Towards Central Vulnerability Management By Mobile Phone Operators
- Moyo, Thamsanqa, Irwin, Barry V W, Wright, Madeleine
- Authors: Moyo, Thamsanqa , Irwin, Barry V W , Wright, Madeleine
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428787 , vital:72536 , https://www.researchgate.net/profile/Barry-Irwin/publication/237107512_Securing_mobile_commerce_interactions_through_secure_mobile_web_services/links/5b9a5898a6fdccd3cb4ff6cf/Securing-mobile-commerce-interactions-through-secure-mobile-web-services.pdf
- Description: The application of XML-based approaches in passing vulnerability information between vulnerability management devices or software residing on wired networks has been demonstrated. We propose a proof of concept framework for mobile operators that extends this use of XML into the area of vulnerability management on public land mobile networks. Our proposed framework allows for a pro-active central management of vulnerabilities found on mobile stations such as mobile phones. Despite the relatively limited number of reported vulnerabilities on mobile stations, such a pre-emptive approach from mobile operators is necessary to acquire the confidence of early adopters in Mobile Commerce. Given the diverse collection of devices and software that exist on a public land mobile network, XML-based approaches are best able to provide the inter-operability required for vulnerability management on such a network. Our proposed framework leverages web services by using the Open Vulnerability Assessment Language (OVAL) to provide vulnerability descriptions, and by securing these descriptions in SOAP messages conforming to the OASIS Web Services Security (WSS) standard. We contribute in three areas: firstly, through this framework we show that mobile operators can carry out centralized vulnerability management on their public land mobile networks comprising a wide variety of devices and software. Secondly, the assurance of integrity, confidentiality and non-repudiation inherently lacking in OVAL vulnerability descriptions is achieved through their encapsulation in SOAP messages conforming to the OASIS WSS standard. Thirdly, SOAP-based web service implementations allow for integration with vulnerability management tools and devices that do not conform to OVAL.
- Full Text:
- Date Issued: 2006
Towards a Classification of Intrusion Strength
- Motara, Yusuf M, Irwin, Barry V W
- Authors: Motara, Yusuf M , Irwin, Barry V W
- Date: 2005
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428261 , vital:72498 , https://www.researchgate.net/profile/Yusuf-Motara/publication/267206150_Towards_a_Classification_of_Intrusion_Strength/links/547485820cf245eb436de34e/Towards-a-Classification-of-Intrusion-Strength.pdf
- Description: This paper proposes a new term, “intrusion strength”, for use by the security community and those affected by compromised systems. It justifies the usefulness of such a term, proposes a preliminary ranking of intrusion strength factors, and concludes by mentioning the work necessary to create a full taxonomy of intrusion strength.
- Full Text:
- Date Issued: 2005
A unified patch management architecture
- White, Dominic, Irwin, Barry V W
- Authors: White, Dominic , Irwin, Barry V W
- Date: 2004
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428312 , vital:72502 , https://d1wqtxts1xzle7.cloudfront.net/49200003/A_Unified_Patch_Management_Architecture20160928-23008-tl6zi6-libre.pdf?1475130102=andresponse-content-disposition=inline;+filename=A_Unified_Patch_Management_Architecture.pdfandExpires=1714792674andSignature=JMVkFUbxZO5SzFTdhoeVBJk99hD~p5HQhSlLP0sgvU6p6hRRILz8dWwB9M1OPLXDnqYG3RLWyomwNweZtQpFuFwMgyx-EV~7TA0wkCAfzQr0N9YoOjbwcbHA5Fse1c3zFw7rtpwUYoEPyO17TWplLI7IkVArlotnG~3AWf1AKVmhWQ2gvfXAEi361XRwOFlC1d2XLiKQhVTafh7OrAuGt7EDUKuczw1K4u7YZxi5I7ty~704aTvILlKoVkBpVnYC1U3sVmj8BixFhY84MYD~YvM6ym3bVkitE1iDrpFjH40nR8QF5jpkOurB~aikFgNmB1WNXo8kHbyRAjciZQOYhOg__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: This paper attempts to address the issue of hardening the internal security of an organisation’s network by easing its patch management. A unified architecture to aid with this process is proposed, with the view towards the implementation of an open source, cross platform tool to solve this problem.
