A Comparison Of The Resource Requirements Of Snort And Bro In Production Networks
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430040 , vital:72661 , https://www.iadisportal.org/applied-computing-2009-proceedings
- Description: Intrusion Detection is essential in modern networking. However, with the increas-ing load on modern networks, the resource requirements of NIDS are significant. This paper explores and compares the requirements of Snort and Bro, and finds that Snort is more efficient at processing network traffic than Bro. It also finds that both systems are capable of analysing current network loads on commodity hardware, but may be unable to do so for higher bandwidth networks. This is ben-eficial in a South African context due to the increasing international bandwidth that will come online with the launch of the SEACOM Cable, and local projects such as SANREN.
- Full Text:
- Date Issued: 2009
A Framework for the Rapid Development of Anomaly Detection Algorithms in Network Intrusion Detection Systems
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428644 , vital:72526 , https://www.researchgate.net/profile/Johan-Van-Niekerk-2/publication/220803295_E-mail_Security_awareness_at_Nelson_Mandela_Metropolitan_University_Registrar's_Division/links/0deec51909304b0ed8000000/E-mail-Security-awareness-at-Nelson-Mandela-Metropolitan-University-Registrars-Division.pdf#page=289
- Description: Most current Network Intrusion Detection Systems (NIDS) perform de-tection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the sys-tem to deploy new algorithms.
- Full Text:
- Date Issued: 2009
An analysis of logical network distance on observed packet counts for network telescope data
- Authors: Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428090 , vital:72485 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228765119_An_Analysis_of_Logical_Network_Distance_on_Observed_Packet_Counts_for_Network_Telescope_Data/links/53e9c5e80cf28f342f414988/An-Analysis-of-Logical-Network-Distance-on-Observed-Packet-Counts-for-Network-Telescope-Data.pdf
- Description: This paper investigates the relationship between the logical distance between two IP addresses on the Internet, and the number of packets captured by a network telescope listening on a network containing one of the addresses. The need for the computation of a manageable measure of quantification of this distance is presented, as an alterna-tive to the raw difference that can be computed between two addresses using their Integer representations. A number of graphical analysis tools and techniques are presented to aid in this analysis. Findings are pre-sented based on a long baseline data set collected at Rhodes Universi-ty over the last three years, using a dedicated Class C (256 IP address) sensor network, and comprising 19 million packets. Of this total, 27% by packet volume originate within the same natural class A network as the telescope, and as such can be seen to be logically close to the collector network.
- Full Text:
- Date Issued: 2009
Automated Firewall Rule Set Generation Through Passive Traffic Inspection
- Authors: Pranschke, Georg-Christian , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428659 , vital:72527 , https://doi.org/10.1007/978-90-481-3660-5_56
- Description: Introducing rewalls and other choke point controls in existing networks is often problematic, because in the majority of cases there is already production tra c in place that cannot be interrupted. This often necessitates the time consuming manual analysis of network tra c in order to ensure that when a new system is installed, there is no disruption to legitimate ows. To improve upon this situation it is proposed that a system facilitating network tra c analysis and rewall rule set generation is developed.
- Full Text:
- Date Issued: 2009
Management, Processing and Analysis of Cryptographic Network Protocols
- Authors: Cowie, Bradley , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428687 , vital:72529 , https://d1wqtxts1xzle7.cloudfront.net/30968790/ISSA2009Proceedings-libre.pdf?1393060231=andresponse-content-disposi-tion=inline%3B+filename%3DAN_ANALYSIS_OF_AUTHENTICATION_FOR_PASSIV.pdfandExpires=1714732172andSignature=Ei8RhR2pCSUNGCNE40DugEyFamcyTxPuuRq9gslD~WGlNqPEgG3FL7VFRQCKXhZBWyAfGRjMtBmNDJ7Sjsgex12WxW9Fj8XdpB7Bfz23FuLc-t2YRM-2joKOHJQLxWJlfZiOzxDvVGZeM3zCHj~f3NUeY1~n6PtVtLzNdL8glIg5dzDTTIE6ms2YlxmnO6JvlzQwOWdHaUbHsZzMGOV19UPtBk-UJzHSq3NRyPe4-XNZQLNK-mEEcMGsLk6nkyXIsW2QJ7gtKW1nNkr6EMkAGSOnDai~pSqzb2imspMnlPRigAPPISrNHO79rP51H9bu1WvbRZv1KVkGvM~sRmfl28A__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA#page=499
- Description: The use of cryptographic protocols as a means to provide security to web servers and services at the transport layer, by providing both en-cryption and authentication to data transfer, has become increasingly popular. However, we note that it is rather difficult to perform legitimate analysis, intrusion detection and debugging on cryptographic protocols, as the data that passes through is encrypted. In this paper we assume that we have legitimate access to the data and that we have the private key used in transactions and thus we will be able decrypt the data. The objective is to produce a suitable application framework that allows for easy recovery and secure storage of cryptographic keys; including ap-propriate tools to decapsulate traffic and to decrypt live packet streams or precaptured traffic contained in PCAP files. The resultant processing will then be able to provide a clear-text stream which can be used for further analysis.
