Adaptable exploit detection through scalable netflow analysis
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429274 , vital:72572 , https://ieeexplore.ieee.org/abstract/document/7802938
- Description: Full packet analysis on firewalls and intrusion detection systems, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations in Metasploit and through hand-crafted reconstructions of exploits based on published documentation of vulnerabilities. The attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further increase the Bolvedere system's attack detection capability.
- Full Text:
- Date Issued: 2016
Improving Fidelity in Internet Simulation through Packet Injection
- Authors: Koorn, Craig , Irwin, Barry V W , Herbert, Alan
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427786 , vital:72462 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622877_Improving_Fidelity_in_Internet_Simulation_through_Packet_Injection/links/5b9a1a47458515310583fd8a/Improving-Fidelity-in-Internet-Simulation-through-Packet-Injection.pdf
- Description: This paper describes the extension implemented to the NKM Internet simulation system, which allows for the improved injection of packet traffic at arbitrary nodes and the replay of previously recorded streams. The latter function allows for the relatively easy implementation of Internet Background Radiation (IBR) within the simulated portion of the Internet. This feature thereby enhances the degree of realism of the simulation, and allows certain pre-determined traffic, such as scanning activity, to be injected and observed by client systems connected to the simulator.
- Full Text:
- Date Issued: 2016
Towards malicious network activity mitigation through subnet reputation analysis
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427799 , vital:72463 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622788_Towards_Malicious_Network_Activity_Mitigation_through_Subnet_Reputation_Analysis/links/5b9a1a88458515310583fda6/Towards-Malicious-Network-Activity-Mitigation-through-Subnet-Reputation-Analysis.pdf
- Description: Analysis technologies that focus on partial packet rather than full packet analysis have shown promise in the detection of malicious activity on networks. NetFlow is one such emergent protocol that is used to log network flows by summarizing their key features. These logs can then be exported to external NetFlow sinks, and with proper configuration effective bandwidth bottleneck mitigation can be achieved on networks. Furthermore, each NetFlow source node is configurable with its own unique ID number. This feature enables a system that knows where a NetFlow source node ID number resides physically to say which network flows are occurring from which physical locations, irrespective of the IP addresses involved in these network flows.
- Full Text:
- Date Issued: 2016