- Full Text:
- Date Issued: 2004
A privacy and security threat assessment framework for consumer health wearables
- Mnjama, Javan, Foster, Gregory G, Irwin, Barry V W
- Authors: Mnjama, Javan , Foster, Gregory G , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429217 , vital:72568 , https://ieeexplore.ieee.org/abstract/document/8251776
- Description: Health data is important as it provides an individual with knowledge of the factors that need to be improved for oneself. The development of fitness trackers and their associated software aids consumers in understanding the manner in which they may improve their physical wellness. These devices are capable of collecting health data for a consumer such as sleeping patterns, heart rate readings or the number of steps taken by an individual. Although this information is very beneficial in guiding a consumer to a healthier state, it has been identified that these devices have privacy and security concerns. Privacy and security are of great concern for fitness trackers and their associated applications, as protecting health data is of critical importance. This is so because health data is among the information most highly sought after by cyber criminals. Fitness trackers and their associated applications have been identified to contain privacy and security concerns that place the health data of consumers at risk from intruders. As the study of Consumer Health continues to grow, it is vital to understand the elements that are needed to better protect the health information of a consumer. This research paper therefore provides a conceptual threat assessment framework that can be used to identify the elements needed to better secure Consumer Health Wearables. These elements consist of six core elements from the CIA triad and the Microsoft STRIDE framework. Fourteen vulnerabilities were further discovered that were classified within these six core elements. Through this, better guidance can be achieved to improve the privacy and security of Consumer Health Wearables.
- Full Text:
- Date Issued: 2017
Rich Representation and Visualisation of Time-Series Data
- Kerr, Simon, Foster, Gregory G, Irwin, Barry V W
- Authors: Kerr, Simon , Foster, Gregory G , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428130 , vital:72488 , https://www.researchgate.net/profile/Barry-Irwin/publication/265821926_Rich_Representation_and_Visualisation_of_Time-Series_Data/links/5548a1350cf26a7bf4daefb1/Rich-Representation-and-Visualisation-of-Time-Series-Data.pdf
- Description: Currently the majority of data is visualized using static graphs and tables. However, static graphs still leave much to be desired and provide only a small insight into trends and changes between values. We propose a move away from purely static representations of data towards a more fluid and understandable environment for data representation. This is achieved through the use of an application which animates time based data. Animating time based data allows one to see nuances within a dataset from a more comprehensive perspective. This is especially useful within the time based data rich telecommunications industry. The application comprises two parts: the backend manages raw data, which is then passed to the frontend for animation. A play function allows one to play through a time series, which creates a fluid and dynamic environment for exploring data. Both the advantages and disadvantages of this approach are investigated and an application is introduced which can be used to animate and explore datasets.
- Full Text:
- Date Issued: 2009
A sandbox-based approach to the deobfuscation and dissection of php-based malware
- Wrench, Peter M, Irwin, Barry V W
- Authors: Wrench, Peter M , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429258 , vital:72571 , 10.23919/SAIEE.2015.8531886
- Description: The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.
- Full Text:
- Date Issued: 2015
A multi-threading approach to secure VERIFYPIN
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises various mathematical operations running alongside a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes an improved version of the pin-acceptance program by segmenting the program. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verifying thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates that it is more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
Design and application of link: A DSL for network frame manipulation
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429230 , vital:72569 , https://ieeexplore.ieee.org/abstract/document/8251774
- Description: This paper describes the design and application of Link, a Domain Specific Language (DSL) targeting the development of network applications focused on traffic manipulation at the frame level. The development of Link is described through the identification and evaluation of intended applications and an example translator is implemented to target the FRAME board which was developed in conjunction with this research. Four application examples are then provided to help describe the feasibility of Link when used in conjunction with the implemented translator.
- Full Text:
- Date Issued: 2017
In-kernel cryptographic executable verification
- Motara, Yusuf M, Irwin, Barry V W
- Authors: Motara, Yusuf M , Irwin, Barry V W
- Date: 2005
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429049 , vital:72556 , https://doi.org/10.1007/0-387-31163-7_25
- Description: This paper discusses the problems posed by Trojan horses and unauthorized code, and reviews existing solutions for dealing with them. A technique involving the in-kernel verification of executables is proposed. Its advantages include simplicity, transparency, ease of use and minimal setup time. In addition, the technique has several applications, including assisting with honeypot implementations, incident response and forensic investigations.
- Full Text:
- Date Issued: 2005
Adaptable exploit detection through scalable netflow analysis
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429274 , vital:72572 , https://ieeexplore.ieee.org/abstract/document/7802938
- Description: Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations on Metasploit and through hand-crafted reconstructions of exploits via known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further increase the Bolvedere system's attack detection capability.
- Full Text:
- Date Issued: 2016
Characterization and analysis of NTP amplification based DDoS attacks
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429285 , vital:72573 , 10.1109/ISSA.2015.7335069
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values, as a whole, are then analysed to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting.
- Full Text:
- Date Issued: 2015
Performance Effects of Concurrent Virtual Machine Execution in VMware Workstation 6
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429966 , vital:72655 , https://doi.org/10.1007/978-90-481-3660-5_56
- Description: The recent trend toward virtualized computing, both as a means of server consolidation and as a powerful desktop computing tool, has led to a wide variety of studies into the performance of hypervisor products. This study has investigated the scalability of VMware Workstation 6 on the desktop platform. We present comparative performance results for the concurrent execution of a number of virtual machines. A thorough statistical analysis of the performance results highlights the performance trends of different numbers of concurrent virtual machines and concludes that VMware Workstation can scale in certain contexts. We find that there are different performance benefits dependent on the application and that memory intensive applications perform less effectively than those applications which are IO intensive. We also find that running concurrent virtual machines offers a significant performance decrease, but that the drop thereafter is less significant.
