A Baseline Numeric Analysis of Network Telescope Data for Network Incident Discovery
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427971 , vital:72477 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: This paper investigates the value of Network Telescope data as a mechanism for network incident discovery by considering data summa-rization, simple heuristic identification and deviations from previously observed traffic distributions. It is important to note that the traffic ob-served is obtained from a Network Telescope and thus does not expe-rience the same fluctuations or vagaries experienced by normal traffic. The datasets used for this analysis were obtained from a Network Tele-scope for the time period August 2005 to September 2009 which had been allocated a Class-C network address block at Rhodes University. The nature of the datasets were considered in terms of simple statistical measures obtained through data summarization which greatly reduced the processing and observation required to determine whether an inci-dent had occurred. However, this raised issues relating to the time in-terval used for identification of an incident. A brief discussion into statis-tical summaries of Network Telescope data as" good" security metrics is provided. The summaries derived were then used to seek for signs of anomalous network activity. Anomalous activity detected was then rec-onciled by considering incidents that had occurred in the same or simi-lar time interval. Incidents identified included Conficker, Win32. RinBot, DDoS and Norton Netware vulnerabilities. Detection techniques includ-ed identification of rapid growth in packet count, packet size deviations, changes in the composition of the traffic expressed as a ratio of its constituents and changes in the modality of the data. Discussion into the appropriateness of this sort of manual analysis is provided and suggestions towards an automated solution are discussed.
- Full Text:
- Date Issued: 2011
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427971 , vital:72477 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: This paper investigates the value of Network Telescope data as a mechanism for network incident discovery by considering data summa-rization, simple heuristic identification and deviations from previously observed traffic distributions. It is important to note that the traffic ob-served is obtained from a Network Telescope and thus does not expe-rience the same fluctuations or vagaries experienced by normal traffic. The datasets used for this analysis were obtained from a Network Tele-scope for the time period August 2005 to September 2009 which had been allocated a Class-C network address block at Rhodes University. The nature of the datasets were considered in terms of simple statistical measures obtained through data summarization which greatly reduced the processing and observation required to determine whether an inci-dent had occurred. However, this raised issues relating to the time in-terval used for identification of an incident. A brief discussion into statis-tical summaries of Network Telescope data as" good" security metrics is provided. The summaries derived were then used to seek for signs of anomalous network activity. Anomalous activity detected was then rec-onciled by considering incidents that had occurred in the same or simi-lar time interval. Incidents identified included Conficker, Win32. RinBot, DDoS and Norton Netware vulnerabilities. Detection techniques includ-ed identification of rapid growth in packet count, packet size deviations, changes in the composition of the traffic expressed as a ratio of its constituents and changes in the modality of the data. Discussion into the appropriateness of this sort of manual analysis is provided and suggestions towards an automated solution are discussed.
- Full Text:
- Date Issued: 2011
A baseline study of potentially malicious activity across five network telescopes
- Authors: Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429714 , vital:72634 , https://ieeexplore.ieee.org/abstract/document/6568378
- Description: +This paper explores the Internet Background Radiation (IBR) observed across five distinct network telescopes over a 15 month period. These network telescopes consisting of a /24 netblock each and are deployed in IP space administered by TENET, the tertiary education network in South Africa covering three numerically distant /8 network blocks. The differences and similarities in the observed network traffic are explored. Two anecdotal case studies are presented relating to the MS08-067 and MS12-020 vulnerabilities in the Microsoft Windows platforms. The first of these is related to the Conficker worm outbreak in 2008, and traffic targeting 445/tcp remains one of the top constituents of IBR as observed on the telescopes. The case of MS12-020 is of interest, as a long period of scanning activity targeting 3389/tcp, used by the Microsoft RDP service, was observed, with a significant drop on activity relating to the release of the security advisory and patch. Other areas of interest are highlighted, particularly where correlation in scanning activity was observed across the sensors. The paper concludes with some discussion on the application of network telescopes as part of a cyber-defence solution.
- Full Text:
- Date Issued: 2013
- Authors: Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429714 , vital:72634 , https://ieeexplore.ieee.org/abstract/document/6568378
- Description: +This paper explores the Internet Background Radiation (IBR) observed across five distinct network telescopes over a 15 month period. These network telescopes consisting of a /24 netblock each and are deployed in IP space administered by TENET, the tertiary education network in South Africa covering three numerically distant /8 network blocks. The differences and similarities in the observed network traffic are explored. Two anecdotal case studies are presented relating to the MS08-067 and MS12-020 vulnerabilities in the Microsoft Windows platforms. The first of these is related to the Conficker worm outbreak in 2008, and traffic targeting 445/tcp remains one of the top constituents of IBR as observed on the telescopes. The case of MS12-020 is of interest, as a long period of scanning activity targeting 3389/tcp, used by the Microsoft RDP service, was observed, with a significant drop on activity relating to the release of the security advisory and patch. Other areas of interest are highlighted, particularly where correlation in scanning activity was observed across the sensors. The paper concludes with some discussion on the application of network telescopes as part of a cyber-defence solution.
