An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428156 , vital:72490 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225058_An_Analysis_of_Network_Scanning_Traffic_as_it_relates_to_Scan-Detec-tion_in_Network_Intrusion_Detection_Systems/links/5b3f21eaa6fdcc8506ffe659/An-Analysis-of-Network-Scanning-Traffic-as-it-relates-to-Scan-Detection-in-Network-Intrusion-Detection-Systems.pdf
- Description: Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever-present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner. Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.
- Full Text:
An Evaluation Of Scan-Detection Algorithms In Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428701 , vital:72530 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/29.pdf
- Description: Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro's scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro. This paper highlights current research into the improvement of these scan detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.
- Full Text:
An Investigation into the Performance of General Sorting on Graphics Processing Units
- Pilkington, Nick, Irwin, Barry V W
- Authors: Pilkington, Nick , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429881 , vital:72648 , https://doi.org/10.1007/978-1-4020-8741-7_65
- Description: Sorting is a fundamental operation in computing and there is a constant need to push the boundaries of performance with different sorting algorithms. With the advent of the programmable graphics pipeline, the parallel nature of graphics processing units has been exposed, allowing programmers to take advantage of it. By transforming the way that data is represented and operated on, parallel sorting algorithms can be implemented on graphics processing units where previously only graphics processing could be performed. This paradigm of programming exhibits potentially large speedups for algorithms.
- Full Text:
Guidelines for Constructing Robust Discrete-Time Computer Network Simulations
- Richter, John, Irwin, Barry V W
- Authors: Richter, John , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429896 , vital:72649 , https://doi.org/10.1007/978-1-4020-8737-0_69
- Description: Developing network simulations is a complex task that is often performed in research and testing. The components required to build a network simulator are common to many solutions. In order to expedite further simulation development, these components have been outlined and detailed in this paper. The process for generating and using these components is then detailed, and an example of a simulator that has been implemented using this system is detailed.
- Full Text:
High level internet scale traffic visualization using hilbert curve mapping
- Irwin, Barry V W, Pilkington, Nick
- Authors: Irwin, Barry V W , Pilkington, Nick
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429911 , vital:72650 , https://doi.org/10.1007/978-3-540-78243-8_10
- Description: A high level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparisons of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.
- Full Text:
Location and mapping of 2.4 GHz RF transmitters
- Wells, David D, Siebörger, Ingrid G, Irwin, Barry V W
- Authors: Wells, David D , Siebörger, Ingrid G , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: Conference paper
- Identifier: vital:6604 , http://hdl.handle.net/10962/d1009324
- Description: This paper describes the use of a MetaGeek WiSpy dongle in conjunction with custom developed client-server software for the accurate identification of wireless nodes within an organisation. The MetaGeek WiSpy dongle together with the custom developed software allow for the determination of the positions of Wi-Fi transceivers to within a few meters, which can be helpful in reducing the area for physical searches in the event of rogue units. This paper describes the tool and methodology for a site survey as a component that can be used in organisations wishing to audit their environments for wireless networks. The tool produced from this project, the WiSpy Signal Source Mapping Tool, is a three part application based on a client-server architecture. One part interfaces with a low cost 2.4 GHz spectrum analyser, another stores the data collected from all the spectrum analysers and the last part interprets the data to provide a graphical overview of the Wi-Fi network being analysed. The locations of the spectrum analysers are entered as GPS points, and the tool can interface with a GPS device to automatically update its geographical location. The graphical representation of the 2.4 GHz spectrum populated with Wi-Fi devices (Wi-Fi network) provided a fairly accurate method of locating and tracking 2.4 GHz devices. Accuracy of the WiSpy Signal Source Mapping Tool is hindered by obstructions or interference within the area, or by non-line-of-sight conditions.
- Full Text:
Mapping the location of 2.4 GHz transmitters to achieve optimal usage of an IEEE 802.11 network
- Wells, David D, Siebörger, Ingrid G, Irwin, Barry V W
- Authors: Wells, David D , Siebörger, Ingrid G , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: Conference paper
- Identifier: vital:6605 , http://hdl.handle.net/10962/d1009325
- Description: This paper describes the use of a low cost 2.4 GHz spectrum analyser, the MetaGeek WiSpy device, in conjunction with custom developed client-server software for the accurate identification of 2.4 GHz transmitters within a given area. The WiSpy dongle together with the custom developed software allow for determination of the positions of Wi-Fi transmitters to within a few meters, which can be helpful in reducing the work load for physical searches in the process of surveying the Wi-Fi network and geographical area. This paper describes the tool and methodology for a site survey as a component that can be used in organisations wishing to audit their environments for Wi-Fi networks. The tool produced from this project, the WiSpy Signal Source Mapping Tool, is a three part application based on a client-server architecture. One part interfaces with a low cost 2.4 GHz spectrum analyser, another stores the data collected from all the spectrum analysers and the third part interprets the data to provide a graphical overview of the Wi-Fi network being analysed. The locations of the spectrum analysers are entered as GPS points, and the tool can interface with a GPS device to automatically update its geographical location. The graphical representation of the 2.4 GHz spectrum populated with Wi-Fi devices (Wi-Fi network) provided a fairly accurate method of locating and tracking 2.4 GHz devices. Accuracy of the WiSpy Signal Source Mapping Tool is hindered by obstructions, interference within the area, or non-line-of-sight conditions.
- Full Text:
Spam Construction Trends
- Irwin, Barry V W, Friedman, Blake
- Authors: Irwin, Barry V W , Friedman, Blake
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428762 , vital:72534 , https://www.researchgate.net/profile/Barry-Ir-win/publication/220803159_Spam_Construction_Trends/links/53fc76bd0cf2dca8ffff22fb/Spam-Construction-Trends.pdf
- Description: This paper replicates and extends Observed Trends in Spam Construction Techniques: A Case Study of Spam Evolution. A corpus of 169,274 spam email was collected over a period of five years. Each spam email was tested for construction techniques using SpamAssassin's spamicity tests. The results of these tests were collected in a database. Formal definitions of Pu and Webb's co-existence, extinction and complex trends were developed and applied to the results within the database. A comparison of the Spam Evolution Study and this paper's results took place to determine the relevance of the trends. A geolocation analysis was conducted on the corpus, as an extension, to determine the major geographic sources of the corpus.
- Full Text:
Towards a taxonomy of network scanning techniques
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430310 , vital:72682 , https://doi.org/10.1145/1456659.1456660
- Description: Network scanning is a common reconnaissance activity in network intrusion. Despite this, its classification remains vague and detection systems in current Network Intrusion Detection Systems are incapable of detecting many forms of scanning traffic. This paper presents a classification of network scanning and illustrates how complex and varied this activity is. The presented classification extends previous, well known, definitions of scanning traffic in a manner which reflects this complexity.
- Full Text:
Using inetvis to evaluate snort and bro scan detection on a network telescope
- Irwin, Barry V W, van Riel, J P
- Authors: Irwin, Barry V W , van Riel, J P
- Date: 2008
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429981 , vital:72656 , https://doi.org/10.1007/978-3-540-78243-8_17
- Description: This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. Scan detection algorithms used by the Snort and Bro intrusion detection systems are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The Snort and Bro algorithms are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.
- Full Text:
A Digital Forensic investigative model for business organisations
- Forrester, Jock, Irwin, Barry V W
- Authors: Forrester, Jock , Irwin, Barry V W
- Date: 2007
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430078 , vital:72664 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228783555_A_Digital_Forensic_investigative_model_for_business_organisations/links/53e9c5e80cf28f342f414987/A-Digital-Forensic-investigative-model-for-business-organisations.pdf
- Description: When a digital incident occurs there are generally three courses of action that are taken, generally dependent on the type of organisation within which the incident occurs, or which is responding to the event. In the case of law enforcement the priority is to secure the crime scene, followed by the identification of evidentiary sources which should be dispatched to a specialist laboratory for analysis. In the case of an incident within military (or similar critical) infrastructure, the primary goal becomes one of risk identification and elimination, followed by recovery and possible offensive measures. Where financial impact is caused by an incident, and revenue earning potential is adversely affected (as in the case of most commercial organisations), root cause analysis and system remediation are of primary concern, with in-depth analysis of the how and why left until systems have been restored.
- Full Text:
A geopolitical analysis of long term internet network telescope traffic
- Irwin, Barry V W, Pilkington, Nick, Barnett, Richard J, Friedman, Blake
- Authors: Irwin, Barry V W , Pilkington, Nick , Barnett, Richard J , Friedman, Blake
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428142 , vital:72489 , https://www.researchgate.net/profile/Barry-Ir-win/publication/228848896_A_geopolitical_analysis_of_long_term_internet_network_telescope_traffic/links/53e9c5190cf2fb1b9b672aee/A-geopolitical-analysis-of-long-term-internet-network-telescope-traffic.pdf
- Description: This paper presents results from the analysis of twelve months of network telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are highlighted. In particular, the bulk of traffic analysed had its source in China from a volume perspective, but the Eastern United States and North Western Europe were shown to be primary sources when the number of unique hosts was considered. Traffic from African states (South Africa in particular) was also found to be surprisingly high. This unexpected result may be due to the network locality preference of many automated agents. Both statistical and graphical analyses are presented. It is found that a country with a high penetration of broadband connectivity is likely to feature highly in network telescope traffic, as are networks logically close to the telescope network.
- Full Text:
Bridging the gap for Next Generation Services: Presence Services on Legacy Devices
- Moyo, Thamsanqa, Thinyane, Mamello, Wright, Madeleine, Irwin, Barry V W, Clayton, Peter G, Terzoli, Alfredo
- Authors: Moyo, Thamsanqa , Thinyane, Mamello , Wright, Madeleine , Irwin, Barry V W , Clayton, Peter G , Terzoli, Alfredo
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428177 , vital:72491 , https://d1wqtxts1xzle7.cloudfront.net/49665432/Paper_2063_20-_20Moyo-libre.pdf?1476717366=andresponse-content-disposi-tion=inline%3B+filename%3DBridging_the_gap_for_Next_Generation_Ser.pdfandEx-pires=1714737455andSignature=RRbr9pzIYSYX8v7FG6FzV4tu3dFXm9qmmqq5WirOhuYdt--mjOfcDHQNLPYZHCmtgYZWdVk6bVFxfGOVJxgXrvkTe2QN2AZV3XfFTZ3mi1s3A5gw2jIXOVHrYUnaf~POgdijdY85mqWhco3vL6Qk3sOZgYjIlTF5ZGAKg1S54W978Nom01cT2~oqRA0Et6mTNmydWfF5MhFxQIq~LNmYqEqmEESKkkWQFwg6xJJUu0uGffbaZXXBA6oDI2cpfkz1FleKyKaRDRJvdfnuTHPoJJ4TzfO6DDVCWKvJ45jaxIzaGmK-03Ai29I-DPyy-c557kZh~kF3rmDg3zrXVNaL8A__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: Next generation services are provided by applications that leverage packet-based domains. A challenge faced by such services is the support for multiple devices, including legacy devices. Our paper examines a strategy for the provision of next generation services on legacy cellular network devices. We advocate that the provision of next generation services via applications on the SIM card allows for the deployment of such services on legacy devices. We demonstrate this assertion through a proof of concept application, SIMPre, that resides on a SIM card. SIMPre implements a presence service by leveraging Java Card, the SIM Application Toolkit and the OMA IMPS standard. We show that it is possible to provide a next generation service on the SIM card such that it ubiquitously integrates with the functionality of a legacy device. We conclude through this demonstration that the SIM card is a viable option for providing backward compatibility to legacy devices in the implementation of next generation services.
- Full Text:
Bridging the gap for Next Generation Services: Presence Services on Legacy Devices
- Moyo, Thamsanqa, Thinyane, Mamello, Wright, Madeleine, Irwin, Barry V W, Clayton, Peter G, Terzoli, Alfredo
- Authors: Moyo, Thamsanqa , Thinyane, Mamello , Wright, Madeleine , Irwin, Barry V W , Clayton, Peter G , Terzoli, Alfredo
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428176 , vital:72492 , https://d1wqtxts1xzle7.cloudfront.net/49665432/Paper_2063_20-_20Moyo-libre.pdf?1476717366=andresponse-content-disposi-tion=inline%3B+filename%3DBridging_the_gap_for_Next_Generation_Ser.pdfandEx-pires=1714737455andSignature=RRbr9pzIYSYX8v7FG6FzV4tu3dFXm9qmmqq5WirOhuYdt--mjOfcDHQNLPYZHCmtgYZWdVk6bVFxfGOVJxgXrvkTe2QN2AZV3XfFTZ3mi1s3A5gw2jIXOVHrYUnaf~POgdijdY85mqWhco3vL6Qk3sOZgYjIlTF5ZGAKg1S54W978Nom01cT2~oqRA0Et6mTNmydWfF5MhFxQIq~LNmYqEqmEESKkkWQFwg6xJJUu0uGffbaZXXBA6oDI2cpfkz1FleKyKaRDRJvdfnuTHPoJJ4TzfO6DDVCWKvJ45jaxIzaGmK-03Ai29I-DPyy-c557kZh~kF3rmDg3zrXVNaL8A__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: Next generation services are provided by applications that leverage packet-based domains. A challenge faced by such services is the support for multiple devices, including legacy devices. Our paper examines a strategy for the provision of next generation services on legacy cellular network devices. We advocate that the provision of next generation services via applications on the SIM card allows for the deployment of such services on legacy devices. We demonstrate this assertion through a proof of concept application, SIMPre, that resides on a SIM card. SIMPre implements a presence service by leveraging Java Card, the SIM Application Toolkit and the OMA IMPS standard. We show that it is possible to provide a next generation service on the SIM card such that it ubiquitously integrates with the functionality of a legacy device. We conclude through this demonstration that the SIM card is a viable option for providing backward compatibility to legacy devices in the implementation of next generation services.
- Full Text:
Evaluating compression as an enabler for centralised monitoring in a Next Generation Network
- Otten, Fred, Irwin, Barry V W, Slay, Hannah
- Authors: Otten, Fred , Irwin, Barry V W , Slay, Hannah
- Date: 2007
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428226 , vital:72495 , https://citeseerx.ist.psu.edu/document?repid=rep1andtype=pdfanddoi=f9ed69db7da44c168082934cd4ea5a413b2bf7f5
- Description: With the emergence of Next Generation Networks and a large number of next generation services, the volume and diversity of information is on the rise. These networks are often large, distributed and consist of heterogeneous devices. In order to provide effective centralised monitoring and control we need to be able to assemble the relevant data at a central point. This becomes difficult because of the large quantity of data. We also would like to achieve this using the least amount of bandwidth, and minimise the latency. This paper investigates using compression to enable centralised monitoring and control. It presents the results of experiments showing that compression is an effective method of data reduction, resulting in up to 93.3 percent reduction in bandwidth usage for point-to-point transmission. This paper also describes an architecture that incorporates compression and provides centralised monitoring and control.
- Full Text:
Inetvis: a graphical aid for the detection and visualisation of network scans
- Irwin, Barry V W, van Riel, Jean-Pierre
- Authors: Irwin, Barry V W , van Riel, Jean-Pierre
- Date: 2007
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430381 , vital:72687 , https://www.cs.ru.ac.za/research/g02V2468/publications/Irwin-VizSEC2007_draft.pdf
- Description: This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. The scan detection algorithms of Snort and Bro are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The algorithms of the Snort and Bro intrusion detection systems are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result from a grossly oversimplified method of counting unique destination addresses and ports.
- Full Text:
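The abstract above describes the Snort and Bro scan detectors as counting unique connection attempts to destination addresses and ports. The following is an added example of that counting approach written for this listing; it is not code from the paper, from Inetvis, or from either IDS. The window length, the thresholds and the flow records are assumptions constructed for illustration, and the slow-scan case only shows a general limitation of fixed-window unique-destination counting, not the specific Snort defect the paper reports.

```python
"""Threshold scan detector: unique destination addresses and ports per source.

Added example (not from the paper or either IDS). Per source address and
per fixed time window it counts the distinct destination addresses and the
distinct destination ports the source attempted to connect to, and raises
an alert when either count reaches an assumed threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start (constructed, not captured)
    src: str
    dst: str
    dport: int


# Assumed parameters for illustration; neither IDS uses exactly these values.
WINDOW = 60.0
HOST_THRESHOLD = 5   # distinct destination addresses -> horizontal scan
PORT_THRESHOLD = 5   # distinct destination ports     -> vertical scan


def detect_scans(flows, window=WINDOW, host_threshold=HOST_THRESHOLD,
                 port_threshold=PORT_THRESHOLD):
    """Return sorted (src, window_index, kind) alerts.

    kind is 'horizontal' (many hosts, one or few ports), 'vertical' (many
    ports on few hosts) or 'block' (both thresholds reached). Repeated
    attempts to the same address or port add nothing to the count, which
    is what makes the count 'unique'.
    """
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        key = (f.src, int(f.ts // window))
        dsts[key].add(f.dst)
        ports[key].add(f.dport)

    alerts = []
    for key in dsts:
        many_hosts = len(dsts[key]) >= host_threshold
        many_ports = len(ports[key]) >= port_threshold
        if many_hosts and many_ports:
            kind = "block"
        elif many_hosts:
            kind = "horizontal"
        elif many_ports:
            kind = "vertical"
        else:
            continue
        alerts.append((key[0], key[1], kind))
    return sorted(alerts)


def sample_flows():
    """Constructed flow records covering four behaviours (not real traffic)."""
    flows = []
    # Horizontal scan: one port (445) across eight hosts within seconds.
    for i in range(8):
        flows.append(Flow(1.0 + i, "10.0.0.1", f"192.0.2.{i + 1}", 445))
    # Vertical scan: seven ports on a single host.
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 443]):
        flows.append(Flow(5.0 + i, "10.0.0.2", "192.0.2.10", p))
    # Benign: twenty connections to the same web server, one unique pair.
    for i in range(20):
        flows.append(Flow(2.0 * i, "10.0.0.3", "192.0.2.20", 80))
    # Slow horizontal scan: one new host every 30 s, so at most two distinct
    # destinations fall inside any 60 s window and the default run misses it.
    for i in range(8):
        flows.append(Flow(30.0 * i, "10.0.0.4", f"192.0.2.{i + 30}", 22))
    return flows


if __name__ == "__main__":
    print("60 s window:", detect_scans(sample_flows()))
    print("300 s window:", detect_scans(sample_flows(), window=300.0))
```

With the default 60 s window the detector alerts on the fast horizontal and vertical scans and stays silent on the benign client, because twenty attempts to one address and port still count as a single unique destination. The slow scanner (10.0.0.4) is only reported when the window is widened to 300 s, which is the false-negative trade-off inherent in any detector that counts unique destinations inside a fixed window.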
A Discussion Of Wireless Security Technologies
- Janse van Rensburg, Johanna, Irwin, Barry V W
- Authors: Janse van Rensburg, Johanna , Irwin, Barry V W
- Date: 2006
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429852 , vital:72645 , https://www.researchgate.net/profile/Barry-Irwin/publication/228864029_A_DISCUSSION_OF_WIRELESS_SECURITY_TECHNOLOGIES/links/53e9c5190cf28f342f41492b/A-DISCUSSION-OF-WIRELESS-SECURITY-TECHNOLOGIES.pdf
- Description: The 802.11 standard contains a number of problems, ranging from interference, co-existence issues, exposed terminal problems and regulations to security. Despite all of these it has become a widely deployed technology as an extension of companies' networks to provide mobility. In this paper the focus will be on the security issues of 802.11. Several solutions for the deployment of 802.11 security exist today, ranging from WEP, WPA, VPN and 802.11i, each providing a different level of security. These technologies have pros and cons which need to be understood in order to implement an appropriate solution suited to a specific scenario.
- Full Text:
Design considerations for a reliable and secure wireless network
- Janse van Rensburg, Johanna, Irwin, Barry V W, Zhao, X G
- Authors: Janse van Rensburg, Johanna , Irwin, Barry V W , Zhao, X G
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428199 , vital:72493 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622818_Design_considerations_for_a_reliable_and_secure_wireless_network/links/5b9a114792851c4ba81819fe/Design-considerations-for-a-reliable-and-secure-wireless-network.pdf
- Description: Wireless networks have become widely accepted in enterprise networks and can no longer be considered an experimental technology. However, users often experience performance problems due to poor designs. These problems can be attributed to the physical nature of wireless networks, the electromagnetic wave. As a wave propagates through the air it is susceptible to interference, reflection or refraction, to name a few, which change the wave and ultimately the received signal. However, the effect of these can be mitigated with the proper design of a wireless network. In this paper these design considerations will be introduced through discussion of visualization packages that aid in the design process. Furthermore we will take a look at the security considerations of wireless networks, as, surprisingly, even with the ratification of 802.11i almost two years ago, security is still considered one of the biggest challenges against implementing a wireless local area network.
- Full Text:
DRAPA - a flexible framework for evaluating the quality of VoIP components
- Clayton, Bradley, Terzoli, Alfredo, Irwin, Barry V W
- Authors: Clayton, Bradley , Terzoli, Alfredo , Irwin, Barry V W
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428213 , vital:72494 , https://d1wqtxts1xzle7.cloudfront.net/3456214/No_268_-_Clayton-libre.pdf?1390832682=andresponse-content-disposi-tion=inline%3B+filename%3DDRAPA_a_flexible_framework_for_evaluatin.pdfandExpires=1714742712andSignature=FTQ3UMH7w9KMXeuld-NbnboBP9kqza7jDnVI2AJMFrhV6fkW56bPgPZKVAY-bKJFqJP-jq4h4JwRhWVuCA-oIIA4ckbhKHA4OoL4X5DYtlujkhkombcp-B5fVR02AioXBazDtfnTGvZLE21wluH0BnkBL9OAQSen7YJDzDsYtNH2pFIn06Nmg9-kDaJoRmW9KWlQs8BwyaXml4-pG~FrpiGCRclANXBSpmsxYSdJyZAnHq2ZZNqx9pEHigaYHUUgllDq64dp8C8R84xAbbbRcvt-XNhuQ~fU2AkJILms4FUkJSjGI0E-TOKhh7vQiVIh5KzZX8MOiS~rEuBH6ekx8g__andKey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: When adding to or altering a VoIP system, the overall performance and quality of the system is at risk. For example, adding confidentiality, integrity and authentication (CIA) would incur an overhead for each additional security method. A method of measuring the performance of a VoIP system after a change or addition is needed. This paper describes a framework and testbed (DRAPA) which provides a flexible base from which VoIP performance analysis systems can be built. DRAPA generates and collects data from any part of a VoIP system within a real domain. This paper also discusses the flexibility of DRAPA. While security is our primary focus, DRAPA allows the user to configure the testbed and change the type and nature of data to be collected.
- Full Text:
Identifying and Investigating Intrusive Scanning Patterns by Visualizing Network Telescope Traffic in a 3-D Scatter-plot
- van Riel, Jean-Pierre, Irwin, Barry V W
- Authors: van Riel, Jean-Pierre , Irwin, Barry V W
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428719 , vital:72531 , https://citeseerx.ist.psu.edu/document?repid=rep1type=pdfanddoi=aeb0738f0e53a8c9f407fee7e55c852643f2644c
- Description: Detecting and investigating intrusive Internet activity is an ever-present challenge for network administrators and security researchers. Network monitoring can generate large, unmanageable amounts of log data, which further complicates distinguishing between illegitimate and legitimate traffic. Considering the above issue, this article has two aims. First, it describes an investigative methodology for network monitoring and traffic review; and second, it discusses results from applying this method. The method entails a combination of network telescope traffic capture and visualisation. Observing traffic from the perspective of a dedicated sensor network reduces the volume of data and alleviates the concern of confusing malicious traffic with legitimate traffic. Complementing this, visual analysis facilitates the rapid review and correlation of events, thereby utilizing human intelligence in the identification of scanning patterns. To demonstrate the proposed method, several months of network telescope traffic is captured and analysed with a tailor-made 3D scatter-plot visualisation. As the results show, the visualisation saliently conveys anomalous patterns, and further analysis reveals that these patterns are indicative of covert network probing activity. By incorporating visual analysis with traditional approaches, such as textual log review and the use of an intrusion detection system, this research contributes improved insight into network scanning incidents.
- Full Text: