An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427630 , vital:72452 , https://www.researchgate.net/profile/Stones-Chindipha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) has long had techniques for gauging the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarity between duplicated images, to identify native languages, and to optimize algorithms, among other uses. With this in mind, this study proposes the use of four Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling the ports observed on a /24 IPv4 net-block into smaller subnet equivalents. Using IR, this paper shows how the ports found in a /24 IPv4 net-block relate to those found in the smaller subnet equivalents. Using Internet Background Radiation (IBR) data collected at Rhodes University, the study found compelling evidence of the viability of using such techniques in sampling datasets; essentially, they make it possible to identify the variation that comes with sampling the baseline dataset, and to show how similar the various samples are to the baseline dataset. The correlation observed in the scores shows how viable these techniques are for quantifying variations in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (the IPv4 net-block dataset).
- Full Text:
- Date Issued: 2019
Bolvedere: a scalable network flow threat analysis system
- Authors: Herbert, Alan
- Date: 2019
- Subjects: Bolvedere (Computer network analysis system) , Computer networks -- Scalability , Computer networks -- Measurement , Computer networks -- Security measures , Telecommunication -- Traffic -- Measurement
- Language: English
- Type: text , Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10962/71557 , vital:29873
- Description: Since the advent of the Internet, and its public availability in the late 90’s, there have been significant advancements to network technologies and thus a significant increase of the bandwidth available to network users, both human and automated. Although this growth is of great value to network users, it has led to an increase in malicious network-based activities and it is theorized that, as more services become available on the Internet, the volume of such activities will continue to grow. Because of this, there is a need to monitor, comprehend, discern, understand and (where needed) respond to events on networks worldwide. Although this line of thought is simple in its reasoning, undertaking such a task is no small feat. Full packet analysis is a method of network surveillance that seeks out specific characteristics within network traffic that may tell of malicious activity or anomalies in regular network usage. It is carried out within firewalls and implemented through packet classification. In the context of the networks that make up the Internet, this form of packet analysis has become infeasible, as the volume of traffic introduced onto these networks every day is so large that there are simply not enough processing resources to perform such a task on every packet in real time. One could combat this problem by performing post-incident forensics; archiving packets and processing them later. However, as one cannot process all incoming packets, the archive will eventually run out of space. Full packet analysis is also hindered by the fact that some existing, commonly-used solutions are designed around a single host and single thread of execution, an outdated approach that is far slower than necessary on current computing technology. This research explores the conceptual design and implementation of a scalable network traffic analysis system named Bolvedere. 
Analysis performed by Bolvedere simply asks whether the existence of a connection, coupled with its associated metadata, is enough to conclude something meaningful about that connection. This idea draws away from the traditional processing of every single byte in every single packet monitored on a network link (Deep Packet Inspection) through the concept of working with connection flows. Bolvedere performs its work by leveraging the NetFlow version 9 and IPFIX protocols, but is not limited to these. It is implemented using a modular approach that allows for either complete execution of the system on a single host or the horizontal scaling out of subsystems on multiple hosts. The use of multiple hosts is achieved through the implementation of Zero Message Queue (ZMQ). This allows Bolvedere to horizontally scale out, which results in an increase in processing resources and thus an increase in analysis throughput; this is due to the ease of interprocess communication provided by ZMQ. Many underlying mechanisms in Bolvedere have been automated. This is intended to make the system more user-friendly, as the user need only tell Bolvedere what information they wish to analyse, and the system will then rebuild itself in order to achieve this required task. Bolvedere has also been hardware-accelerated through the use of Field-Programmable Gate Array (FPGA) technologies, which more than doubled the total throughput of the system.
- Full Text:
- Date Issued: 2019
Effectiveness of Sampling a Small Sized Network Telescope in Internet Background Radiation Data Collection
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427646 , vital:72453 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624431_Effectiveness_of_Sampling_a_Small_Sized_Network_Telescope_in_Internet_Background_Radiation_Data_Collection/links/5b9a5067299bf14ad4d793a1/Effectiveness-of-Sampling-a-Small-Sized-Network-Telescope-in-Internet-Background-Radiation-Data-Collection.pdf
- Description: What is known today as the modern Internet has long relied on the existence of, and use of, IPv4 addresses. However, due to the rapid growth of the Internet of Things (IoT) and the limited address space within IPv4, acquiring large IPv4 subnetworks is becoming increasingly difficult. The exhaustion of the IPv4 address space has made it near impossible for organizations to gain access to large blocks of IP space. This is of great concern particularly in the security space, which often relies on acquiring large network blocks for performing a technique called Internet Background Radiation (IBR) monitoring. This technique monitors IPv4 addresses which have no services running on them. In practice, no traffic should ever arrive at such an IPv4 address, so any traffic that does is marked as an anomaly, and thus recorded and analyzed. This research aims to address the problem brought forth by IPv4 address space exhaustion in relation to IBR monitoring. This study's intent is to identify the smallest subnet that best represents the attributes found in the /24 IPv4 address block. This is done by determining how well a subset of the monitored original subnetwork represents the information gathered by the original subnetwork. Determining the best method of selecting a subset of IPv4 addresses from a subnetwork will enable IBR research to continue in the best way possible in an ever more restrictive research space.
- Full Text:
- Date Issued: 2018
FPGA Based Implementation of a High Performance Scalable NetFlow Filter
- Herbert, Alan, Irwin, Barry V W, Otten, D F, Balmahoon, M R
- Authors: Herbert, Alan , Irwin, Barry V W , Otten, D F , Balmahoon, M R
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427887 , vital:72470 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622948_FPGA_Based_Implementation_of_a_High_Performance_Scalable_NetFlow_Filter/links/5b9a17a192851c4ba8181ba5/FPGA-Based-Implementation-of-a-High-Performance-Scalable-NetFlow-Filter.pdf
- Description: Full packet analysis on firewalls and intrusion detection systems, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason, partial packet analysis approaches such as the NetFlow protocol have emerged to better mitigate these bottlenecks. This research delves into implementing a hardware-accelerated, scalable, high-performance system for NetFlow analysis and attack mitigation. Furthermore, this implementation takes on attack mitigation through collection and processing of network flows produced at the source, rather than at the site of the incident. This research platform manages to scale out its back-end through distributed analysis over multiple hosts using the ZeroMQ toolset. Furthermore, ZeroMQ allows for multiple NetFlow data publishers, so that plug-ins can subscribe only to the publishers that contain the relevant data, further increasing the overall performance of the system. The dedicated custom hardware optimizes the received network flows through cleaning, summarization and re-ordering into an easy-to-pass form before handing them to the sequential component of the system, this being the back-end.
- Full Text:
- Date Issued: 2015
Improving Fidelity in Internet Simulation through Packet Injection
- Koorn, Craig, Irwin, Barry V W, Herbert, Alan
- Authors: Koorn, Craig , Irwin, Barry V W , Herbert, Alan
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427786 , vital:72462 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622877_Improving_Fidelity_in_Internet_Simulation_through_Packet_Injection/links/5b9a1a47458515310583fd8a/Improving-Fidelity-in-Internet-Simulation-through-Packet-Injection.pdf
- Description: This paper describes the extension implemented to the NKM Internet simulation system, which allows for the improved injection of packet traffic at arbitrary nodes, and the replay of previously recorded streams. The latter function allows for the relatively easy implementation of Internet Background Radiation (IBR) within the simulated portion of the Internet. This feature thereby enhances the degree of realism of the simulation, and allows for certain pre-determined traffic, such as scanning activity, to be injected and observed by client systems connected to the simulator.
- Full Text:
- Date Issued: 2016
JSON schema for attribute-based access control for network resource security
- Linklater, Gregory, Smith, Christian, Connan, James, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Smith, Christian , Connan, James , Herbert, Alan , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428368 , vital:72506 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9820/Linklater_19660_2017.pdf?sequence=1&isAllowed=y
- Description: Attribute-based Access Control (ABAC) is an access control model where authorization for an action on a resource is determined by evaluating attributes of the subject, the resource (object) and the environment. The attributes are evaluated against boolean rules of varying complexity. ABAC rule languages are often based on serializable object modeling and schema languages, as in the case of XACML, which is based on XML Schema. XACML is a standard by OASIS and is the current de facto standard for ABAC. While a JSON profile for XACML exists, it is simply a compatibility layer for using JSON in XACML that caters to the XML object model paradigm, as opposed to the JSON object model paradigm. This research proposes JSON Schema as a modeling language that caters to the JSON object model paradigm on which to base an ABAC rule language. It goes on to demonstrate its viability for the task by comparison against the features provided to XACML by XML Schema.
- Full Text:
- Date Issued: 2017
Offline-First Design for Fault Tolerant Applications.
- Linklater, Gregory, Marais, Craig, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Marais, Craig , Herbert, Alan , Irwin, Barry V W
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427683 , vital:72455 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624337_Offline-First_Design_for_Fault_Tolerant_Applications/links/5b9a50a1458515310584ebbe/Offline-First-Design-for-Fault-Tolerant-Applications.pdf
- Description: Faults are inevitable and frustrating; as we increasingly depend on network access and the chain of services that provides it, we suffer a greater loss in productivity when any of those services fail and service delivery is suspended. This research explores connectivity and infrastructure fault tolerance through offline-first application design using techniques such as CQRS and event sourcing. To apply these techniques, this research details the design and implementation of LOYALTY TRACKER, an offline-first PoS system for the Android platform that was built to operate in the context of a small pub where faults are commonplace. The application demonstrates data consistency and integrity and a complete feature set that continues to operate while offline, but is limited in scalability. The application successfully achieves its goals in the limited capacity for which it was designed.
- Full Text:
- Date Issued: 2018
Towards Enhanced Threat Intelligence Through NetFlow Distillation
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427699 , vital:72456 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624198_Towards_Enhanced_Threat_Intelligence_Through_NetFlow_Distillation/links/5b9a501fa6fdcc59bf8ee8ea/Towards-Enhanced-Threat-Intelligence-Through-NetFlow-Distillation.pdf
- Description: Bolvedere is a hardware-accelerated NetFlow analysis platform intended to discern NetFlow records and distribute them in a format requested by the user. This functionality removes the need for a user to deal with the NetFlow protocol directly, and also reduces the CPU resources required, as data is passed on to a host already in the known requested format.
- Full Text:
- Date Issued: 2018
Towards large scale software based network routing simulation
- Authors: Herbert, Alan
- Date: 2015
- Subjects: Routers (Computer networks) , Computer software , Linux
- Language: English
- Type: Thesis , Masters , MSc
- Identifier: vital:4709 , http://hdl.handle.net/10962/d1017931
- Description: Software-based routing simulators suffer from large simulation host requirements and are prone to slowdowns because of resource limitations, as well as context switching due to user space to kernel space requests. Furthermore, hardware-based simulations do not scale with the passing of time, as their available resources are set at the time of manufacture. This research aims to provide a software-based, scalable solution to network simulation. It aims to achieve this through a Linux kernel-based solution, by insertion of a custom kernel module. This reduces the number of context switches by eliminating the user space context requirement, and is highly compatible with any host that can run the Linux kernel. Through careful consideration in data structure choice and software component design, this routing simulator achieved over 7 Gbps of throughput across multiple simulated node hops on consumer hardware. Alongside this throughput, this routing simulator also demonstrates scalability, with the ability to instantiate and simulate networks in excess of 1 million routing nodes within 1 GB of system memory.
- Full Text:
- Date Issued: 2015
Towards malicious network activity mitigation through subnet reputation analysis
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427799 , vital:72463 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622788_Towards_Malicious_Network_Activity_Mitigation_through_Subnet_Reputation_Analysis/links/5b9a1a88458515310583fda6/Towards-Malicious-Network-Activity-Mitigation-through-Subnet-Reputation-Analysis.pdf
- Description: Analysis technologies that focus on partial packet rather than full packet analysis have shown promise in the detection of malicious activity on networks. NetFlow is one such emergent protocol, used to log network flows by summarizing their key features. These logs can then be exported to external NetFlow sinks, and with proper configuration, effective bandwidth bottleneck mitigation can be achieved on networks. Furthermore, each NetFlow source node is configurable with its own unique ID number. This feature enables a system that knows where a NetFlow source node ID number resides physically to say which network flows are occurring from which physical locations, irrespective of the IP addresses involved in these network flows.
- Full Text:
- Date Issued: 2016
Weems: An extensible HTTP honeypot
- Pearson, Deon, Irwin, Barry V W, Herbert, Alan
- Authors: Pearson, Deon , Irwin, Barry V W , Herbert, Alan
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428396 , vital:72508 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9691/Pearson_19652_2017.pdf?sequence=1andisAllowed=y
- Description: Malicious entities are constantly trying their luck at exploiting known vulnerabilities in web services, in an attempt to gain unauthorized access to resources. For this reason security specialists deploy various network defenses with the goal of preventing these threats; one such tool is the web based honeypot. Historically a honeypot will be deployed facing the Internet to masquerade as a live system with the intention of attracting attackers away from the valuable data. Researchers adapted these honeypots and turned them into a platform to allow for the studying and understanding of web attacks and threats on the Internet. Having the ability to develop a honeypot to replicate a specific service meant researchers can now study the behavior patterns of threats, thus giving a better understanding of how to defend against them. This paper discusses a high-level design and implementation of Weems, a low-interaction web based modular HTTP honeypot system. It also presents results obtained from various deployments over a period of time and what can be interpreted from these results.
- Full Text:
- Date Issued: 2017