- Full Text:
- Date Issued: 2013
A Canonical Implementation Of The Advanced Encryption Standard On The Graphics Processing Unit
- Pilkington, Nick, Irwin, Barry V W
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430007 , vital:72659 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/47.pdf
- Description: This paper will present an implementation of the Advanced Encryption Standard (AES) on the graphics processing unit (GPU). It investigates the ease of implementation from first principles and the difficulties encountered. It also presents a performance analysis to evaluate if the GPU is a viable option for a cryptographics platform. The AES implementation is found to yield orders of maginitude increased performance when compared to CPU based implementations. Although the implementation introduces complica-tions, these are quickly becoming mitigated by the growing accessibility pro-vided by general programming on graphics processing units (GPGPU) frameworks like NVIDIA’s Compute Uniform Device Architechture (CUDA) and AMD/ATI’s Close to Metal (CTM).
- Full Text:
- Date Issued: 2008
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430007 , vital:72659 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/47.pdf
- Description: This paper will present an implementation of the Advanced Encryption Standard (AES) on the graphics processing unit (GPU). It investigates the ease of implementation from first principles and the difficulties encountered. It also presents a performance analysis to evaluate if the GPU is a viable option for a cryptographics platform. The AES implementation is found to yield orders of maginitude increased performance when compared to CPU based implementations. Although the implementation introduces complica-tions, these are quickly becoming mitigated by the growing accessibility pro-vided by general programming on graphics processing units (GPGPU) frameworks like NVIDIA’s Compute Uniform Device Architechture (CUDA) and AMD/ATI’s Close to Metal (CTM).
- Full Text:
- Date Issued: 2008
A Comparison Of The Resource Requirements Of Snort And Bro In Production Networks
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430040 , vital:72661 , https://www.iadisportal.org/applied-computing-2009-proceedings
- Description: Intrusion Detection is essential in modern networking. However, with the increas-ing load on modern networks, the resource requirements of NIDS are significant. This paper explores and compares the requirements of Snort and Bro, and finds that Snort is more efficient at processing network traffic than Bro. It also finds that both systems are capable of analysing current network loads on commodity hardware, but may be unable to do so for higher bandwidth networks. This is ben-eficial in a South African context due to the increasing international bandwidth that will come online with the launch of the SEACOM Cable, and local projects such as SANREN.
- Full Text:
- Date Issued: 2009
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430040 , vital:72661 , https://www.iadisportal.org/applied-computing-2009-proceedings
- Description: Intrusion Detection is essential in modern networking. However, with the increas-ing load on modern networks, the resource requirements of NIDS are significant. This paper explores and compares the requirements of Snort and Bro, and finds that Snort is more efficient at processing network traffic than Bro. It also finds that both systems are capable of analysing current network loads on commodity hardware, but may be unable to do so for higher bandwidth networks. This is ben-eficial in a South African context due to the increasing international bandwidth that will come online with the launch of the SEACOM Cable, and local projects such as SANREN.
- Full Text:
- Date Issued: 2009
A computer network attack taxonomy and ontology
- Van Heerden, Renier P, Irwin, Barry V W, Burke, Ivan D, Leenen, Louise
- Authors: Van Heerden, Renier P , Irwin, Barry V W , Burke, Ivan D , Leenen, Louise
- Date: 2012
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430064 , vital:72663 , DOI: 10.4018/ijcwt.2012070102
- Description: Computer network attacks differ in the motivation of the entity behind the attack, the execution and the end result. The diversity of attacks has the consequence that no standard classification ex-ists. The benefit of automated classification of attacks, means that an attack could be mitigated accordingly. The authors extend a previous, initial taxonomy of computer network attacks which forms the basis of a proposed network attack ontology in this pa-per. The objective of this ontology is to automate the classifica-tion of a network attack during its early stages. Most published taxonomies present an attack from either the attacker's or defend-er's point of view. The authors' taxonomy presents both these points of view. The framework for an ontology was developed using a core class, the "Attack Scenario", which can be used to characterize and classify computer network attacks.