- Full Text:
- Date Issued: 2009
Passive Traffic Inspection for Automated Firewall Rule Set Generation
- Authors: Pranschke, Georg-Christian , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428114 , vital:72487 , https://d1wqtxts1xzle7.cloudfront.net/49200001/Automated_Firewall_Rule_Set_Generation_T20160928-12076-1n830lx-libre.pdf?1475130103=andresponse-content-disposi-tion=inline%3B+filename%3DAutomated_Firewall_Rule_Set_Generation_T.pdfandExpires=1714733377andSignature=Q0miMvZNpP7c60n42m54TvFG4hIdujVJBilbpvDKquBk54RPwU22pH6-40mpmOxIFBllKUmOgZfS9SwzuiANn-AZ2bhAELyZmf2bJ5MgceaYH5wnPjX9VzP04C2BACzhO5YutUfwkysburUx-zNdiemSofx2p1DwOszXaJNauYdP8RcHQmFl8aOnkoc3kmU02eKz8WiQISntJtu5Gpo8txP-Z6f1BEzvlVGd432tndhRwpsEVWGW43~oXsdaWQu72S8pTakgKPREqaD7CUHKMXiiUBfuiSj1nFo2n4xZQlFHqbMT7TAYzBPM0GObe~kBe5s2nY6dnOMUKUsSaeTUtqA__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: The introduction of network filters and chokes such as firewalls in exist-ing operational network is often problematic, due to considerations that need to be made to minimise the interruption of existent legitimate traf-fic. This often necessitates the time consuming manual analysis of net-work traffic over a period of time in order to generate and vet the rule bases to minimise disruption of legitimate flows. To improve upon this, a system facilitating network traffic analysis and firewall rule set genera-tion is proposed. The system shall be capable to deal with the ever in-creasing traffic volumes and help to provide and maintain high uptimes. A high level overview of the design of the components is presented. Additions to the system are scoring metrics which may assist the admin-istrator to optimise the rule sets for the most efficient matching of flows, based on traffic volume, frequency or packet count. A third party pack-age-Firewall Builder-is used to target the resultant rule sets to a number of different firewall and network Filtering platforms.
- Full Text:
- Date Issued: 2009
Performance Effects of Concurrent Virtual Machine Execution in VMware Workstation 6
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429966 , vital:72655 , https://doi.org/10.1007/978-90-481-3660-5_56
- Description: The recent trend toward virtualized computing both as a means of serv-er consolidation and as a powerful desktop computing tool has lead into a wide variety of studies into the performance of hypervisor products. This study has investigated the scalability of VMware Workstation 6 on the desktop platform. We present comparative performance results for the concurrent execution of a number of virtual machines. A through statistical analysis of the performance results highlights the perfor-mance trends of different numbers of concurrent virtual machines and concludes that VMware workstation can scale in certain contexts. We find that there are different performance benefits dependant on the ap-plication and that memory intensive applications perform less effective-ly than those applications which are IO intensive. We also find that run-ning concurrent virtual machines offers a significant performance de-crease, but that the drop thereafter is less significant.
- Full Text:
- Date Issued: 2009
An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428156 , vital:72490 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225058_An_Analysis_of_Network_Scanning_Traffic_as_it_relates_to_Scan-Detec-tion_in_Network_Intrusion_Detection_Systems/links/5b3f21eaa6fdcc8506ffe659/An-Analysis-of-Network-Scanning-Traffic-as-it-relates-to-Scan-Detection-in-Network-Intrusion-Detection-Systems.pdf
- Description: Network Intrusion Detection is, in a modern network, a useful tool to de-tect a wide variety of malicious traffic. The ever present prevalence of scanning activity on the Internet is fair justification to warrant scan de-tection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner. Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes Uni-versity in which these flaws are being addressed. In particular, this re-search will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into con-sideration the improvements which are identified over the course of the research.
- Full Text:
- Date Issued: 2008
An Evaluation Of Scan-Detection Algorithms In Network Intrusion Detection Systems
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428701 , vital:72530 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/29.pdf
- Description: Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro's scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro. This paper highlights current research into the improvement of these scan detection algorithms and presents insight into how this re-search is being conducted at Rhodes University. This research will im-prove on the scan detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.
- Full Text:
- Date Issued: 2008
Towards a taxonomy of network scanning techniques
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430310 , vital:72682 , https://doi.org/10.1145/1456659.1456660
- Description: Network scanning is a common reconnaissance activity in network in-trusion. Despite this, it's classification remains vague and detection sys-tems in current Network Intrusion Detection Systems are incapable of detecting many forms of scanning traffic. This paper presents a classi-fication of network scanning and illustrates how complex and varied this activity is. The presented classification extends previous, well known, definitions of scanning traffic in a manner which reflects this complexity.
- Full Text:
- Date Issued: 2008
A geopolitical analysis of long term internet network telescope traffic
- Authors: Irwin, Barry V W , Pilkington, Nik , Barnett, Richard J , Friedman, Blake
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428142 , vital:72489 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228848896_A_geopolitical_analysis_of_long_term_internet_network_telescope_traffic/links/53e9c5190cf2fb1b9b672aee/A-geopolitical-analysis-of-long-term-internet-network-telescope-traffic.pdf
- Description: This paper presents results form the analysis of twelve months of net-work telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are high-lighted. In particular the bulk of traffic analysed had its source in the China from a volume perspective, but Eastern United States, and North Western Europe were shown to be primary sources when the number of unique hosts were considered. Traffic from African states (South Af-rica in particular) was also found to be surprisingly high. This unex-pected result may be due to the network locality preference of many automated agents. Both statistical and graphical analysis are present-ed. It is found that a country with a high penetration of broadband con-nectivity is likley to feature highly in Network telescope traffic, as are networks logically close to the telescope network.
- Full Text:
- Date Issued: 2007