An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427630 , vital:72452 , https://www.researchgate.net/profile/Stones-Chindi-pha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) has techniques that have been used to gauge the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarities in duplicated images, for native language identification, and to optimize algorithms, among others. With this notion, this study proposes the use of four of the Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling the ports of a /24 IPv4 net-block into smaller subnet equivalents. Using IR, this paper shows how the ports found in a /24 IPv4 net-block relate to those found in the smaller subnet equivalents. Using Internet Background Radiation (IBR) data that was collected at Rhodes University, the study found compelling evidence of the viability of using such techniques in sampling datasets; essentially, they identify the variation that comes with sampling the baseline dataset. It shows how the various samples are similar to the baseline dataset. The correlation observed in the scores shows how viable these techniques are for quantifying variations in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (the IPv4 net-block dataset).
- Full Text:
- Date Issued: 2019
A netFlow scoring framework for incident detection
- Sweeney, Michael, Irwin, Barry V W
- Authors: Sweeney, Michael , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428301 , vital:72501 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9693/Sweeney_19662_2017.pdf?sequence=1andisAllowed=y
- Description: As networks have grown, so has the data available for monitoring and security purposes. This increase in volume has raised significant challenges for administrators in terms of how to identify threats amongst the large volumes of network traffic, a large part of which is often background noise. In this paper we propose a framework for scoring and coding NetFlow data with security-related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious potential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
- Full Text:
- Date Issued: 2017
An analysis on the re-emergence of SQL Slammer worm using network telescope data
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428326 , vital:72503 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9705/Chindipha_19658_2017.pdf?sequence=1ansisAllowed=y
- Description: The SQL Slammer worm is a self-propagating computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. An observation of network traffic captured in Rhodes University's network telescopes shows an escalation in the number of packets captured by the telescopes between January 2014 and December 2016, when the expected traffic should have shown a steady decline in UDP packets from port 1434. Using data captured over a period of 84 months, the analysis done in this study identified the top ten /24 source IP address blocks that the Slammer worm repeatedly used for this attack, together with their geolocation. It also shows the trend of UDP 1434 packets received by the two network telescopes from January 2009 to December 2015. In line with the epidemic model, the paper has shown how this traffic fits the pattern of an SQL Slammer worm attack. The consistent number of packets observed in the two telescopes between 2014 and 2016 shows the qualities of the Slammer worm attack. Basic time series and decomposition of additive time series graphs have been used to show the trend and observed UDP packets over the time frame of the study.
- Full Text:
- Date Issued: 2017
JSON schema for attribute-based access control for network resource security
- Linklater, Gregory, Smith, Christian, Connan, James, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Smith, Christian , Connan, James , Herbert, Alan , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428368 , vital:72506 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9820/Linklater_19660_2017.pdf?sequence=1andisAllowed=y
- Description: Attribute-based Access Control (ABAC) is an access control model where authorization for an action on a resource is determined by evaluating attributes of the subject, resource (object) and environment. The attributes are evaluated against boolean rules of varying complexity. ABAC rule languages are often based on serializable object modeling and schema languages, as in the case of XACML, which is based on XML Schema. XACML is a standard by OASIS, and is the current de facto standard for ABAC. While a JSON profile for XACML exists, it is simply a compatibility layer for using JSON in XACML which caters to the XML object model paradigm, as opposed to the JSON object model paradigm. This research proposes JSON Schema as a modeling language that caters to the JSON object model paradigm on which to base an ABAC rule language. It continues to demonstrate its viability for the task by comparison against the features provided to XACML by XML Schema.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427740 , vital:72459 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibrahim, Irwin, Barry V W
- Authors: Frieslaar, Ibrahim , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428383 , vital:72507 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
SHA-1, SAT-solving, and CNF
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428408 , vital:72509 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9692/Motara_19661_2017.pdf?sequence=1andisAllowed=y
- Description: Finding a preimage for a SHA-1 hash is, at present, a computationally intractable problem. SAT-solvers have been useful tools for handling such problems and can often, through heuristics, generate acceptable solutions. This research examines the intersection between the SHA-1 preimage problem, the encoding of that problem for SAT-solving, and SAT-solving. The results demonstrate that SAT-solving is not yet a viable approach to take to solve the preimage problem, and also indicate that some of the intuitions about “good” problem encodings in the literature are likely to be incorrect.