- Full Text:
- Date Issued: 2012
- Authors: Van Heerden, Renier P , Irwin, Barry V W , Burke, Ivan D , Leenen, Louise
- Date: 2012
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430064 , vital:72663 , DOI: 10.4018/ijcwt.2012070102
- Description: Computer network attacks differ in the motivation of the entity behind the attack, the execution and the end result. The diversity of attacks has the consequence that no standard classification ex-ists. The benefit of automated classification of attacks, means that an attack could be mitigated accordingly. The authors extend a previous, initial taxonomy of computer network attacks which forms the basis of a proposed network attack ontology in this pa-per. The objective of this ontology is to automate the classifica-tion of a network attack during its early stages. Most published taxonomies present an attack from either the attacker's or defend-er's point of view. The authors' taxonomy presents both these points of view. The framework for an ontology was developed using a core class, the "Attack Scenario", which can be used to characterize and classify computer network attacks.
- Full Text:
- Date Issued: 2012
A Digital Forensic investigative model for business organisations
- Forrester, Jock, Irwin, Barry V W
- Authors: Forrester, Jock , Irwin, Barry V W
- Date: 2007
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430078 , vital:72664 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228783555_A_Digital_Forensic_investigative_model_for_business_organisations/links/53e9c5e80cf28f342f414987/A-Digital-Forensic-investigative-model-for-business-organisations.pdf
- Description: When a digital incident occurs there are generally three courses of ac-tions that are taken, generally dependant on the type of organisation within which the incident occurs, or which is responding the event. In the case of law enforcement the priority is to secure the crime scene, followed by the identification of evidentiary sources which should be dispatched to a specialist laboratory for analysis. In the case of an inci-dent military (or similar critical infrastructures) infrastructure the primary goal becomes one of risk identification and elimination, followed by re-covery and possible offensive measures. Where financial impact is caused by an incident, and revenue earning potential is adversely af-fected, as in the case of most commercial organisations), root cause analysis, and system remediation is of primary concern, with in-depth analysis of the how and why left until systems have been restored.
- Full Text:
- Date Issued: 2007
- Authors: Forrester, Jock , Irwin, Barry V W
- Date: 2007
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430078 , vital:72664 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228783555_A_Digital_Forensic_investigative_model_for_business_organisations/links/53e9c5e80cf28f342f414987/A-Digital-Forensic-investigative-model-for-business-organisations.pdf
- Description: When a digital incident occurs there are generally three courses of ac-tions that are taken, generally dependant on the type of organisation within which the incident occurs, or which is responding the event. In the case of law enforcement the priority is to secure the crime scene, followed by the identification of evidentiary sources which should be dispatched to a specialist laboratory for analysis. In the case of an inci-dent military (or similar critical infrastructures) infrastructure the primary goal becomes one of risk identification and elimination, followed by re-covery and possible offensive measures. Where financial impact is caused by an incident, and revenue earning potential is adversely af-fected, as in the case of most commercial organisations), root cause analysis, and system remediation is of primary concern, with in-depth analysis of the how and why left until systems have been restored.
- Full Text:
- Date Issued: 2007
A Discussion Of Wireless Security Technologies
- Janse van Rensburg, Johanna, Irwin, Barry V W
- Authors: Janse van Rensburg, Johanna , Irwin, Barry V W
- Date: 2006
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429852 , vital:72645 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228864029_A_DISCUSSION_OF_WIRELESS_SECURITY_TECHNOLOGIES/links/53e9c5190cf28f342f41492b/A-DISCUSSION-OF-WIRELESS-SECURITY-TECHNOLOGIES.pdf
- Description: The 802.11 standard contains a number of problems, ranging from in-terference, co-existence issues, exposed terminal problems and regula-tions to security. Despite all of these it has become a widely deployed technology as an extension of companies’ networks to provide mobility. In this paper the focus will be on the security issues of 802.11. Several solutions for the deployment of 802.11 security exists today, ranging from WEP, WPA, VPN and 802.11 i, each providing a different level of security. These technologies contain pros and cons which need to be understood in order to implement an appropriate solution suited to a specific scenario.
- Full Text:
- Date Issued: 2006
- Authors: Janse van Rensburg, Johanna , Irwin, Barry V W
- Date: 2006
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429852 , vital:72645 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228864029_A_DISCUSSION_OF_WIRELESS_SECURITY_TECHNOLOGIES/links/53e9c5190cf28f342f41492b/A-DISCUSSION-OF-WIRELESS-SECURITY-TECHNOLOGIES.pdf
- Description: The 802.11 standard contains a number of problems, ranging from in-terference, co-existence issues, exposed terminal problems and regula-tions to security. Despite all of these it has become a widely deployed technology as an extension of companies’ networks to provide mobility. In this paper the focus will be on the security issues of 802.11. Several solutions for the deployment of 802.11 security exists today, ranging from WEP, WPA, VPN and 802.11 i, each providing a different level of security. These technologies contain pros and cons which need to be understood in order to implement an appropriate solution suited to a specific scenario.
