Chris,

I owe you an apology for taking so long to get back to you on your dissertation. I was postponing it until I had several free hours to read through it. I realize now, after reading much of it, that I could have given you most of this reply after a half-hour or so of study. The size was daunting, and I didn't realize that I could skip most of it and still identify the problems.

Basically, what I'll explain in this message is that you have a dissertation lurking in what you wrote, but it will require extensive effort (or perhaps starting anew) to get it into the proper form. What you have done is write a popular press book, or perhaps a briefing document -- it isn't a PhD dissertation. I can now understand Dr. Hoffman's disapproval of the document. I hope I can help you understand what to do to turn it into something more appropriate.

The following may seem unduly negative -- I don't mean to sound that way. I think you have the potential to get something together of value, and I'm hoping my comments help you to do that. Just don't get discouraged about it!

Let me start by reviewing some things that may seem obvious:

1) Your dissertation is *part* of the requirements for a PhD. The research, theory, experimentation, et al. also contribute. One does not attempt to capture everything into one's dissertation.

2) The dissertation is a technical work used to document and set forth proof for one's thesis. It is intended for a technical audience, and it must be very clear and complete, but not necessarily comprehensive. Also note -- experimental data, if used, is not the proof -- it is evidence. The proof is presented as analysis and critical presentation.

3) The dissertation is not the thesis. One's thesis is a *claim* -- a hypothesis. The dissertation describes, in detail, how one proves the hypothesis (or, rarely, disproves the claim and shows other important results).

What you have written does not appropriately address these three points.
To wit:

1) Your dissertation includes material on unrelated topics, & includes discussion on tangential and non-technical points.

2) Your document includes way too much background and explanatory detail, includes some discussion that cannot be defended on purely technical grounds, and fails to prove your thesis (but see #3). As a general rule, every statement in your dissertation must be common knowledge, supported by citation to technical literature, or else original results proved by the candidate (you).

3) I thought I understood what your thesis (claim) was after your defense, but after reading what you have written, I am no longer certain what it is you are claiming. It is thus impossible to decide if you have proved it!

Rather than point out problems and objections with what you *have* written, let me go through the exercise of telling you what you *should* do to complete a dissertation. You need to decide if you can edit your current document to achieve this, or if you need to start from scratch. Of course, you need to discuss this some with Lance, but I think he will agree with most of my comments.

Let's revisit the idea of the thesis itself. It is a hypothesis, a conjecture, a theorem. The dissertation is a formal, stylized document used to argue your thesis. The thesis must be significant, original (no one has yet demonstrated it to be true), and it must extend the state of *scientific* knowledge.

The first thing you need to do is to come up with *no more than two* sentences that express your thesis. Your committee must agree that this is a valid thesis statement. (I could suggest one, but you need to do this yourself -- I'll be happy to comment on whatever you care to send me.) You too must be happy with the statement -- it should be what you will tell anyone if they ask you what your thesis is (few people will want to hear an hour presentation as a response).

Once you have a statement of thesis, you can begin to develop the dissertation.
The abstract, for instance, should be a one-page description of your thesis and how you present the proof of it. (The abstract should not mention the related work section as yours does.) Instead, the abstract should summarize the results of the thesis and should stress the contributions to science made thereof.

Perhaps the best way to understand how an abstract should look would be to examine the abstracts of several dozen dissertations that have already been accepted. I'm sure the GWU library has a collection of them. I might also suggest this as a good way to see how an entire dissertation is structured and presented. MIT Press published the ACM doctoral dissertation award series for several years, so you may find some of those to be good examples to read -- they should be in any large technical library.

The dissertation itself should be structured into 4 or 5 chapters (I'll speak to your topic, specifically):

I. Introduction. Cover an introduction to the basic terminology, give citations to appropriate background work, briefly discuss related work that has already covered aspects of the problem.

II. Abstract model. Discuss an abstract model of what you are trying to prove. This chapter should not discuss any specific implementation (see below).

III. Validation of model/proof of theorems. This is a chapter showing a proof of the model. In your case, this would be one or more experiments with a wireless LAN showing how malicious software can enter and spread.

IV. Additional results. In your case, this would probably be countermeasures and resistance features.

V. Conclusions and future work.

Let's examine what you have and what you need to do.

Chapter I, Introduction. Here, you should clearly state the thesis and its importance. This is also where you give definitions of terms and other concepts used elsewhere. There is *no* need to write 80 pages of background on computer viruses and malicious software here.
Instead, you can cover almost everything by saying: "The terminology used in this work matches the definitions given in [citation, citation] unless noted otherwise." Then, cite some appropriate works that give the definitions you need. The progress of science is that we learn and use the work of others (with appropriate credit). Assume you have a technically literate readership familiar with (or able to find) common references. Do *not* reference your book if you can help it (this is a matter of style more than anything else -- you want to reference articles in refereed conferences and journals, if possible, or in other theses).

Also in the introduction, you want to survey any related work that attempted something like your thesis, or that takes on a vital role in your research. This should refer only to published references. You cite the work in the references, not the researchers themselves. E.g., "The experiments described in [citation] explored the foo and bar conditions, but did not discuss the further problem of baz, the central point of our work." This is opposed to some of your discussion that sometimes reads like this: "Cohen, Radai and Bontchev all have described this important point." *Every* factual statement you make must have a *specific* citation tied to it in this chapter, or else it must be common knowledge (don't rely on this too much).

