Data classification for artificial intelligence construct training to aid in network incident identification using network telescope data
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2010
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430125 , vital:72667 , https://doi.org/10.1145/1899503.1899544
- Description: This paper considers the complexities involved in obtaining training data for use by artificial intelligence constructs to identify potential network incidents using passive network telescope data. While a large amount of data obtained from network telescopes exists, this data is not currently marked for known incidents. Problems related to this marking process include the accuracy of the markings, the validity of the original data and the time involved. In an attempt to solve these issues two methods of training data generation are considered, namely manual identification and automated generation. The manual technique considers heuristics for finding network incidents while the automated technique considers building simulated data sets using existing models of virus propagation and malicious activity. An example artificial intelligence system is then constructed using these marked datasets.
- Full Text:
- Date Issued: 2010
Parallel packet classification using GPU co-processors
- Nottingham, Alistair, Irwin, Barry V W
- Authors: Nottingham, Alistair , Irwin, Barry V W
- Date: 2010
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430250 , vital:72677 , https://doi.org/10.1145/1899503.1899529
- Description: In the domain of network security, packet filtering for classification purposes is of significant interest. Packet classification provides a mechanism for understanding the composition of packet streams arriving at distinct network interfaces, and is useful in diagnosing threats and uncovering vulnerabilities so as to maximise data integrity and system security. Traditional packet classifiers, such as PCAP, have utilised Control Flow Graphs (CFGs) in representing filter sets, due to both their amenability to optimisation, and their inherent structural applicability to the metaphor of decision-based classification. Unfortunately, CFGs do not map well to cooperative processing implementations, and single-threaded CPU-based implementations have proven too slow for real-time classification against multiple arbitrary filters on next generation networks. In this paper, we consider a novel multithreaded classification algorithm, optimised for execution on GPU co-processors, intended to accelerate classification throughput and maximise processing efficiency in a highly parallel execution context.
- Full Text:
- Date Issued: 2010
A Comparison Of The Resource Requirements Of Snort And Bro In Production Networks
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430040 , vital:72661 , https://www.iadisportal.org/applied-computing-2009-proceedings
- Description: Intrusion Detection is essential in modern networking. However, with the increasing load on modern networks, the resource requirements of NIDS are significant. This paper explores and compares the requirements of Snort and Bro, and finds that Snort is more efficient at processing network traffic than Bro. It also finds that both systems are capable of analysing current network loads on commodity hardware, but may be unable to do so for higher bandwidth networks. This is beneficial in a South African context due to the increasing international bandwidth that will come online with the launch of the SEACOM Cable, and local projects such as SANREN.
- Full Text:
- Date Issued: 2009
A Framework for the Rapid Development of Anomaly Detection Algorithms in Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428644 , vital:72526 , https://www.researchgate.net/profile/Johan-Van-Niekerk-2/publication/220803295_E-mail_Security_awareness_at_Nelson_Mandela_Metropolitan_University_Registrar's_Division/links/0deec51909304b0ed8000000/E-mail-Security-awareness-at-Nelson-Mandela-Metropolitan-University-Registrars-Division.pdf#page=289
- Description: Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the system to deploy new algorithms.
- Full Text:
- Date Issued: 2009
An analysis of logical network distance on observed packet counts for network telescope data
- Irwin, Barry V W, Barnett, Richard J
- Authors: Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428090 , vital:72485 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228765119_An_Analysis_of_Logical_Network_Distance_on_Observed_Packet_Counts_for_Network_Telescope_Data/links/53e9c5e80cf28f342f414988/An-Analysis-of-Logical-Network-Distance-on-Observed-Packet-Counts-for-Network-Telescope-Data.pdf
- Description: This paper investigates the relationship between the logical distance between two IP addresses on the Internet, and the number of packets captured by a network telescope listening on a network containing one of the addresses. The need for the computation of a manageable measure of quantification of this distance is presented, as an alternative to the raw difference that can be computed between two addresses using their Integer representations. A number of graphical analysis tools and techniques are presented to aid in this analysis. Findings are presented based on a long baseline data set collected at Rhodes University over the last three years, using a dedicated Class C (256 IP address) sensor network, and comprising 19 million packets. Of this total, 27% by packet volume originate within the same natural class A network as the telescope, and as such can be seen to be logically close to the collector network.
- Full Text:
- Date Issued: 2009
Automated Firewall Rule Set Generation Through Passive Traffic Inspection
- Pranschke, Georg-Christian, Irwin, Barry V W, Barnett, Richard J
- Authors: Pranschke, Georg-Christian , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428659 , vital:72527 , https://doi.org/10.1007/978-90-481-3660-5_56
- Description: Introducing firewalls and other choke point controls in existing networks is often problematic, because in the majority of cases there is already production traffic in place that cannot be interrupted. This often necessitates the time consuming manual analysis of network traffic in order to ensure that when a new system is installed, there is no disruption to legitimate flows. To improve upon this situation it is proposed that a system facilitating network traffic analysis and firewall rule set generation is developed.
- Full Text:
- Date Issued: 2009
Evaluating text preprocessing to improve compression on maillogs
- Otten, Fred, Irwin, Barry V W, Thinyane, Hannah
- Authors: Otten, Fred , Irwin, Barry V W , Thinyane, Hannah
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430138 , vital:72668 , https://doi.org/10.1145/1632149.1632157
- Description: Maillogs contain important information about mail which has been sent or received. This information can be used for statistical purposes, to help prevent viruses or to help prevent SPAM. In order to satisfy regulations and follow good security practices, maillogs need to be monitored and archived. Since there is a large quantity of data, some form of data reduction is necessary. Data compression programs such as gzip and bzip2 are commonly used to reduce the quantity of data. Text preprocessing can be used to aid the compression of English text files. This paper evaluates whether text preprocessing, particularly word replacement, can be used to improve the compression of maillogs. It presents an algorithm for constructing a dictionary for word replacement and provides the results of experiments conducted using the ppmd, gzip, bzip2 and 7zip programs. These tests show that text preprocessing improves data compression on maillogs. Improvements of up to 56 percent in compression time and up to 32 percent in compression ratio are achieved. It also shows that a dictionary may be generated and used on other maillogs to yield reductions within half a percent of the results achieved for the maillog used to generate the dictionary.
- Full Text:
- Date Issued: 2009
Extending the NFComms: framework for bulk data transfers
- Nottingham, Alastair, Irwin, Barry V W
- Authors: Nottingham, Alastair , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430164 , vital:72670 , https://doi.org/10.1145/1632149.1632170
- Description: Packet analysis is an important aspect of network security, which typically relies on a flexible packet filtering system to extrapolate important packet information from each processed packet. Packet analysis is a computationally intensive, highly parallelisable task, and as such, classification of large packet sets, such as those collected by a network telescope, can require significant processing time. We wish to improve upon this, through parallel classification on a GPU. In this paper, we first consider the OpenCL architecture and its applicability to packet analysis. We then introduce a number of packet demultiplexing and routing algorithms, and finally present a discussion on how some of these techniques may be leveraged within a GPGPU context to improve packet classification speeds.
- Full Text:
- Date Issued: 2009
gpf: A GPU accelerated packet classification tool
- Nottingham, Alastair, Irwin, Barry V W
- Authors: Nottingham, Alastair , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428103 , vital:72486 , https://d1wqtxts1xzle7.cloudfront.net/67098560/gPF_A_GPU_Accelerated_Packet_Classificat20210505-17707-zqqa4s.pdf?1620201469=andresponse-content-disposi-tion=inline%3B+filename%3DgPF_A_GPU_Accelerated_Packet_Classificat.pdfandExpires=1714733902andSignature=NQ~1DjH1XOuqF8u1Yq74XyG7kp~y0II81vu40SuWO2GQhSgToTHC7ynbAoP3MGv9do~bX1PCAp2Z2TCKUVHT7CmYNRxDmnpk5G4kefH--0VotMHVtFnHnf5Q9nhrp0MIgSxEhncOrlRx5K5sRhlLkyfDib3RS8Y8vu~FIPvm1DaZrfqCZSpXKmHh9r1etybRBRtUokzayPtgbhE41bQtW9wI8J4-JTQ9doyNC-JflFuEfUnhv5Phf45lr7TALm8G8nGZBp3z9-nSLZDxls2mvvVIANCdutyOMDnMDadGoqjIB2wYwUy~Fm424ZWj7fF89Ytj9xqIU63H4NFE2HodtQ__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: This paper outlines the design of gPF, a fast packet classifier optimised for parallel execution on current generation commodity graphics hardware. Specifically, gPF leverages the potential for both the parallel classification of packets at runtime, and the use of evolutionary mechanisms, in the form of a GP-GPU genetic algorithm to produce contextually optimised filter permutations in order to reduce redundancy and improve the per-packet throughput rate of the resultant filter program. This paper demonstrates that these optimisations have significant potential for improving packet classification speeds, particularly with regard to bulk packet processing and saturated network environments.
- Full Text:
- Date Issued: 2009
Investigating the effect of Genetic Algorithms on Filter Optimisation Within Fast Packet Classifiers
- Nottingham, Alastair, Irwin, Barry V W
- Authors: Nottingham, Alastair , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428674 , vital:72528 , https://www.researchgate.net/profile/Marijke-Coet-zee/publication/220803190_A_Framework_for_Web_Services_Security_Policy_Negotiation/links/0fcfd50f7d806aafc8000000/A-Framework-for-Web-Services-Security-Policy-Negotiation.pdf#page=119
- Description: Packet demultiplexing and analysis is a core concern for network security, and has hence inspired numerous optimisation attempts since their conception in early packet demultiplexing filters such as CSPF and BPF. These optimisations have generally, but not exclusively, focused on improving the speed of packet classification. Despite these improvements however, packet filters require further optimisation in order to be effectively applied within next generation networks. One identified optimisation is that of reducing the average path length of the global filter by selecting an optimum filter permutation. Since redundant code generation does not change the order of computation, the initial filter order before filter optimisation affects the average path length of the resultant control-flow graph, thus selection of an optimum permutation of filters could provide significant performance improvements. Unfortunately, this problem is NP-Complete. In this paper, we consider using Genetic Algorithms to 'breed' an optimum filter permutation prior to redundant code elimination. Specifically, we aim to evaluate the effectiveness of such an optimisation in reducing filter control flow graphs.
- Full Text:
- Date Issued: 2009
Management, Processing and Analysis of Cryptographic Network Protocols
- Cowie, Bradley, Irwin, Barry V W, Barnett, Richard J
- Authors: Cowie, Bradley , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428687 , vital:72529 , https://d1wqtxts1xzle7.cloudfront.net/30968790/ISSA2009Proceedings-libre.pdf?1393060231=andresponse-content-disposi-tion=inline%3B+filename%3DAN_ANALYSIS_OF_AUTHENTICATION_FOR_PASSIV.pdfandExpires=1714732172andSignature=Ei8RhR2pCSUNGCNE40DugEyFamcyTxPuuRq9gslD~WGlNqPEgG3FL7VFRQCKXhZBWyAfGRjMtBmNDJ7Sjsgex12WxW9Fj8XdpB7Bfz23FuLc-t2YRM-2joKOHJQLxWJlfZiOzxDvVGZeM3zCHj~f3NUeY1~n6PtVtLzNdL8glIg5dzDTTIE6ms2YlxmnO6JvlzQwOWdHaUbHsZzMGOV19UPtBk-UJzHSq3NRyPe4-XNZQLNK-mEEcMGsLk6nkyXIsW2QJ7gtKW1nNkr6EMkAGSOnDai~pSqzb2imspMnlPRigAPPISrNHO79rP51H9bu1WvbRZv1KVkGvM~sRmfl28A__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA#page=499
- Description: The use of cryptographic protocols as a means to provide security to web servers and services at the transport layer, by providing both encryption and authentication to data transfer, has become increasingly popular. However, we note that it is rather difficult to perform legitimate analysis, intrusion detection and debugging on cryptographic protocols, as the data that passes through is encrypted. In this paper we assume that we have legitimate access to the data and that we have the private key used in transactions and thus we will be able to decrypt the data. The objective is to produce a suitable application framework that allows for easy recovery and secure storage of cryptographic keys; including appropriate tools to decapsulate traffic and to decrypt live packet streams or precaptured traffic contained in PCAP files. The resultant processing will then be able to provide a clear-text stream which can be used for further analysis.
