conference Day

It’s a good thing that the school booked the hotel where the conference was held. The parallel sessions started at 8am. It was my first time to present at an international conference and I was very nervous. The presenters were mostly Muslims coming from Malaysia, Indonesia, India and other neighboring countries. The participants were very friendly and excited too. I met 2 other professors from the Philippines, Terry from UP-Diliman and Marylene from MUST in Mindanao.

With Terry from UP-Diliman (leftmost ) and Ederlyn from MUST (2nd from the right) after the presentation.

I attended and listened to the keynote presentation of Dr. Rozhan Mohammed Idrus who discussed about “IT Education and Its Impact to the Society.” He coined the term, “technogogy” which means blending in of technology to the teaching pedagogy. In essence, Dr. Idrus pointed out that teachers and the curriculum must be able to adapt with the technological advances in today’s world.

My presentation was scheduled in the afternoon. The paper is an applied research on how to detect Botnet traffic in a Local Area Network (LAN) using Snort and aggregated reputable Botnet sources.

The presentation lasted for 10 minutes. The PDF presentation can be found in this link: BCM_Presentation.


I went to fetch my girlfriend at Pavilion Mall and ate dinner there. We rode Uber to another mall outside KL called Publika.

Last day in KL, walking around the city

Our third and last day in Malaysia was spent touring around the city by foot. We went to Mydin, where wholesale products are sold. We bought a lot of Cadbury and other chocolates. The place was not very classy though. We walked to Low Yat, a technology/gadgets mall. We then walked to the KLCC area and visited Kinokuniya. We checked out then rode Uber to the train station going to KLIA2.

Uber ride to Ritz Carlton

Over-all experience

I heard a lot of negative stories about Malaysia (dangerous at night, a lot of street clubs, ill-mannered taxi drivers, snatchers riding motorcycles etc.) but I didn’t experience any of those. Maybe things have already changed? Or I’m just used to living in a similar environment in the Philippines? I don’t know. The experience was great. Their express train is very convenient and spacious. The establishments offer items both expensive and cheap depending on your budget.

Infosec books at Kinokuniya

Since I did not want to experience the horror stories in the taxi, I always used Uber for the transpo around the area. Malaysia has more Uber cars compared to the Philippines.

In terms of value for money, I can say your money has a big value in their country.

NETWORKING 101

By Justin Pineda

This article is created to serve as an introduction to basic networking concepts. This involves some discussion about the Internet, network devices, how they work and the like. We will also talk about some technical concepts so that we can better understand the networking process (i.e. how data is transmitted over the network).

Introduction

In today’s world, the Internet plays a vital role in communication. Everything became easier because of the Internet. Distance is not a barrier anymore. Before the arrival of the Internet, the popular modes of communication to far places required time, like sending a letter by mail for example. Now, it’s just a click away through e-mail. We can also talk to our friends in real time through Instant Messenger (IM). Now, do you know how data is transmitted to your friend when you chat?

A normal flow of communication contains a sender, a receiver and a channel. This also applies to a network. But of course, aside from the humans, devices also play their role. When you chat, for example, the data is translated into a series of numbers which we call binary numbers (1 & 0) so that it can be understood by the computer and sent through the proper channel. The conversion of these messages to binary numbers happens through layers and network protocols.

Elements of a Network

As mentioned, the communication process for computer networking remains the same. What we need to understand now are things that make up the communication for computer networking. There are four elements:

1. Rules

Like when sending snail mail to a friend, there are procedures on how to send it successfully. This includes putting it in an envelope, writing the addresses of both the sender and the receiver on the back of the envelope and putting stamps on it. This is the same with networking, where rules, technically termed protocols, define how the data is sent.

2. Message

The message is the actual data itself. It is the file that you sent through email. It is the video you are waiting to view on YouTube. It is the message in the letter you sent. This is self-explanatory.

3. Medium

The medium is the element that says in what way the message is sent. For example in networking, in a typical Local Area Network (LAN), standard workstations are connected through a cable (a straight-through cable to be exact) while laptops/netbooks connect via Wi-Fi (Wireless Fidelity).

4. Device

Of course, the device is an essential element as well. Different devices have their own roles. Computers are used by the end users; these are connected to a switch, and data is transmitted by a router to another network.

These elements comprise the network. We will take a look at each element and give more details to each one of them.

Network Architecture

If you are tasked to create a network, what will your basis be? Will you just buy workstations and connect them in a switch? There are concepts you need to consider in order to build a good network. You need to design your network based on the following key factors:

1. Fault Tolerance

In creating a network, you shouldn’t think only of an ideal scenario where everything is all right. You have to think of possible problems which your network might encounter. For example, you connect all your workstations to one switch. You find it very easy to do, set up and configure. But what happens if the switch goes down? Then your network will go down as well. Fault tolerance refers to the capability of the network to withstand interruptions of its service. So in most cases, there are backup servers, generators and planned network topologies to cater to this particular concern.

2. Scalability

So you have created a fault-tolerant network that is good for the users in it. But is your network ready for a dynamic environment? Have you considered that the network may grow and will require more space, bandwidth etc.? Scalability refers to the capability of the network to adjust to changes in its components, be it the number of users or devices.

3. Security

When you design your network, considerations must be made in order to group workstations based on their security importance. What is security in this context? Security refers to giving only the access that a particular type of user needs. For example, company reference materials should only be available within the company’s network. External users should not be able to access these files. These particular access privileges should be determined in the network design. The example I gave is what we call an intranet, which means access only “inside” the local network. You have to consider which parts of the network should be given Admin access, User access and Guest access.

4. Quality of Service (QoS)

The demand for network bandwidth varies with the type of work that people do. Which is more likely to consume more network bandwidth, the cashier or the web developer? You need to give priority to the ones who need more. In a field like IT security, security analysts like me need more bandwidth because we are all connected to the Internet and all our work relies on having good network access.

Network Communication

So let’s say that you try to send an e-mail through http://mail.yahoo.com. The first thing you do is type the Uniform Resource Locator (URL) of the website, which is http://mail.yahoo.com. The URL is equivalent to an Internet Protocol (IP) address, which is represented by numbers. We have URLs so that we don’t need to remember numerical addresses. Instead, we just type the name that we associate with it, like “mail” and “yahoo.” A particular protocol, the Domain Name System (DNS), resolves the URL to its corresponding IP address. So think of the IP address as the website ID and the URL as the website name.

The image above shows how traffic from the personal workstation travels to http://mail.yahoo.com with IP address 203.84.219.114.

I just showed you how data travels to the Yahoo domain. Anyway, when the website appears in a web browser like Internet Explorer or Mozilla Firefox, the data from the Yahoo site comes to your network and is displayed. So from data understandable by the user, it goes through different layers which translate it into data understandable by machines that can travel through different media (such as cables, the atmosphere etc.). A reference model is used to classify protocols per layer. We call it the Open Systems Interconnection (OSI) model. The OSI model has 7 layers, defined to give us an understanding of how data is transmitted and retransmitted.

So going back to the Yahoo mail site, the user interface that we see in the web browser is in the Application Layer of the OSI model. This is the topmost layer of the OSI model. This is quite easy to understand since the Application Layer presents the data to the user. For this example, the protocol used is the Hyper Text Transfer Protocol (HTTP). HTTP is the protocol used to browse web pages. There are a lot of Application Layer protocols aside from HTTP.

The next layer is the Presentation Layer. Its main responsibility is compression/decompression, coding, conversion and encryption/decryption. For example, when you load a page over HTTP and try to save an image, there’s a default “Save As” type which the site dictated, like .jpg, .gif etc. The same is true with video types and media files. Sometimes proprietary sites have their own extensions.

After the data is compressed, converted and coded, the next layer (the Session Layer) checks the status of the data and the connection. Did the data go to the correct destination? Is the connection active or not? Is the device idle or has it been receiving information?

Let’s now go to the next layer, called the Transport Layer. This layer is responsible for determining the kind of services the client/server are running and directing each service to the right port. For example, when you visit the site http://mail.yahoo.com, you go to the IP address 203.84.219.114. This particular domain might be running different services. For example, if you open its site through HTTP, you are actually connecting to Yahoo’s domain through port 80. If you are trying to send an e-mail through Yahoo mail, a connection is made through port 25, which is the Simple Mail Transfer Protocol (SMTP).

There are two popular protocols under the Transport Layer: the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). The former is connectionless while the latter is connection-based. There are services that are considered very essential and need a connection established first to make sure that the data is received successfully. The three-way handshake is the process used by TCP to ensure that a connection is established before transmitting data. For example, in SMTP, the sure way to send an e-mail is to establish a connection between the client and the server first. Otherwise, we are not sure whether the data was sent properly or not.

Basically, we learned how services are reached through ports. But before we’re able to send the data to the right service, we have to send the data to the right network. This is what makes the IP address necessary. This next layer is the Network Layer. An IP address can be private or public. A private IP is an address given by a router for use in a local network. These include the IP families 192.168.x.x, 172.x.x.x and 10.x.x.x. Any IP address under those families is considered private. Public IPs are the other numbers, and they don’t exceed 255.255.255.255. There are other conditions though. But for simplicity’s sake, public IPs are those that host a site for a particular organization.

Each Local Area Network (LAN) has a gateway. When a particular host tries to send data to another IP, it first checks whether the destination IP is found within its network. If it finds it, then the data is sent directly to it. However, in most cases the destination is outside the LAN. A target IP that is not found on the LAN is sent to the default gateway. This gateway passes the data to other routers in order to find the right destination. A router has three possible actions: forward the packet to the next router, deliver the packet to the destination or drop the packet. Routing protocols provide the mechanisms to determine the best paths for data routing.
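As an added illustration (not part of the original article), the following Python code works through the decisions described above: classifying an address as private or public, the sending host's choice between direct delivery and the default gateway, and the router's forward/deliver/drop outcome using longest-prefix matching. It goes slightly beyond the text by using the exact RFC 1918 block 172.16.0.0/12 rather than all of 172.x.x.x; the routing table and addresses are constructed for the example.

```python
import ipaddress

# RFC 1918 private ranges. The article abbreviates these as 192.168.x.x,
# 172.x.x.x and 10.x.x.x; the exact 172 block is 172.16.0.0/12.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(address: str) -> bool:
    """True if the address belongs to one of the RFC 1918 private families."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def host_next_hop(host_ip: str, netmask: str, gateway: str, destination: str) -> str:
    """The sending host's decision: deliver directly on the LAN, or hand the
    packet to the default gateway. Returns the IP the frame is addressed to."""
    lan = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    if ipaddress.ip_address(destination) in lan:
        return destination  # same LAN: send straight to the destination host
    return gateway          # not on the LAN: send to the default gateway


def router_decision(routing_table, destination: str):
    """The router's three outcomes: deliver onto a directly connected network,
    forward to the next hop of the most specific (longest-prefix) matching
    route, or drop when no route matches.
    routing_table entries are (network_cidr, next_hop); next_hop is None for a
    directly connected network."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, next_hop in routing_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return ("drop", None)
    if best[1] is None:
        return ("deliver", str(best[0]))
    return ("forward", best[1])


# Constructed routing table: one connected /16, a more specific /24 that is
# reachable via another router, and no default route (so unknown nets drop).
SAMPLE_ROUTES = [
    ("10.1.0.0/16", None),
    ("10.1.2.0/24", "10.9.9.1"),
]


if __name__ == "__main__":
    for addr in ("192.168.1.5", "172.31.4.4", "172.32.0.1", "203.84.219.114"):
        print(addr, "private" if is_private(addr) else "public")
    print(host_next_hop("192.168.1.20", "255.255.255.0", "192.168.1.1", "203.84.219.114"))
    for dst in ("10.1.2.7", "10.1.5.7", "8.8.8.8"):
        print(dst, router_decision(SAMPLE_ROUTES, dst))
```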

Attack of the Day: The FTP Bounce Attack

I encountered an IDS signature stating that a user accessed an FTP site but a possible FTP Bounce Attack might occur. Why is that so?

The severity of this attack is high because it indicates potential port scanning activities as well as bypassing basic packet filtering services and export restrictions through FTP. (Fortiguard, 2006)

How does the FTP Bounce Attack work? For an FTP connection to occur, the client connects to the FTP server on port 21. A separate data connection is made between the two so that when the client wants to download something from the server, the latter can send the data back. To do this, through the ‘PORT’ command, the client sends its IP address and an arbitrary free port on which to establish that connection.

Now the attack commences in the ‘PORT’ command because the attacker can alter it and send a different IP address and port to the FTP server.

With the ‘PORT’ command the attacker can do a port scan to another host in the Internet through a third party FTP server or even bypass filtering devices. (Telindus, 2003)

What can we do to prevent this attack from happening? If the root cause is the ‘PORT’ command, then the solution is to limit the functionality of the ‘PORT’ command to its purpose of sending its legitimate IP address and port number.

A package called wu-ftpd addresses the FTP bounce problem by ensuring that the ‘PORT’ command can’t be used to make connections to machines other than the original client. (CERT, 1997)
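As an added example (not from the original post or the cited sources), here is the defensive check the text describes, in Python: decode the PORT argument and refuse any target that is not the control-connection client itself on a non-privileged port, then run it over a few constructed control-channel log lines of the kind an analyst would pull when verifying an IDS alert like the one above. The log line format is assumed for the example.

```python
import ipaddress
import re

# PORT argument syntax: h1,h2,h3,h4,p1,p2  (address octets, then port = p1*256 + p2)
PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg: str):
    """Decode a PORT argument into (ip, port). Raises ValueError on bad syntax."""
    m = PORT_ARG.match(arg.strip())
    if not m:
        raise ValueError(f"malformed PORT argument: {arg!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in PORT argument: {arg!r}")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def check_port_command(client_ip: str, arg: str):
    """The wu-ftpd style rule: the data connection may only go back to the host
    that opened the control connection, and only to a non-privileged port.
    Returns (accepted, reason)."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, str(exc)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return False, f"bounce attempt: PORT names {ip}:{port}, control client is {client_ip}"
    if port < 1024:
        return False, f"reserved data port {port}"
    return True, "ok"


# Constructed control-channel log lines: "<client_ip> PORT <argument>".
SAMPLE_LOG = """\
198.51.100.7 PORT 198,51,100,7,4,1
198.51.100.7 PORT 10,0,0,5,0,22
198.51.100.7 PORT 10,0,0,5,0,25
198.51.100.7 PORT 198,51,100,7,0,80
198.51.100.7 PORT 198,51,100,7,19,136
"""


def flag_bounce_attempts(log_text: str):
    """Apply the check to every PORT line; return (line, reason) for rejected ones."""
    flagged = []
    for line in log_text.splitlines():
        client_ip, verb, arg = line.split(maxsplit=2)
        if verb.upper() != "PORT":
            continue
        accepted, reason = check_port_command(client_ip, arg)
        if not accepted:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in flag_bounce_attempts(SAMPLE_LOG):
        print(f"REJECT {line}  ->  {reason}")
```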

Creating a Device Normalizer

Device Normalizer Paper – ACM-formatted journal

Hello!

Today, I will try to share my research and implementation of one of the modules of our undergraduate thesis, the Adaptable Software-based Log Consolidation and Incident Management (AdLCIM), called the Log Normalizer Module. This module is very important for the standardization of logs gathered for network monitoring. The module is adaptable to other projects that need normalization or related topics.

Some prerequisites

Some prerequisites are needed to follow this article, although the level of knowledge doesn’t have to be very advanced. These include object-oriented programming, basic C# syntax and dynamic loading. To follow the article itself, a C# environment should be installed on a Windows platform.

Brief background re AdLCIM

Our thesis AdLCIM is basically a network monitoring tool that accepts logs coming from different network devices in a LAN. The system collects the logs and analyzes them. But before the logs are analyzed, they must be put in a standardized form. Although the logs sent to the system have a format (the Syslog format of RFC 3164), the message still differs from one device to another due to device type or proprietary differences. This makes the role of the Log Normalizer Module very essential. If the system can standardize the collected logs in a way that the user can easily understand, then it will be very helpful for monitoring the whole network. And since the system is adaptable to new devices, it can be useful in future deployments/updates/versions by just creating new normalizers. To cut the story short, the standardized logs are summarized and correlated. The logs are classified as normal, attack or alert logs. The attack logs are handled by an incident manager while alert logs are given recommendations to be resolved.

Building Device Normalizers

The research paper we made regarding the normalization of logs can be seen before the start of this article although it’s very boring to read. I just put it for reference. Anyway, a very important characteristic of the AdLCIM is that it is adaptable to new devices. This means that it should also be adaptable to standardization of new devices. But of course, handling new devices should not require the system to be rebuilt again for the sake of the new device. The program for the new device should be the only one compiled so it can connect to the system. To solve the issue, the use of dynamic loading is necessary. In this sense, dynamic loading is the ability to run a program together with a newly deployed program (connected together) without recompiling the original system.

In the Visual C# environment, some configuration is necessary in order to invoke dynamic loading. Here is the necessary code:

using System;
using System.Reflection;

// Loads the assembly found at AssemblyName, looks for the class whose full name
// ends with "." + ClassName, creates an instance of it and invokes MethodName with args.
public static Object FindNormalizer(string AssemblyName,
    string ClassName, string MethodName, Object[] args)
{
    // Load Assembly. LoadFrom executes whatever code is in that file, so only
    // trusted normalizer assemblies should ever be passed here.
    Assembly assembly = Assembly.LoadFrom(AssemblyName);

    // Get Class
    foreach (Type type in assembly.GetTypes())
    {
        if (type.IsClass && type.FullName.EndsWith("." + ClassName))
        {
            // Activate Class (needs a public parameterless constructor)
            object ClassObj = Activator.CreateInstance(type);

            // Dynamically Invoke the method. With no lookup type given,
            // InvokeMember searches Public | Instance | Static members.
            object Result = type.InvokeMember(MethodName,
                BindingFlags.Default | BindingFlags.InvokeMethod,
                null,
                ClassObj,
                args);
            return Result;
        }
    }
    throw new System.Exception("Could not invoke method");
}

The code shown above is the code used to invoke dynamic loading. In the first line you will see the namespace that makes it possible to call assemblies: System.Reflection. It is capable of invoking and manipulating dynamically loaded classes; we won't dig deeper into its other functionality, but that is more or less its major function.

The FindNormalizer method has 4 parameters: assembly name, class name, method name and parameters. This is easy to analyze, since any source code has a file name (assembly name), a class, a method and parameters. These are the main things you have to supply in order to invoke something dynamically. Once they are supplied, the dynamically loaded program runs when FindNormalizer is called with its fields filled.

Classifying Normalizer Type

When AdLCIM is run, it accepts logs from network devices, but only from recognized ones: if a device tries to send logs but is not recognized in the database, no log is recorded. A recognized device is one given proper identification, such as a hostname, device type, device specification and device details. An example is the laptop I'm using right now: its hostname is Plato-DaAcademy, its device type is COMPUTER, its device specification is WINDOWS and its device detail is 7. This process is required for other devices to have their logs recorded in the database.

The importance of identifying devices is that you know which devices you are monitoring. Getting logs from unrecognized devices may bring confusion to log analysis; without device identification, any device could send logs even if it is not necessary to monitor it. Another reason is the normalization process, which is explained in the next paragraph.

As seen in the first code above, the FindNormalizer method has 4 parameters. The first parameter is the assembly name, i.e. the file name of the normalizer to be opened. The assembly name is derived from the device type and device specification of the hostname that wants to send a log. So, for example, the hostname Plato-DaAcademy (from the previous example) tries to send a log. The system looks up the device type and device specification of Plato-DaAcademy, and from those its assembly name is determined. For this example the device type and device specification are COMPUTER and WINDOWS; therefore the assembly that will be opened is "COMPUTER_WINDOWS_NORMALIZER.dll".

The second parameter is the class name, which follows the same format as the assembly name; therefore the class name for the previous example is still COMPUTER_WINDOWS. The third parameter is the method name, which in the system is standardized as "Normalize": every normalizer has a method "Normalize" that literally normalizes a log according to the standard imposed on its device type. The fourth parameter holds the parameters of that method; it is an object array because there can be multiple parameters of different data types.
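The following is an added example of the dispatch step described above; it is not AdLCIM's own code. It builds the assembly and class names from a device's type and specification, then loads and invokes the normalizer with the same reflection calls as FindNormalizer, adding the checks a log collector fed by untrusted network devices needs: the name tokens are validated, the DLL is resolved only inside a fixed normalizer directory, and an exception thrown inside the normalizer is unwrapped. The directory name, the NormalizerDispatcher class and the Token regex are assumptions; the class name follows the TYPE_SPEC_NORMALIZER pattern that the Snort listing later in the article uses.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Text.RegularExpressions;

// Added example (not AdLCIM code): chooses and invokes the normalizer for a device.
public static class NormalizerDispatcher
{
    // Hypothetical fixed directory holding the compiled normalizer DLLs.
    private static readonly string NormalizerDir =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "normalizers");

    // Device type/spec are upper-case tokens (COMPUTER, WINDOWS, IDS, SNORT). Anything else
    // (path separators, dots, spaces) is refused before it reaches the file system.
    private static readonly Regex Token = new Regex("^[A-Z0-9]+$");

    public static string AssemblyNameFor(string deviceType, string deviceSpec)
    {
        if (!Token.IsMatch(deviceType) || !Token.IsMatch(deviceSpec))
            throw new ArgumentException("device type/spec must be upper-case alphanumeric tokens");
        return deviceType + "_" + deviceSpec + "_NORMALIZER.dll";   // e.g. IDS_SNORT_NORMALIZER.dll
    }

    public static string ClassNameFor(string deviceType, string deviceSpec)
    {
        return deviceType + "_" + deviceSpec + "_NORMALIZER";       // e.g. IDS_SNORT_NORMALIZER
    }

    // Calls <ClassName>.Normalize(timestamp, hostname, facility, severity, message)
    // inside the normalizer assembly chosen for this device type/spec.
    public static void Dispatch(string deviceType, string deviceSpec,
        DateTime timestamp, string hostname, int facility, int severity, string message)
    {
        string path = Path.GetFullPath(
            Path.Combine(NormalizerDir, AssemblyNameFor(deviceType, deviceSpec)));

        // Defence in depth: the resolved path must still lie inside the normalizer directory
        // and the file must exist; otherwise refuse instead of letting LoadFrom probe elsewhere.
        if (!path.StartsWith(NormalizerDir + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(path))
            throw new FileNotFoundException(
                "No normalizer deployed for " + deviceType + "/" + deviceSpec, path);

        Assembly assembly = Assembly.LoadFrom(path);
        string className = ClassNameFor(deviceType, deviceSpec);
        object[] args = { timestamp, hostname, facility, severity, message };

        foreach (Type type in assembly.GetTypes())
        {
            if (!type.IsClass || !type.FullName.EndsWith("." + className))
                continue;

            try
            {
                // Normalize is static in the normalizers, so no instance is created.
                type.InvokeMember("Normalize",
                    BindingFlags.Public | BindingFlags.Static | BindingFlags.InvokeMethod,
                    null, null, args);
                return;
            }
            catch (TargetInvocationException ex)
            {
                // Reflection wraps the normalizer's own exception; surface the real cause.
                throw new InvalidOperationException(
                    className + ".Normalize failed: " + ex.InnerException.Message, ex.InnerException);
            }
        }
        throw new MissingMethodException(className, "Normalize");
    }
}
```

A collector would call Dispatch("IDS", "SNORT", timestamp, hostname, facility, severity, message) after looking up the device in the identified_device table; an unregistered device never reaches this point because it has no type/spec to build a name from.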

Below is a normalizer for an Intrusion Detection System called Snort.

using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using LogNormalizer;
using AdLCIM.Logic;   // assumed: SuperNormalizer is declared in this namespace (see the listing at the end of the article)

namespace LogNormalizer
{
    // Normalizer for device type IDS, device specification SNORT.
    // getFacility, getSeverity, getPriority, getImpact, GetDeviceTypeFromHostname,
    // GetDeviceSpecFromHostname, EventSnipe and checkNormalizedMessageIfAlreadyExists
    // are assumed to be inherited from SuperNormalizer; they are not shown in this article.
    class IDS_SNORT_NORMALIZER : SuperNormalizer
    {
        // Lookup file: one "ORIGINAL SNORT MESSAGE, NORMALIZED NAME" pair per line.
        const string AttackMapFile = "c:\\AdLCIM_SnortNormalizedAttacks.txt";

        // Maps a raw Snort alert text to its standardized attack name,
        // or "OTHERS" when the text is not in the lookup file.
        static string searchNormalizeAttack(string attackMessage)
        {
            string attackNotFound = "OTHERS";
            using (StreamReader sr = new StreamReader(AttackMapFile))   // closed even if an exception is thrown
            {
                string readLine;
                while ((readLine = sr.ReadLine()) != null)             // null at end of file, so an empty file is safe
                {
                    int checkComma = readLine.IndexOf(',');
                    if (checkComma < 0)
                        continue;                                        // skip malformed lines
                    string checkOriginal = readLine.Substring(0, checkComma);
                    if (String.Compare(attackMessage, checkOriginal) == 0)
                    {
                        // Everything after the comma (and the space following it) is the normalized name
                        string normalizedAttackMessage = readLine.Substring(checkComma + 1).TrimStart();
                        Console.WriteLine(normalizedAttackMessage);
                        return normalizedAttackMessage;
                    }
                }
            }
            return attackNotFound;
        }

        // Extracts attack text, protocol and endpoints from a Snort syslog message such as
        //   snort: [1:100000:0] THE BACKDOOR TINI HAS BEEN DETECTED [Classification: ...] [Priority: 1] {TCP} 172.16.4.106:1050 -> 172.16.4.101:7777
        // and returns "Attack, Protocol, SrcIP, SrcPort, DestIP, DestPort".
        public static string parseSyslog(string SnortMessage)
        {
            try
            {
                // Drop everything up to and including the "[gid:sid:rev]" block
                int result = SnortMessage.IndexOf(']');
                string message = SnortMessage.Remove(0, result);
                int result2 = message.IndexOf(' ');
                string message2 = message.Remove(0, result2 + 1);

                // The attack text runs up to the "[Classification: ...]" block, minus the trailing space
                int result3 = message2.IndexOf('[');
                string attackMessage = message2.Substring(0, result3);
                attackMessage = attackMessage.Substring(0, attackMessage.Length - 1);
                Console.WriteLine(attackMessage);

                // "{PROTO} ..." starts the endpoint part
                int result9 = message2.IndexOf('{');
                string message3 = message2.Remove(0, result9);
                int result4 = message3.IndexOf('}');
                string protocol = message3.Substring(1, result4 - 1);
                Console.WriteLine(protocol);

                string normalizedSnortMessage, getNormalizeAttackNow;
                string srcIP, srcPort, destIP, destPort;

                if (protocol == "TCP" || protocol == "UDP")
                {
                    // "srcIP:srcPort -> destIP:destPort"
                    string message4 = message3.Remove(0, result4 + 2);
                    int result5 = message4.IndexOf(':');
                    srcIP = message4.Substring(0, result5);
                    string message5 = message4.Remove(0, result5);
                    int result6 = message5.IndexOf(' ');
                    int result7 = message5.IndexOf('>');
                    srcPort = message5.Substring(1, result6 - 1);
                    string message6 = message5.Remove(0, result7 + 2);
                    int result8 = message6.IndexOf(':');
                    destIP = message6.Substring(0, result8);
                    destPort = message6.Remove(0, result8 + 1);
                    getNormalizeAttackNow = searchNormalizeAttack(attackMessage);
                    normalizedSnortMessage = getNormalizeAttackNow + ", " + protocol + ", " + srcIP + ", " + srcPort + ", " + destIP + ", " + destPort;
                    Console.WriteLine("Attack found: " + normalizedSnortMessage);

                    EventSnipe(destIP, destPort);
                    return normalizedSnortMessage;
                }
                else if (protocol == "ICMP")
                {
                    // "srcIP -> destIP": no ports, written as X
                    string message4 = message3.Remove(0, result4 + 2);
                    int result5 = message4.IndexOf('-');
                    srcIP = message4.Substring(0, result5 - 1);
                    int result6 = message4.IndexOf('>');
                    destIP = message4.Remove(0, result6 + 2);
                    getNormalizeAttackNow = searchNormalizeAttack(attackMessage);
                    normalizedSnortMessage = getNormalizeAttackNow + ", " + protocol + ", " + srcIP + ", X, " + destIP + ", X";
                    Console.WriteLine(normalizedSnortMessage);
                    return normalizedSnortMessage;
                }
                // Any other protocol: pass the raw message through unchanged
                return SnortMessage;
            }
            catch (Exception er)
            {
                // A malformed message ends up here and is passed through unchanged
                Console.WriteLine("Cannot parse logs. " + er.Message);
                return SnortMessage;
            }
        }

        // Entry point invoked dynamically (FindNormalizer) for every Syslog message
        // coming from a host registered with type IDS and specification SNORT.
        public static void Normalize(DateTime timestamp, string hostname, int facility, int severity, string message)
        {
            Console.WriteLine("\nNormalizing Syslog Message now...");
            string Facility = getFacility(facility);
            string Severity = getSeverity(severity);
            string Priority = getPriority(facility, severity);
            string Impact = getImpact(facility, severity);   // computed but not forwarded in this version
            string DeviceType = GetDeviceTypeFromHostname(hostname);
            string DeviceSpec = GetDeviceSpecFromHostname(hostname);
            string ParseMessage = parseSyslog(message);

            Console.WriteLine("\nLog successfully normalized. Sending to consolidator...");
            checkNormalizedMessageIfAlreadyExists(timestamp, hostname, DeviceType, DeviceSpec, Facility, Severity, ParseMessage, Priority);
        }

    } // END OF IDS_SNORT_NORMALIZER CLASS
}

The second listing is a normalizer for a device with device type IDS and device specification SNORT. The program is dynamically invoked once a hostname with type IDS and specification SNORT tries to send a log. The Normalize method has 5 parameters, all of which are used for normalization. The parseSyslog method is responsible for fixing the log into the standardized format. The searchNormalizeAttack method, on the other hand, consults a text file in which all possible attacks are listed along with their standardized names. An example log coming from a Snort IDS is:

snort: [1:100000:0] THE BACKDOOR TINI HAS BEEN DETECTED [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.16.4.106:1050 -> 172.16.4.101:7777

After passing through IDS_SNORT_NORMALIZER.dll, the log becomes:

TINI, TCP, 172.16.4.106, 1050, 172.16.4.101, 7777

The log is now standardized into the format: Attack Name, Protocol Type, Src IP, Src Port, Dest IP, Dest Port. This is the standardized log format for all IDSs, whether Snort or another IDS. So, for instance, if there is a new IDS called "YATCO IDS" with a different log format, an IDS_YATCO_NORMALIZER.dll must be created to bring its logs into the standardized form. For other device types there are different standardization formats, and it is up to the administrator to follow them.
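As an added example (not part of the article or of AdLCIM), here is a regex-based re-implementation of parseSyslog together with the attack-name lookup. It produces the same "Attack, Protocol, Src IP, Src Port, Dest IP, Dest Port" line as IDS_SNORT_NORMALIZER for both the TCP/UDP and the ICMP message shapes, but rejects a message that does not match the Snort alert layout by returning null rather than relying on exceptions from IndexOf/Substring arithmetic. The SnortNormalizer class and AlertPattern are assumptions; the in-memory AttackMap stands in for c:\AdLCIM_SnortNormalizedAttacks.txt, and its second entry and the sample ICMP message are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not AdLCIM code): regex-based Snort alert normalizer.
public static class SnortNormalizer
{
    // Constructed stand-in for the lookup file: "original Snort text" -> "normalized name".
    private static readonly Dictionary<string, string> AttackMap =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "THE BACKDOOR TINI HAS BEEN DETECTED", "TINI" },
            { "ICMP PING NMAP", "NMAP_PING" },          // constructed sample entry
        };

    // [gid:sid:rev] <attack text> [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
    // Classification and Priority are optional; IPv4 endpoints only.
    private static readonly Regex AlertPattern = new Regex(
        @"\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+" +
        @"(?<attack>.+?)\s+" +
        @"(?:\[Classification:\s*(?<class>[^\]]*)\]\s*)?" +
        @"(?:\[Priority:\s*(?<prio>\d+)\]\s*)?" +
        @"\{(?<proto>[A-Z]+)\}\s+" +
        @"(?<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?<sport>\d+))?\s+->\s+" +
        @"(?<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?<dport>\d+))?\s*$",
        RegexOptions.Compiled);

    public sealed class NormalizedAlert
    {
        public string Attack, Protocol, SrcIP, SrcPort, DestIP, DestPort;

        // Same column order as the article's standardized IDS format.
        public override string ToString()
        {
            return string.Join(", ", new[] { Attack, Protocol, SrcIP, SrcPort, DestIP, DestPort });
        }
    }

    // Returns the normalized alert, or null when the message is not a Snort alert line
    // (the caller then passes the raw message through, as parseSyslog does).
    public static NormalizedAlert Parse(string snortMessage)
    {
        Match m = AlertPattern.Match(snortMessage);
        if (!m.Success)
            return null;

        string proto = m.Groups["proto"].Value;
        bool hasPorts = proto == "TCP" || proto == "UDP";

        string name;
        if (!AttackMap.TryGetValue(m.Groups["attack"].Value, out name))
            name = "OTHERS";                                 // unknown attack text

        return new NormalizedAlert
        {
            Attack = name,
            Protocol = proto,
            SrcIP = m.Groups["src"].Value,
            SrcPort = hasPorts && m.Groups["sport"].Success ? m.Groups["sport"].Value : "X",
            DestIP = m.Groups["dst"].Value,
            DestPort = hasPorts && m.Groups["dport"].Success ? m.Groups["dport"].Value : "X",
        };
    }

    public static void Main()
    {
        // Constructed inputs; the first is the article's own example message.
        string[] samples =
        {
            "snort: [1:100000:0] THE BACKDOOR TINI HAS BEEN DETECTED [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.16.4.106:1050 -> 172.16.4.101:7777",
            "snort: [1:0:0] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.4.106 -> 172.16.4.101",
            "snort: not an alert line at all",
        };
        foreach (string s in samples)
        {
            NormalizedAlert a = Parse(s);
            Console.WriteLine(a == null ? "passthrough: " + s : a.ToString());
        }
    }
}
```

The article's sample message yields exactly the TINI line shown above; the ICMP sample gets X in both port columns, and the third line is passed through unchanged. Because every field comes from a named capture group, a message with a missing "{PROTO}" block or a malformed endpoint fails the match as a whole instead of producing a half-parsed record.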

I hope this article helps you understand how to create a device normalizer and, more importantly, makes you realize how important it is to normalize logs, and of course how to dynamically load assemblies without recompiling the whole program.


For reference, here is the SuperNormalizer base class (namespace AdLCIM.Logic) that every device normalizer derives from. GetNormalizerType builds the normalizer name from the device type and specification stored for a hostname; FindNormalizer is the method shown earlier.

using System;
using System.Reflection;

namespace AdLCIM.Logic
{
    public class SuperNormalizer
    {
        // Looks up the device type and specification registered for hostname and
        // returns the normalizer name, e.g. "IDS_SNORT_NORMALIZER".
        // Note: hostname is concatenated straight into the SQL text. Hostnames arrive
        // in Syslog messages from the network, so a parameterized query should be used instead.
        public static string GetNormalizerType(string hostname)
        {
            string sqlCommand1 = "SELECT devicetype from identified_device where hostname='" + hostname + "'";
            string sqlCommand2 = "SELECT devicespec from identified_device where hostname='" + hostname + "'";
            string devicetype, devicespec;
            devicetype = AdLCIM.Data.DataAccess.GetValueFromDatabase(sqlCommand1, "devicetype");
            devicespec = AdLCIM.Data.DataAccess.GetValueFromDatabase(sqlCommand2, "devicespec");
            Console.WriteLine("Normalizer:" + devicetype + "_" + devicespec + "_" + "NORMALIZER");
            return devicetype + "_" + devicespec + "_" + "NORMALIZER";
        }

        // Loads the normalizer assembly, finds the class and invokes the method (see above).
        public static Object FindNormalizer(string AssemblyName,
            string ClassName, string MethodName, Object[] args)
        {
            // Load Assembly (runs the code in that file, so pass trusted normalizers only)
            Assembly assembly = Assembly.LoadFrom(AssemblyName);

            // Get Class
            foreach (Type type in assembly.GetTypes())
            {
                if (type.IsClass && type.FullName.EndsWith("." + ClassName))
                {
                    // Activate Class
                    object ClassObj = Activator.CreateInstance(type);

                    // Dynamically Invoke the method
                    object Result = type.InvokeMember(MethodName,
                        BindingFlags.Default | BindingFlags.InvokeMethod,
                        null,
                        ClassObj,
                        args);
                    return Result;
                }
            }
            throw new System.Exception("Could not invoke method");
        }

    } // END OF CLASS: public class SuperNormalizer
}
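GetNormalizerType above splices the hostname into the SQL text, and the hostname is taken from Syslog messages that any machine on the LAN can send. As an added example (not AdLCIM code), here is a parameterized version that binds the hostname as data and reads both columns in one query through the provider-neutral ADO.NET interfaces, since the article does not say which database AdLCIM uses. The NormalizerLookup class, the "@hostname" placeholder style and the Token check are assumptions; the table and column names are the ones from the listing.

```csharp
using System;
using System.Data;
using System.Text.RegularExpressions;

// Added example (not AdLCIM code): parameterized lookup of a device's normalizer name.
public static class NormalizerLookup
{
    // Device type/spec are expected as upper-case alphanumeric tokens (IDS, SNORT, ...).
    private static readonly Regex Token = new Regex("^[A-Z0-9]+$");

    // Returns e.g. "IDS_SNORT_NORMALIZER", or null when the hostname is not registered
    // (an unrecognized device, whose log is then not recorded).
    public static string GetNormalizerType(IDbConnection conn, string hostname)
    {
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT devicetype, devicespec FROM identified_device WHERE hostname = @hostname";

            IDbDataParameter p = cmd.CreateParameter();
            p.ParameterName = "@hostname";   // some providers use ':' or '?' instead of '@'
            p.DbType = DbType.String;
            p.Value = hostname;              // sent to the server as a value, never as SQL text
            cmd.Parameters.Add(p);

            using (IDataReader rd = cmd.ExecuteReader())
            {
                if (!rd.Read())
                    return null;
                string devicetype = rd.GetString(0);
                string devicespec = rd.GetString(1);
                return BuildNormalizerName(devicetype, devicespec);
            }
        }
    }

    // Even values read back from the database are checked before they become part of a
    // DLL file name, so a tampered row cannot steer Assembly.LoadFrom to an arbitrary path.
    public static string BuildNormalizerName(string devicetype, string devicespec)
    {
        if (!Token.IsMatch(devicetype) || !Token.IsMatch(devicespec))
            throw new FormatException("device type/spec must be upper-case alphanumeric tokens");
        return devicetype + "_" + devicespec + "_NORMALIZER";
    }
}
```

The query result is the same string the original returns, so the rest of the pipeline (appending ".dll" and calling FindNormalizer) is unchanged; the only behavioural difference is that a hostname containing a quote character is now simply looked up and not found, instead of altering the query.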