- Full Text:
- Date Issued: 2006
A framework for DNS based detection and mitigation of malware infections on a network
- Stalmans, Etienne, Irwin, Barry V W
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2011
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429827 , vital:72642 , 10.1109/ISSA.2011.6027531
- Description: Modern botnet trends have lead to the use of IP and domain fast-fluxing to avoid detection and increase resilience. These techniques bypass traditional detection systems such as blacklists and intrusion detection systems. The Domain Name Service (DNS) is one of the most prevalent protocols on modern networks and is essential for the correct operation of many network activities, including botnet activity. For this reason DNS forms the ideal candidate for monitoring, detecting and mit-igating botnet activity. In this paper a system placed at the network edge is developed with the capability to detect fast-flux domains using DNS queries. Multiple domain features were examined to determine which would be most effective in the classification of domains. This is achieved using a C5.0 decision tree classifier and Bayesian statistics, with positive samples being labeled as potentially malicious and nega-tive samples as legitimate domains. The system detects malicious do-main names with a high degree of accuracy, minimising the need for blacklists. Statistical methods, namely Naive Bayesian, Bayesian, Total Variation distance and Probability distribution are applied to detect mali-cious domain names. The detection techniques are tested against sample traffic and it is shown that malicious traffic can be detected with low false positive rates.
- Full Text:
- Date Issued: 2011
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2011
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429827 , vital:72642 , 10.1109/ISSA.2011.6027531
- Description: Modern botnet trends have lead to the use of IP and domain fast-fluxing to avoid detection and increase resilience. These techniques bypass traditional detection systems such as blacklists and intrusion detection systems. The Domain Name Service (DNS) is one of the most prevalent protocols on modern networks and is essential for the correct operation of many network activities, including botnet activity. For this reason DNS forms the ideal candidate for monitoring, detecting and mit-igating botnet activity. In this paper a system placed at the network edge is developed with the capability to detect fast-flux domains using DNS queries. Multiple domain features were examined to determine which would be most effective in the classification of domains. This is achieved using a C5.0 decision tree classifier and Bayesian statistics, with positive samples being labeled as potentially malicious and nega-tive samples as legitimate domains. The system detects malicious do-main names with a high degree of accuracy, minimising the need for blacklists. Statistical methods, namely Naive Bayesian, Bayesian, Total Variation distance and Probability distribution are applied to detect mali-cious domain names. The detection techniques are tested against sample traffic and it is shown that malicious traffic can be detected with low false positive rates.
- Full Text:
- Date Issued: 2011
A Framework for DNS Based Detection of Botnets at the ISP Level
- Stalmans, Etienne, Irwin, Barry V W
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427984 , vital:72478 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622932_A_Framework_for_DNS_Based_Detection_of_Botnets_at_the_ISP_Level/links/5b9a14e1458515310583fc19/A-Framework-for-DNS-Based-Detection-of-Botnets-at-the-ISP-Level.pdf
- Description: The rapid expansion of networks and increase in internet connected devices has lead to a large number of hosts susceptible to virus infec-tion. Infected hosts are controlled by attackers and form so called bot-nets. These botnets are used to steal data, mask malicious activity and perform distributed denial of service attacks. Traditional protection mechanisms rely on host based detection of viruses. These systems are failing due to the rapid increase in the number of vulnerable hosts and attacks that easily bypass detection mechanisms. This paper pro-poses moving protection from the individual hosts to the Internet Ser-vice Provider (ISP), allowing for the detection and prevention of botnet traffic. DNS traffic inspection allows for the development of a lightweight and accurate classifier that has little or no effect on network perfor-mance. By preventing botnet activity at the ISP level, it is hoped that the threat of botnets can largely be mitigated.
- Full Text:
- Date Issued: 2011
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427984 , vital:72478 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622932_A_Framework_for_DNS_Based_Detection_of_Botnets_at_the_ISP_Level/links/5b9a14e1458515310583fc19/A-Framework-for-DNS-Based-Detection-of-Botnets-at-the-ISP-Level.pdf
- Description: The rapid expansion of networks and increase in internet connected devices has lead to a large number of hosts susceptible to virus infec-tion. Infected hosts are controlled by attackers and form so called bot-nets. These botnets are used to steal data, mask malicious activity and perform distributed denial of service attacks. Traditional protection mechanisms rely on host based detection of viruses. These systems are failing due to the rapid increase in the number of vulnerable hosts and attacks that easily bypass detection mechanisms. This paper pro-poses moving protection from the individual hosts to the Internet Ser-vice Provider (ISP), allowing for the detection and prevention of botnet traffic. DNS traffic inspection allows for the development of a lightweight and accurate classifier that has little or no effect on network perfor-mance. By preventing botnet activity at the ISP level, it is hoped that the threat of botnets can largely be mitigated.