- Full Text:
- Date Issued: 2017
Weems: An extensible HTTP honeypot
- Pearson, Deon, Irwin, Barry V W, Herbert, Alan
- Authors: Pearson, Deon , Irwin, Barry V W , Herbert, Alan
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428396 , vital:72508 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9691/Pearson_19652_2017.pdf?sequence=1andisAllowed=y
- Description: Malicious entities are constantly trying their luck at exploiting known vulnerabilities in web services, in an attempt to gain unauthorized access to resources. For this reason security specialists deploy various network defenses with the goal of preventing these threats; one such tool is the web-based honeypot. Historically a honeypot would be deployed facing the Internet to masquerade as a live system, with the intention of attracting attackers away from the valuable data. Researchers adapted these honeypots and turned them into a platform for studying and understanding web attacks and threats on the Internet. Having the ability to develop a honeypot that replicates a specific service meant researchers could now study the behavior patterns of threats, giving a better understanding of how to defend against them. This paper discusses a high-level design and implementation of Weems, a low-interaction, web-based, modular HTTP honeypot system. It also presents results obtained from various deployments over a period of time and what can be interpreted from these results.
- Full Text:
- Date Issued: 2017
A sharing platform for Indicators of Compromise
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we describe the functionality of a proof of concept platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language, displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network-level Indicators. Accordingly, we demonstrate the functionality of our proof of concept project. We discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around, and downloading defense mechanisms. It is shown how threat information can be converted into different formats to allow it to be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network-level defense mechanisms efficient. Two API functions of the platform are successfully tested and are useful because they allow for the bulk sharing of threat information.
- Full Text:
- Date Issued: 2016
Design of a Configurable Embedded Network Tap Flow Generation using NetFlow v9 and IPFIX Formats
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427756 , vital:72460 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622779_Design_of_a_Configurable_Embedded_Network_Tap_Flow_Generation_using_NetFlow_v9_and_IPFIX_Formats/links/5b9a19f2299bf14ad4d6a591/Design-of-a-Configurable-Embedded-Network-Tap-Flow-Generation-using-NetFlow-v9-and-IPFIX-Formats.pdf
- Description: This paper describes the design of a $200 hardware apparatus capable of passively monitoring network transmission at wire speeds of 100Mbit/s and generating NetFlow v9 or IPFIX compliant network flows for a downstream monitoring infrastructure. Testing of the apparatus hardware confirmed no network disruptions regardless of operational or power state while still being capable of correctly monitoring network traffic when configured. System testing under situations of heavy load confirmed apparatus capability at monitoring network traffic and correct generation of network flows compliant with either NetFlow v9 or IPFIX standards.
- Full Text:
- Date Issued: 2016
SHA-1 and the strict avalanche criterion
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429010 , vital:72553 , https://ieeexplore.ieee.org/abstract/document/7802926
- Description: The Strict Avalanche Criterion (SAC) is a measure of both confusion and diffusion, which are key properties of a cryptographic hash function. This work provides a working definition of the SAC, describes an experimental methodology that can be used to statistically evaluate whether a cryptographic hash meets the SAC, and uses this to investigate the degree to which the compression function of the SHA-1 hash meets the SAC. The results (P 0.01) are heartening: SHA-1 closely tracks the SAC after the first 24 rounds, and demonstrates excellent properties of confusion and diffusion throughout.
- Full Text:
- Date Issued: 2016
A review of current DNS TTL practices
- Van Zyl, Ignus, Rudman, Lauren, Irwin, Barry V W
- Authors: Van Zyl, Ignus , Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427813 , vital:72464 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622760_A_review_of_current_DNS_TTL_practices/links/5b9a16e292851c4ba8181b7f/A-review-of-current-DNS-TTL-practices.pdf
- Description: This paper provides insight into legitimate DNS domain Time to Live (TTL) activity captured over two live caching servers from the period January to June 2014. DNS TTL practices are identified and compared between frequently queried domains, with respect to the caching servers. A breakdown of TTL practices by Resource Record type is also given, as well as an analysis on the TTL choices of the most frequent Top Level Domains. An analysis of anomalous TTL values with respect to the gathered data is also presented.
- Full Text:
- Date Issued: 2015
An investigation into the signals leakage from a smartcard based on different runtime code
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427845 , vital:72466 , https://www.researchgate.net/profile/Ibraheem-Fries-laar/publication/307918229_An_investigation_into_the_signals_leakage_from_a_smartcard_based_on_different_runtime_code/links/57d1996008ae0c0081e04fd5/An-investigation-into-the-signals-leakage-from-a-smartcard-based-on-different-runtime-code.pdf
- Description: This paper investigates the power leakage of a smartcard. It is intended to answer two vital questions: what information is leaked when different characters are used as output, and does the length of the output affect the amount of information leaked. The investigation determines that as the length of the output is increased, more bus lines are switched from a precharge state to a high state. This is related to the output array in the code increasing in length. Furthermore, this work shows that the output for different characters generates a different pattern. This is because various characters need different numbers of bytes to be executed, since they have different binary values. Additionally, the information leaked can be directly linked to the smartcard's interpreter.
- Full Text:
- Date Issued: 2015
Characterization and analysis of NTP amplification based DDoS attacks
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429285 , vital:72573 , 10.1109/ISSA.2015.7335069
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values, as a whole, are then analysed to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting.
- Full Text:
- Date Issued: 2015
Data Centre vulnerabilities physical, logical and trusted entity security
- Swart, Ignus, Grobler, Marthie, Irwin, Barry V W
- Authors: Swart, Ignus , Grobler, Marthie , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427859 , vital:72467 , https://www.researchgate.net/profile/Ignus-Swart/publication/305442546_Data_Centre_vulnerabilities_physical_logical_trusted_entity_security/links/578f38c108aecbca4cada6bf/Data-Centre-vulnerabilities-physical-logical-trusted-entity-security.pdf
- Description: Data centres are often the hub for a significant number of disparate interconnecting systems. With rapid advances in virtualization, the use of data centres has increased significantly and is set to continue growing. Systems hosted typically serve the data needs of a growing number of organizations, ranging from private individuals to mammoth governmental departments. Due to this centralized method of operation, data centres have become a prime target for attackers. These attackers are not only after the data contained in the data centre; often the physical infrastructure the systems run on is the target of attack. Down time resulting from such an attack can affect a wide range of entities and can have severe financial implications for the owners of the data centre. To limit liability, strict adherence to standards is prescribed. Technology, however, develops at a far faster pace than standards, and our ability to accurately measure information security has significant hidden caveats. This allows for a situation where the defender's dilemma is exacerbated by information overload, a significant increase in attack surface and reporting tools that show only limited views. This paper investigates the logical and physical security components of a data centre and introduces the notion of third party involvement as an increase in attack surface due to the manner in which data centres typically operate.
- Full Text:
- Date Issued: 2015
Design and Fabrication of a Low Cost Traffic Manipulation Hardware Platform
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427873 , vital:72468 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622941_Design_and_Fabrication_of_a_Low_Cost_Traffic_Manipulation_Hardware/links/5b9a1625458515310583fc8c/Design-and-Fabrication-of-a-Low-Cost-Traffic-Manipulation-Hardware.pdf
- Description: This paper describes the design and fabrication of a dedicated hardware platform for network traffic logging and modification at a production cost of under $300. The context of the device is briefly discussed before characteristics relating to hardware development are explored. The paper concludes with three application examples to show some of the potential functionality of the platform. Testing of the device shows an average TCP throughput of 84.44 MiB/s when using the designed Ethernet modules.