- Full Text:
- Date Issued: 2009
Passive Traffic Inspection for Automated Firewall Rule Set Generation
- Pranschke, Georg-Christian, Irwin, Barry V W, Barnett, Richard J
- Authors: Pranschke, Georg-Christian , Irwin, Barry V W , Barnett, Richard J
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428114 , vital:72487 , https://d1wqtxts1xzle7.cloudfront.net/49200001/Automated_Firewall_Rule_Set_Generation_T20160928-12076-1n830lx-libre.pdf?1475130103=andresponse-content-disposi-tion=inline%3B+filename%3DAutomated_Firewall_Rule_Set_Generation_T.pdfandExpires=1714733377andSignature=Q0miMvZNpP7c60n42m54TvFG4hIdujVJBilbpvDKquBk54RPwU22pH6-40mpmOxIFBllKUmOgZfS9SwzuiANn-AZ2bhAELyZmf2bJ5MgceaYH5wnPjX9VzP04C2BACzhO5YutUfwkysburUx-zNdiemSofx2p1DwOszXaJNauYdP8RcHQmFl8aOnkoc3kmU02eKz8WiQISntJtu5Gpo8txP-Z6f1BEzvlVGd432tndhRwpsEVWGW43~oXsdaWQu72S8pTakgKPREqaD7CUHKMXiiUBfuiSj1nFo2n4xZQlFHqbMT7TAYzBPM0GObe~kBe5s2nY6dnOMUKUsSaeTUtqA__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: The introduction of network filters and chokes such as firewalls in existing operational networks is often problematic, due to considerations that need to be made to minimise the interruption of existent legitimate traffic. This often necessitates the time consuming manual analysis of network traffic over a period of time in order to generate and vet the rule bases to minimise disruption of legitimate flows. To improve upon this, a system facilitating network traffic analysis and firewall rule set generation is proposed. The system shall be capable of dealing with the ever increasing traffic volumes and help to provide and maintain high uptimes. A high level overview of the design of the components is presented. Additions to the system are scoring metrics which may assist the administrator to optimise the rule sets for the most efficient matching of flows, based on traffic volume, frequency or packet count. A third party package, Firewall Builder, is used to target the resultant rule sets to a number of different firewall and network filtering platforms.
- Full Text:
- Date Issued: 2009
Performance Effects of Concurrent Virtual Machine Execution in VMware Workstation 6
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429966 , vital:72655 , https://doi.org/10.1007/978-90-481-3660-5_56
- Description: The recent trend toward virtualized computing, both as a means of server consolidation and as a powerful desktop computing tool, has led to a wide variety of studies into the performance of hypervisor products. This study has investigated the scalability of VMware Workstation 6 on the desktop platform. We present comparative performance results for the concurrent execution of a number of virtual machines. A thorough statistical analysis of the performance results highlights the performance trends of different numbers of concurrent virtual machines and concludes that VMware Workstation can scale in certain contexts. We find that there are different performance benefits dependent on the application and that memory-intensive applications perform less effectively than those applications which are IO-intensive. We also find that running concurrent virtual machines offers a significant performance decrease, but that the drop thereafter is less significant.