- Full Text:
- Date Issued: 2011
A Framework for the Rapid Development of Anomaly Detection Algorithms in Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428644 , vital:72526 , https://www.researchgate.net/profile/Johan-Van-Niekerk-2/publication/220803295_E-mail_Security_awareness_at_Nelson_Mandela_Metropolitan_University_Registrar's_Division/links/0deec51909304b0ed8000000/E-mail-Security-awareness-at-Nelson-Mandela-Metropolitan-University-Registrars-Division.pdf#page=289
- Description: Most current Network Intrusion Detection Systems (NIDS) perform de-tection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the sys-tem to deploy new algorithms.
- Full Text:
- Date Issued: 2009
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428644 , vital:72526 , https://www.researchgate.net/profile/Johan-Van-Niekerk-2/publication/220803295_E-mail_Security_awareness_at_Nelson_Mandela_Metropolitan_University_Registrar's_Division/links/0deec51909304b0ed8000000/E-mail-Security-awareness-at-Nelson-Mandela-Metropolitan-University-Registrars-Division.pdf#page=289
- Description: Most current Network Intrusion Detection Systems (NIDS) perform de-tection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the sys-tem to deploy new algorithms.
- Full Text:
- Date Issued: 2009
A Framework for the Static Analysis of Malware focusing on Signal Processing Techniques
- Zeisberger, Sascha, Irwin, Barry V W
- Authors: Zeisberger, Sascha , Irwin, Barry V W
- Date: 2012
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427914 , vital:72473 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622833_A_Framework_for_the_Static_Analysis_of_Mal-ware_focusing_on_Signal_Processing_Techniques/links/5b9a1396a6fdcc59bf8dfc87/A-Framework-for-the-Static-Analysis-of-Malware-focusing-on-Signal-Processing-Techniques.pdf
- Description: The information gathered through conventional static analysis of malicious binaries has become increasingly limited. This is due to the rate at which new malware is being created as well as the increasingly complex methods employed to obfuscating these binaries. This paper discusses the development of a framework to analyse malware using signal processing techniques, the initial iteration of which focuses on common audio processing techniques such as Fourier transforms. The aim of this research is to identify characteristics of malware and the encryption methods used to obfuscate malware. This is achieved through the analysis of their binary structure, potentially providing an additional metric for autonomously fingerprinting malware.
- Full Text:
- Date Issued: 2012
- Authors: Zeisberger, Sascha , Irwin, Barry V W
- Date: 2012
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427914 , vital:72473 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622833_A_Framework_for_the_Static_Analysis_of_Mal-ware_focusing_on_Signal_Processing_Techniques/links/5b9a1396a6fdcc59bf8dfc87/A-Framework-for-the-Static-Analysis-of-Malware-focusing-on-Signal-Processing-Techniques.pdf
- Description: The information gathered through conventional static analysis of malicious binaries has become increasingly limited. This is due to the rate at which new malware is being created as well as the increasingly complex methods employed to obfuscating these binaries. This paper discusses the development of a framework to analyse malware using signal processing techniques, the initial iteration of which focuses on common audio processing techniques such as Fourier transforms. The aim of this research is to identify characteristics of malware and the encryption methods used to obfuscate malware. This is achieved through the analysis of their binary structure, potentially providing an additional metric for autonomously fingerprinting malware.
- Full Text:
- Date Issued: 2012
A fuzz testing framework for evaluating and securing network applications
- Zeisberger, Sascha, Irwin, Barry V W
- Authors: Zeisberger, Sascha , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428000 , vital:72479 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622655_A_Fuzz_Testing_Framework_for_Evaluating_and_Securing_Network_Applications/links/5b9a153b92851c4ba8181b0d/A-Fuzz-Testing-Framework-for-Evaluating-and-Securing-Network-Applications.pdf
- Description: Research has shown that fuzz-testing is an effective means of increasing the quality and security of software and systems. This project proposes the im-plementation of a testing framework based on numerous fuzz-testing tech-niques. The framework will allow a user to detect errors in applications and locate critical areas in the applications that are responsible for the detected errors. The aim is to provide an all-encompassing testing framework that will allow a developer to quickly and effectively deploy fuzz tests on an applica-tion and ensure a higher level of quality control before deployment.
- Full Text:
- Date Issued: 2011
- Authors: Zeisberger, Sascha , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428000 , vital:72479 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622655_A_Fuzz_Testing_Framework_for_Evaluating_and_Securing_Network_Applications/links/5b9a153b92851c4ba8181b0d/A-Fuzz-Testing-Framework-for-Evaluating-and-Securing-Network-Applications.pdf
- Description: Research has shown that fuzz-testing is an effective means of increasing the quality and security of software and systems. This project proposes the im-plementation of a testing framework based on numerous fuzz-testing tech-niques. The framework will allow a user to detect errors in applications and locate critical areas in the applications that are responsible for the detected errors. The aim is to provide an all-encompassing testing framework that will allow a developer to quickly and effectively deploy fuzz tests on an applica-tion and ensure a higher level of quality control before deployment.