Chapter II. Abstract Model. Your results are to be of lasting value. Thus, the model you develop and write about (and indeed, that you defend) should be one that has lasting value. Thus, you should discuss a model that is not based on DOS, Ethernet, PCMCIA, or any other specific technology. Neither should it discuss any specific viruses, boot sectors, or other specifics. It should be generic in nature, and should capture all the details necessary to overlay the model on likely environments. You should discuss the problems, parameters, requirements, necessary and sufficient conditions, and other factors here.
I didn't really see this in your current draft anywhere. This model is tough to construct, but is really the heart of the scientific part of your work. This is the lasting part of the contribution, and this is what someone might cite 50 years from now when we are all using Windows NT/5 on wrist-computers with subspace network links. :-)

Chapter III. Experimental Proof. There are basically three proof techniques that can be used in a computing dissertation, depending on the thesis form. The first is analytic, where one takes the model or formulae and shows, using formal manipulations, that the model is sound and complete. A second proof method is stochastic, using some form of statistical methods and measurements to show that something is true in the anticipated cases.

Your thesis is not going to be something that is appropriate for either of these two methods. Instead, you need to show that your thesis is true by building something according to your model and showing that it behaves as you claim it will. This involves clearly showing how your implementation model matches the conditions of your abstract model, describing all the variables and why you set them as you do, accounting for confounding factors, and showing the results.

What you have written in the draft spends too much time describing how standard protocols and hardware work (use citations to the literature, instead). What you don't do is clearly express the mapping of model to experiment, and the definition of parameters used and measured.

Chapter IV. Other results. This may be folded into Chapter III in some theses, or it may be multiple chapters in a thesis with many parts (as in a theory-based thesis). In your case, this is probably where you will want to discuss countermeasures. This may also be where you will discuss the effects of technology change on your results. I'm not entirely sure all of what you will put in here -- this will be based a great deal on the statement of your thesis.

NB.
I am making a big assumption here by suggesting that "countermeasures" is under "other results" rather than the topic of chapters II and III. I am assuming from your current drafts that countermeasures are not the central thesis to your dissertation, but that may not be the case once you rethink things.

Chapter V. Conclusions and Future work. This is where you discuss what you found from your work, incidental ideas and results that were not central to your thesis but of value nonetheless, and other results. This chapter should summarize all the important results of the dissertation --- note that this is the only chapter many people will ever read, so it should convey all the important results.

This is also where you should outline some possible future work that can be done in the area. What are some open problems? What are some new problems? What are some significant variations open to future inquiry?

Appendices. Appendices usually are present to hold mundane details that are not published elsewhere, but which are critical to the development of your dissertation. This includes tables of measurement results, configuration details of experimental testbeds, limited source code listings of critical routines or algorithms, etc. It is *not* appropriate to include lists of readings by topic, intrusion detection systems, or the things you have in your draft.

Here are some more general hints to keep in mind as you write/edit:

* adverbs should generally not be used -- instead, use something precise. For example, to say that something "happens quickly." How quick is quickly? Is it relative to CPU speeds? Network speeds? Does it depend on connectivity, configuration, programming language, OS release, etc? What is the standard deviation?

* as per the above, use of the words "fast", "slow", "perfect", "soon", "ideal", "lots of" and related should all be avoided. So should "clearly", "obviously", "simple", "like", "few", "most", "large", et al.
* What you are writing is scientific fact. Judgements of aesthetics, ethics, personal preference, etc. should be in the conclusions chapter if they should be anywhere at all. With that in mind, avoid use of words like "good", "bad", "best", and any similar discussion. (In particular, your discussion of ethics and using viruses is interesting, but out of place anywhere but the conclusions; I'm not sure they should be used there.)

* Avoid mention of time and environment. "Today's computers" are antiques far sooner than you think. Your thesis should be fresh and still true many years from now.

* Be sure that something you claim as a proof would be recognized as such by any scientist or mathematician.

* Focus on the results and not the methodology. Methodology should be clearly described, but not the central topic of your discussion in chapters III & IV.

* Keep concepts and instances separate. An algorithm is not the same as a program that implements it. A protocol is not the same as the realization of it, etc.

If I had to take a wild guess, I would say that your dissertation should all fit within about 120 pages. Anything more than 20% larger is probably inappropriate.

So, with all that commentary, what can I advise you to do? Let me start by observing some of your strong points:

1) you really know your material
2) your prose is reasonably good (although it is more colloquial than scientific)
3) you have some strong experimental results
4) you are motivated to finish

I think that trying to edit your current draft down into a workable dissertation is going to be much more difficult than starting from scratch and reusing some small parts in appropriate places.

Start by getting a one or two sentence summary of your thesis in place. Get your committee to sign off on it. Then tape it above your terminal, and for every sentence you write ask yourself "Is this sentence necessary to prove that thesis?"
After you get the thesis statement done, write your first draft of your abstract. Again, run that by your committee. Then, write your conclusions chapter and see how we react to that. The rest will be much simpler to write if you know exactly what you need to support.

The situation is that you have become the world's expert on this area of computer malware, and you want to tell us all about it. However, this is not the place to do a core dump. Instead, tell us, in depth, about this one narrow topic you have chosen as your thesis. The other material can be told to us all in other forums. That is why writing the abstract, and then the conclusions, is a good way to help structure the thesis. It identifies exactly what you need to support in the dissertation -- and no more.

If I can be of any further assistance in this, please let me know. I really believe you can do it. It is going to take a real effort on your part to restrain your natural impulses to explain all the details and write for a general audience. A dissertation is not the place to do that -- it requires learning a whole new way of writing. Of course, that same way is really the way that scientific articles should be written, too, should you choose to write any, so it is important you learn how to do it.

Regards,
--spaf