- Full Text:
- Date Issued: 2009
Mapping the most significant computer hacking events to a temporal computer attack model
- Van Heerden, Renier, Pieterse, Heloise, Irwin, Barry V W
- Authors: Van Heerden, Renier , Pieterse, Heloise , Irwin, Barry V W
- Date: 2012
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429950 , vital:72654 , https://doi.org/10.1007/978-3-642-33332-3_21
- Description: This paper presents eight of the most significant computer hacking events (also known as computer attacks). These events were selected because of their unique impact, methodology, or other properties. A temporal computer attack model is presented that can be used to model computer based attacks. This model consists of the following stages: Target Identification, Reconnaissance, Attack, and Post-Attack Reconnaissance stages. The Attack stage is separated into: Ramp-up, Damage and Residue. This paper demonstrates how our eight significant hacking events are mapped to the temporal computer attack model. The temporal computer attack model becomes a valuable asset in the protection of critical infrastructure by being able to detect similar attacks earlier.
- Full Text:
- Date Issued: 2012
An Investigation into the Performance of General Sorting on Graphics Processing Units
- Pilkington, Nick, Irwin, Barry V W
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429881 , vital:72648 , https://doi.org/10.1007/978-1-4020-8741-7_65
- Description: Sorting is a fundamental operation in computing and there is a constant need to push the boundaries of performance with different sorting algorithms. With the advent of the programmable graphics pipeline, the parallel nature of graphics processing units has been exposed, allowing programmers to take advantage of it. By transforming the way that data is represented and operated on, parallel sorting algorithms can be implemented on graphics processing units where previously only graphics processing could be performed. This paradigm of programming exhibits potentially large speedups for algorithms.
- Full Text:
- Date Issued: 2008
In-kernel cryptographic executable verification
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2005
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429937 , vital:72653 , https://doi.org/10.1007/0-387-31163-7_25
- Description: This paper discusses the problems posed by Trojan horses and unauthorized code, and reviews existing solutions for dealing with them. A technique involving the in-kernel verification of executables is proposed. Its advantages include simplicity, transparency, ease of use and minimal setup time. In addition, the technique has several applications, including assisting with honeypot implementations, incident response and forensic investigations.
- Full Text:
- Date Issued: 2005
Human perception of the measurement of a network attack taxonomy in near real-time
- Van Heerden, Renier, Malan, Mercia M, Mouton, Francois, Irwin, Barry V W
- Authors: Van Heerden, Renier , Malan, Mercia M , Mouton, Francois , Irwin, Barry V W
- Date: 2014
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429924 , vital:72652 , https://doi.org/10.1007/978-3-662-44208-1_23
- Description: This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier an attack is detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluates how elements of network attacks can be measured in near real-time (60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attacker's and defender's points of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence or not at all in a short (near real-time) time. The IP address of an attack can easily be faked, thus reducing the confidence in the information obtained from it, and thus the origin of an attack can only be determined with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper are subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if only classes with a high perceptive accuracy are used.
- Full Text:
- Date Issued: 2014
High level internet scale traffic visualization using hilbert curve mapping
- Irwin, Barry V W, Pilkington, Nick
- Authors: Irwin, Barry V W , Pilkington, Nick
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429911 , vital:72650 , https://doi.org/10.1007/978-3-540-78243-8_10
- Description: A high level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparison of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.
- Full Text:
- Date Issued: 2008
Guidelines for Constructing Robust Discrete-Time Computer Network Simulations
- Richter, John, Irwin, Barry V W
- Authors: Richter, John , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429896 , vital:72649 , https://doi.org/10.1007/978-1-4020-8737-0_69
- Description: Developing network simulations is a complex task that is often performed in research and testing. The components required to build a network simulator are common to many solutions. In order to expedite further simulation development, these components have been outlined and detailed in this paper. The process for generating and using these components is then detailed, and an example of a simulator that has been implemented using this system is described.
- Full Text:
- Date Issued: 2008
Dridex: Analysis of the traffic and automatic generation of IOCs
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429525 , vital:72619 , https://ieeexplore.ieee.org/abstract/document/7802932
- Description: In this paper we present a framework that generates network Indicators of Compromise (IOC) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises a sandbox environment in which to perform the malware analysis. We focus on the generation of network based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used, as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples, evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing and application of the generated IOCs and the number of systems that can be used to share them. Lastly we discuss how they can be useful in combating cyber threats.
- Full Text:
- Date Issued: 2016
Characterization and Analysis of NTP Amplifier Traffic
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429482 , vital:72616 , 10.23919/SAIEE.2016.8531542
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values are then analysed as a whole to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting. The paper discusses our work with two brief case studies correlating observed data to real-world attacks, and the observable impact thereof.
- Full Text:
- Date Issued: 2016