- Full Text:
- Date Issued: 2015
FPGA Based Implementation of a High Performance Scalable NetFlow Filter
- Herbert, Alan, Irwin, Barry V W, Otten, D F, Balmahoon, M R
- Authors: Herbert, Alan , Irwin, Barry V W , Otten, D F , Balmahoon, M R
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427887 , vital:72470 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622948_FPGA_Based_Implementation_of_a_High_Performance_Scalable_NetFlow_Filter/links/5b9a17a192851c4ba8181ba5/FPGA-Based-Implementation-of-a-High-Performance-Scalable-NetFlow-Filter.pdf
- Description: Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis algorithms such as the NetFlow protocol have emerged to better mitigate these bottlenecks. This research delves into implementing a hardware accelerated, scalable, high performance system for NetFlow analysis and attack mitigation. Furthermore, this implementation takes on attack mitigation through collection and processing of network flows produced at the source, rather than at the site of incident. This research platform manages to scale out its back-end through distributed analysis over multiple hosts using the ZeroMQ toolset. Furthermore, ZeroMQ allows for multiple NetFlow data publishers, so that plug-ins can subscribe to the publishers that contain the relevant data to further increase the overall performance of the system. The dedicated custom hardware optimizes the received network flows through cleaning, summarization and re-ordering into an easy to pass form when given to the sequential component of the system; this being the back-end.
- Full Text:
- Date Issued: 2015
An exploration of geolocation and traffic visualisation using network flows
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2014
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429597 , vital:72625 , 10.1109/ISSA.2014.6950
- Description: A network flow is a data record that represents characteristics associated with a unidirectional stream of packets transmitted between two hosts using an IP layer protocol. As a network flow only represents statistics relating to the data transferred in the stream, the effectiveness of utilizing network flows for traffic visualization to aid in cyber defense is not immediately apparent and needs further exploration. The goal of this research is to explore the use of network flows for data visualization and geolocation.
- Full Text:
- Date Issued: 2014
Design of a Network Packet Processing platform
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2014
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427901 , vital:72472 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622772_Design_of_a_Network_Packet_Processing_platform/links/5b9a187f92851c4ba8181bd6/Design-of-a-Network-Packet-Processing-platform.pdf
- Description: This paper describes the design considerations investigated in the implementation of a prototype embedded network packet processing platform. The purpose of this system is to provide a means for researchers to process and manipulate network traffic using an embedded standalone hardware platform, with the provision that this be soft-configurable and flexible in its functionality. The performance of the Ethernet layer subsystem implemented using XMOS MCUs is investigated. Future applications of this prototype are discussed.
- Full Text:
- Date Issued: 2014
An Exploratory Framework for Extrusion Detection
- Stalmans, Etienne, Irwin, Barry V W
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2012
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428027 , vital:72481 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622736_An_Exploratory_Framework_for_Extrusion_Detection/links/5b9a12ba299bf14ad4d6a3d7/An-Exploratory-Framework-for-Extrusion-Detection.pdf
- Description: Modern network architecture allows multiple connectivity options, increasing the number of possible attack vectors. With the number of internet enabled devices constantly increasing, along with employees using these devices to access internal corporate networks, the attack surface has become too large to monitor from a single end-point. Traditional security measures have focused on securing a small number of network endpoints, by monitoring inbound connections, and are thus blind to attack vectors such as mobile internet connections and removable devices. Once an attacker has gained access to a network they are able to operate undetected on the internal network and exfiltrate data without hindrance. This paper proposes a framework for extrusion detection, where internal network traffic and outbound connections are monitored to detect malicious activity. The proposed framework has a tiered architecture consisting of prevention, detection, reaction and reporting. Each tier of the framework feeds into the subsequent tier, with reporting providing a feedback mechanism to improve each tier based on the outcome of previous incidents.
- Full Text:
- Date Issued: 2012