- Full Text:
- Date Issued: 2011
A geopolitical analysis of long term internet network telescope traffic
- Irwin, Barry V W, Pilkington, Nick, Barnett, Richard J, Friedman, Blake
- Authors: Irwin, Barry V W , Pilkington, Nick , Barnett, Richard J , Friedman, Blake
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428142 , vital:72489 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228848896_A_geopolitical_analysis_of_long_term_internet_network_telescope_traffic/links/53e9c5190cf2fb1b9b672aee/A-geopolitical-analysis-of-long-term-internet-network-telescope-traffic.pdf
- Description: This paper presents results form the analysis of twelve months of net-work telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are high-lighted. In particular the bulk of traffic analysed had its source in the China from a volume perspective, but Eastern United States, and North Western Europe were shown to be primary sources when the number of unique hosts were considered. Traffic from African states (South Af-rica in particular) was also found to be surprisingly high. This unex-pected result may be due to the network locality preference of many automated agents. Both statistical and graphical analysis are present-ed. It is found that a country with a high penetration of broadband con-nectivity is likley to feature highly in Network telescope traffic, as are networks logically close to the telescope network.
- Full Text:
- Date Issued: 2007
- Authors: Irwin, Barry V W , Pilkington, Nick , Barnett, Richard J , Friedman, Blake
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428142 , vital:72489 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228848896_A_geopolitical_analysis_of_long_term_internet_network_telescope_traffic/links/53e9c5190cf2fb1b9b672aee/A-geopolitical-analysis-of-long-term-internet-network-telescope-traffic.pdf
- Description: This paper presents results form the analysis of twelve months of net-work telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are high-lighted. In particular the bulk of traffic analysed had its source in the China from a volume perspective, but Eastern United States, and North Western Europe were shown to be primary sources when the number of unique hosts were considered. Traffic from African states (South Af-rica in particular) was also found to be surprisingly high. This unex-pected result may be due to the network locality preference of many automated agents. Both statistical and graphical analysis are present-ed. It is found that a country with a high penetration of broadband con-nectivity is likley to feature highly in Network telescope traffic, as are networks logically close to the telescope network.
- Full Text:
- Date Issued: 2007
A high-level architecture for efficient packet trace analysis on gpu co-processors
- Nottingham, Alastair, Irwin, Barry V W
- Authors: Nottingham, Alastair , Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429572 , vital:72623 , 10.1109/ISSA.2013.6641052
- Description: This paper proposes a high-level architecture to support efficient, massively parallel packet classification, filtering and analysis using commodity Graphics Processing Unit (GPU) hardware. The proposed architecture aims to provide a flexible and efficient parallel packet processing and analysis framework, supporting complex programmable filtering, data mining operations, statistical analysis functions and traffic visualisation, with minimal CPU overhead. In particular, this framework aims to provide a robust set of high-speed analysis functionality, in order to dramatically reduce the time required to process and analyse extremely large network traces. This architecture derives from initial research, which has shown GPU co-processors to be effective in accelerating packet classification to up to tera-bit speeds with minimal CPU overhead, far exceeding the bandwidth capacity between standard long term storage and the GPU device. This paper provides a high-level overview of the proposed architecture and its primary components, motivated by the results of prior research in the field.
- Full Text:
- Date Issued: 2013
- Authors: Nottingham, Alastair , Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429572 , vital:72623 , 10.1109/ISSA.2013.6641052
- Description: This paper proposes a high-level architecture to support efficient, massively parallel packet classification, filtering and analysis using commodity Graphics Processing Unit (GPU) hardware. The proposed architecture aims to provide a flexible and efficient parallel packet processing and analysis framework, supporting complex programmable filtering, data mining operations, statistical analysis functions and traffic visualisation, with minimal CPU overhead. In particular, this framework aims to provide a robust set of high-speed analysis functionality, in order to dramatically reduce the time required to process and analyse extremely large network traces. This architecture derives from initial research, which has shown GPU co-processors to be effective in accelerating packet classification to up to tera-bit speeds with minimal CPU overhead, far exceeding the bandwidth capacity between standard long term storage and the GPU device. This paper provides a high-level overview of the proposed architecture and its primary components, motivated by the results of prior research in the field.
- Full Text:
- Date Issued: 2013
A kernel-driven framework for high performance internet routing simulation
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429585 , vital:72624 , 10.1109/ISSA.2013.6641048
- Description: The ability to provide the simulation of packets traversing an internet path is an integral part of providing realistic simulations for network training, and cyber defence exercises. This paper builds on previous work, and considers an in-kernel approach to solving the routing simulation problem. The inkernel approach is anticipated to allow the framework to be able to achieve throughput rates of 1GB/s or higher using commodity hardware. Processes that run outside the context of the kernel of most operating system require context switching to access hardware and kernel modules. This leads to considerable delays in the processes, such as network simulators, that frequently access hardware such as hard disk accesses and network packet handling. To mitigate this problem, as experienced with earlier implementations, this research looks towards implementing a kernel module to handle network routing and simulation within a UNIX based system. This would remove delays incurred from context switching and allows for direct access to the hardware components of the host.
- Full Text:
- Date Issued: 2013
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2013
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429585 , vital:72624 , 10.1109/ISSA.2013.6641048
- Description: The ability to provide the simulation of packets traversing an internet path is an integral part of providing realistic simulations for network training, and cyber defence exercises. This paper builds on previous work, and considers an in-kernel approach to solving the routing simulation problem. The inkernel approach is anticipated to allow the framework to be able to achieve throughput rates of 1GB/s or higher using commodity hardware. Processes that run outside the context of the kernel of most operating system require context switching to access hardware and kernel modules. This leads to considerable delays in the processes, such as network simulators, that frequently access hardware such as hard disk accesses and network packet handling. To mitigate this problem, as experienced with earlier implementations, this research looks towards implementing a kernel module to handle network routing and simulation within a UNIX based system. This would remove delays incurred from context switching and allows for direct access to the hardware components of the host.
- Full Text:
- Date Issued: 2013
A multi-threading approach to secure VERIFYPIN
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises of using various mathematical operations along side a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes a more improved version of the pin-acceptance program by segmenting the pro-gram. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verified thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates it is able to be more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises of using various mathematical operations along side a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes a more improved version of the pin-acceptance program by segmenting the pro-gram. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verified thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates it is able to be more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
A netFlow scoring framework for incident detection
- Sweeney, Michael, Irwin, Barry V W
- Authors: Sweeney, Michael , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428301 , vital:72501 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9693/Sweeney_19662_2017.pdf?sequence=1andisAllowed=y
- Description: As networks have grown, so has the data available for monitoring and security purposes. This increase in volume has raised significant chal-lenges for administrators in terms of how to identify threats in amongst the large volumes of network traffic, a large part of which is often back-ground noise. In this paper we propose a framework for scoring and coding NetFlow data with security related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious po-tential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
- Full Text:
- Date Issued: 2017
- Authors: Sweeney, Michael , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428301 , vital:72501 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9693/Sweeney_19662_2017.pdf?sequence=1andisAllowed=y
- Description: As networks have grown, so has the data available for monitoring and security purposes. This increase in volume has raised significant chal-lenges for administrators in terms of how to identify threats in amongst the large volumes of network traffic, a large part of which is often back-ground noise. In this paper we propose a framework for scoring and coding NetFlow data with security related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious po-tential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
- Full Text:
- Date Issued: 2017
A network telescope perspective of the Conficker outbreak
- Authors: Irwin, Barry V W
- Date: 2012
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429728 , vital:72635 , 10.1109/ISSA.2012.6320455
- Description: This paper discusses a dataset of some 16 million packets targeting port 445/tcp collected by a network telescope utilising a /24 netblock in South African IP address space. An initial overview of the collected data is provided. This is followed by a detailed analysis of the packet characteristics observed, including size and TTL. The peculiarities of the observed target selection and the results of the flaw in the Conficker worm's propagation algorithm are presented. An analysis of the 4 million observed source hosts is reported by grouped by both packet counts and the number of distinct hosts per network address block. Address blocks of size /8, 16 and 24 are used for groupings. The localisation, by geographic region and numerical proximity, of high ranking aggregate netblocks is highlighted. The paper concludes with some overall analyses, and consideration of the application of network telescopes to the monitoring of such outbreaks in the future.
- Full Text:
- Date Issued: 2012
- Authors: Irwin, Barry V W
- Date: 2012
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429728 , vital:72635 , 10.1109/ISSA.2012.6320455
- Description: This paper discusses a dataset of some 16 million packets targeting port 445/tcp collected by a network telescope utilising a /24 netblock in South African IP address space. An initial overview of the collected data is provided. This is followed by a detailed analysis of the packet characteristics observed, including size and TTL. The peculiarities of the observed target selection and the results of the flaw in the Conficker worm's propagation algorithm are presented. An analysis of the 4 million observed source hosts is reported by grouped by both packet counts and the number of distinct hosts per network address block. Address blocks of size /8, 16 and 24 are used for groupings. The localisation, by geographic region and numerical proximity, of high ranking aggregate netblocks is highlighted. The paper concludes with some overall analyses, and consideration of the application of network telescopes to the monitoring of such outbreaks in the future.