- Full Text:
- Date Issued: 2009
Rich Representation and Visualisation of Time-Series Data
- Kerr, Simon, Foster, Gregory G, Irwin, Barry V W
- Authors: Kerr, Simon , Foster, Gregory G , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428130 , vital:72488 , https://www.researchgate.net/profile/Barry-Irwin/publication/265821926_Rich_Representation_and_Visualisation_of_Time-Series_Data/links/5548a1350cf26a7bf4daefb1/Rich-Representation-and-Visualisation-of-Time-Series-Data.pdf
- Description: Currently the majority of data is visualized using static graphs and tables. However, static graphs still leave much to be desired and provide only a small insight into trends and changes between values. We propose a move away from purely static representations of data towards a more fluid and understandable environment for data representation. This is achieved through the use of an application which animates time-based data. Animating time-based data allows one to see nuances within a dataset from a more comprehensive perspective. This is especially useful within the time-based, data-rich telecommunications industry. The application comprises two parts: the backend manages raw data, which is then passed to the frontend for animation. A play function allows one to play through a time series, which creates a fluid and dynamic environment for exploring data. Both the advantages and disadvantages of this approach are investigated and an application is introduced which can be used to animate and explore datasets.
- Full Text:
- Date Issued: 2009
A Canonical Implementation Of The Advanced Encryption Standard On The Graphics Processing Unit
- Pilkington, Nick, Irwin, Barry V W
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430007 , vital:72659 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/47.pdf
- Description: This paper will present an implementation of the Advanced Encryption Standard (AES) on the graphics processing unit (GPU). It investigates the ease of implementation from first principles and the difficulties encountered. It also presents a performance analysis to evaluate if the GPU is a viable option for a cryptographic platform. The AES implementation is found to yield orders of magnitude increased performance when compared to CPU-based implementations. Although the implementation introduces complications, these are quickly becoming mitigated by the growing accessibility provided by general-purpose programming on graphics processing units (GPGPU) frameworks like NVIDIA's Compute Unified Device Architecture (CUDA) and AMD/ATI's Close to Metal (CTM).
- Full Text:
- Date Issued: 2008
An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428156 , vital:72490 , https://www.researchgate.net/profile/Barry-Irwin/publication/326225058_An_Analysis_of_Network_Scanning_Traffic_as_it_relates_to_Scan-Detection_in_Network_Intrusion_Detection_Systems/links/5b3f21eaa6fdcc8506ffe659/An-Analysis-of-Network-Scanning-Traffic-as-it-relates-to-Scan-Detection-in-Network-Intrusion-Detection-Systems.pdf
- Description: Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever-present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner. Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.
- Full Text:
- Date Issued: 2008
An Evaluation Of Scan-Detection Algorithms In Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428701 , vital:72530 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/29.pdf
- Description: Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro's scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro. This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.
- Full Text:
- Date Issued: 2008
An Investigation into the Performance of General Sorting on Graphics Processing Units
- Pilkington, Nick, Irwin, Barry V W
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429881 , vital:72648 , https://doi.org/10.1007/978-1-4020-8741-7_65
- Description: Sorting is a fundamental operation in computing and there is a constant need to push the boundaries of performance with different sorting algorithms. With the advent of the programmable graphics pipeline, the parallel nature of graphics processing units has been exposed, allowing programmers to take advantage of it. By transforming the way that data is represented and operated on, parallel sorting algorithms can be implemented on graphics processing units where previously only graphics processing could be performed. This paradigm of programming exhibits potentially large speedups for algorithms.
- Full Text:
- Date Issued: 2008
Guidelines for Constructing Robust Discrete-Time Computer Network Simulations
- Richter, John, Irwin, Barry V W
- Authors: Richter, John , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429896 , vital:72649 , https://doi.org/10.1007/978-1-4020-8737-0_69
- Description: Developing network simulations is a complex task that is often performed in research and testing. The components required to build a network simulator are common to many solutions. In order to expedite further simulation development, these components have been outlined and detailed in this paper. The process for generating and using these components is then detailed, and an example of a simulator that has been implemented using this system is described.
- Full Text:
- Date Issued: 2008
High level internet scale traffic visualization using Hilbert curve mapping
- Irwin, Barry V W, Pilkington, Nick
- Authors: Irwin, Barry V W , Pilkington, Nick
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429911 , vital:72650 , https://doi.org/10.1007/978-3-540-78243-8_10
- Description: A high-level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparison of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.
- Full Text:
- Date Issued: 2008