- Full Text:
- Date Issued: 2012
A privacy and security threat assessment framework for consumer health wearables
- Mnjama, Javan, Foster, Gregory G, Irwin, Barry V W
- Authors: Mnjama, Javan , Foster, Gregory G , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429217 , vital:72568 , https://ieeexplore.ieee.org/abstract/document/8251776
- Description: Health data is important as it provides an individual with knowledge of the factors needed to be improved for oneself. The development of fitness trackers and their associated software aid consumers to understand the manner in which they may improve their physical wellness. These devices are capable of collecting health data for a consumer such sleeping patterns, heart rate readings or the number of steps taken by an individual. Although, this information is very beneficial to guide a consumer to a better healthier state, it has been identified that they have privacy and security concerns. Privacy and Security are of great concern for fitness trackers and their associated applications as protecting health data is of critical importance. This is so, as health data is one of the highly sort after information by cyber criminals. Fitness trackers and their associated applications have been identified to contain privacy and security concerns that places the health data of consumers at risk to intruders. As the study of Consumer Health continues to grow it is vital to understand the elements that are needed to better protect the health information of a consumer. This research paper therefore provides a conceptual threat assessment framework that can be used to identify the elements needed to better secure Consumer Health Wearables. These elements consist of six core elements from the CIA triad and Microsoft STRIDE framework. Fourteen vulnerabilities were further discovered that were classified within these six core elements. Through this, better guidance can be achieved to improve the privacy and security of Consumer Health Wearables.
- Full Text:
- Date Issued: 2017
- Authors: Mnjama, Javan , Foster, Gregory G , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429217 , vital:72568 , https://ieeexplore.ieee.org/abstract/document/8251776
- Description: Health data is important as it provides an individual with knowledge of the factors needed to be improved for oneself. The development of fitness trackers and their associated software aid consumers to understand the manner in which they may improve their physical wellness. These devices are capable of collecting health data for a consumer such sleeping patterns, heart rate readings or the number of steps taken by an individual. Although, this information is very beneficial to guide a consumer to a better healthier state, it has been identified that they have privacy and security concerns. Privacy and Security are of great concern for fitness trackers and their associated applications as protecting health data is of critical importance. This is so, as health data is one of the highly sort after information by cyber criminals. Fitness trackers and their associated applications have been identified to contain privacy and security concerns that places the health data of consumers at risk to intruders. As the study of Consumer Health continues to grow it is vital to understand the elements that are needed to better protect the health information of a consumer. This research paper therefore provides a conceptual threat assessment framework that can be used to identify the elements needed to better secure Consumer Health Wearables. These elements consist of six core elements from the CIA triad and Microsoft STRIDE framework. Fourteen vulnerabilities were further discovered that were classified within these six core elements. Through this, better guidance can be achieved to improve the privacy and security of Consumer Health Wearables.
- Full Text:
- Date Issued: 2017
A review of current DNS TTL practices
- Van Zyl, Ignus, Rudman, Lauren, Irwin, Barry V W
- Authors: Van Zyl, Ignus , Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427813 , vital:72464 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622760_A_review_of_current_DNS_TTL_practices/links/5b9a16e292851c4ba8181b7f/A-review-of-current-DNS-TTL-practices.pdf
- Description: This paper provides insight into legitimate DNS domain Time to Live (TTL) activity captured over two live caching servers from the period January to June 2014. DNS TTL practices are identified and compared between frequently queried domains, with respect to the caching servers. A breakdown of TTL practices by Resource Record type is also given, as well as an analysis on the TTL choices of the most frequent Top Level Domains. An analysis of anomalous TTL values with respect to the gathered data is also presented.
- Full Text:
- Date Issued: 2015
- Authors: Van Zyl, Ignus , Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427813 , vital:72464 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622760_A_review_of_current_DNS_TTL_practices/links/5b9a16e292851c4ba8181b7f/A-review-of-current-DNS-TTL-practices.pdf
- Description: This paper provides insight into legitimate DNS domain Time to Live (TTL) activity captured over two live caching servers from the period January to June 2014. DNS TTL practices are identified and compared between frequently queried domains, with respect to the caching servers. A breakdown of TTL practices by Resource Record type is also given, as well as an analysis on the TTL choices of the most frequent Top Level Domains. An analysis of anomalous TTL values with respect to the gathered data is also presented.
- Full Text:
- Date Issued: 2015