A multi-threading approach to secure VERIFYPIN
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises of using various mathematical operations along side a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes a more improved version of the pin-acceptance program by segmenting the pro-gram. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verified thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates it is able to be more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises of using various mathematical operations along side a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes a more improved version of the pin-acceptance program by segmenting the pro-gram. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verified thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates it is able to be more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
A sharing platform for Indicators of Compromise
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we will describe the functionality of a proof of concept sharing platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network level Indicators. Accordingly we demonstrate the functionality of our proof of concept project. We will discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around and downloading defense mechanisims. It will be shown how threat information can be converted into different formats to allow them to be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network level defense mechanisms efficient. Two API functions of the platform will be successfully tested and are useful because this can allow for the bulk sharing and of threat information.
- Full Text:
- Date Issued: 2016
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we will describe the functionality of a proof of concept sharing platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network level Indicators. Accordingly we demonstrate the functionality of our proof of concept project. We will discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around and downloading defense mechanisims. It will be shown how threat information can be converted into different formats to allow them to be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network level defense mechanisms efficient. Two API functions of the platform will be successfully tested and are useful because this can allow for the bulk sharing and of threat information.
- Full Text:
- Date Issued: 2016
Adaptable exploit detection through scalable netflow analysis
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429274 , vital:72572 , https://ieeexplore.ieee.org/abstract/document/7802938
- Description: Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations on Metasploit and through hand-crafted reconstructions of exploits via known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further the increase the Bolvedere system's attack detection capability.
- Full Text:
- Date Issued: 2016
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429274 , vital:72572 , https://ieeexplore.ieee.org/abstract/document/7802938
- Description: Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations on Metasploit and through hand-crafted reconstructions of exploits via known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further the increase the Bolvedere system's attack detection capability.
- Full Text:
- Date Issued: 2016
An overview of linux container based network emulation
- Peach, Schalk, Irwin, Barry V W, van Heerden, Renier
- Authors: Peach, Schalk , Irwin, Barry V W , van Heerden, Renier
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430095 , vital:72665 , https://www.proceedings.com/30838.html
- Description: The objective of this paper is to assess the current state of Container-Based Emulator implementations on the Linux platform. Through a nar-rative overview, a selection of open source Container-Based emulators are analysed to collect information regarding the technologies used to construct them to assess the current state of this emerging technology. Container-Based Emulators allows the creation of small emulated net-works on commodity hardware through the use of kernel level virtualiza-tion techniques, also referred to as containerisation. Container-Based Emulators act as a management tool to control containers and the ap-plications that execute within them. The ability of Container Based Emu-lators to create repeatable and controllable test networks makes it ideal for use as training and experimentation tools in the information security and network management fields. Due to the ease of use and low hard-ware requirements, the tools present a low cost alternative to other forms of network experimentation platforms. Through a review of cur-rent literature and source code, the current state of Container-Based Emulators is assessed.
- Full Text:
- Date Issued: 2016
- Authors: Peach, Schalk , Irwin, Barry V W , van Heerden, Renier
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430095 , vital:72665 , https://www.proceedings.com/30838.html
- Description: The objective of this paper is to assess the current state of Container-Based Emulator implementations on the Linux platform. Through a nar-rative overview, a selection of open source Container-Based emulators are analysed to collect information regarding the technologies used to construct them to assess the current state of this emerging technology. Container-Based Emulators allows the creation of small emulated net-works on commodity hardware through the use of kernel level virtualiza-tion techniques, also referred to as containerisation. Container-Based Emulators act as a management tool to control containers and the ap-plications that execute within them. The ability of Container Based Emu-lators to create repeatable and controllable test networks makes it ideal for use as training and experimentation tools in the information security and network management fields. Due to the ease of use and low hard-ware requirements, the tools present a low cost alternative to other forms of network experimentation platforms. Through a review of cur-rent literature and source code, the current state of Container-Based Emulators is assessed.
- Full Text:
- Date Issued: 2016
Characterization and Analysis of NTP Amplifier Traffic
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429482 , vital:72616 , 10.23919/SAIEE.2016.8531542
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values are then analysed as a whole to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting. The paper discusses our work with two brief case studies correlating observed data to real-world attacks, and the observable impact thereof.
- Full Text:
- Date Issued: 2016
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429482 , vital:72616 , 10.23919/SAIEE.2016.8531542
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values are then analysed as a whole to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting. The paper discusses our work with two brief case studies correlating observed data to real-world attacks, and the observable impact thereof.
- Full Text:
- Date Issued: 2016
Design of a Configurable Embedded Network Tap Flow Generation using NetFlow v9 and IPFIX Formats
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427756 , vital:72460 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622779_Design_of_a_Configurable_Embedded_Network_Tap_Flow_Generation_using_NetFlow_v9_and_IPFIX_Formats/links/5b9a19f2299bf14ad4d6a591/Design-of-a-Configurable-Embedded-Network-Tap-Flow-Generation-using-NetFlow-v9-and-IPFIX-Formats.pdf
- Description: This paper describes the design of a $200 hardware apparatus capable of passively monitoring network transmission at wire speeds of 100Mbit/s and generating NetFlow v9 or IPFIX compliant network flows for a downstream monitoring infrastructure. Testing of the apparatus hardware confirmed no network disruptions regardless of operational or power state while still being capable of correctly monitoring network traffic when configured. System testing under situations of heavy load confirmed apparatus capability at monitoring network traffic and correct generation of network flows compliant with either NetFlow v9 or IPFIX standards.
- Full Text:
- Date Issued: 2016
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427756 , vital:72460 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622779_Design_of_a_Configurable_Embedded_Network_Tap_Flow_Generation_using_NetFlow_v9_and_IPFIX_Formats/links/5b9a19f2299bf14ad4d6a591/Design-of-a-Configurable-Embedded-Network-Tap-Flow-Generation-using-NetFlow-v9-and-IPFIX-Formats.pdf
- Description: This paper describes the design of a $200 hardware apparatus capable of passively monitoring network transmission at wire speeds of 100Mbit/s and generating NetFlow v9 or IPFIX compliant network flows for a downstream monitoring infrastructure. Testing of the apparatus hardware confirmed no network disruptions regardless of operational or power state while still being capable of correctly monitoring network traffic when configured. System testing under situations of heavy load confirmed apparatus capability at monitoring network traffic and correct generation of network flows compliant with either NetFlow v9 or IPFIX standards.
- Full Text:
- Date Issued: 2016
Detecting derivative malware samples using deobfuscation-assisted similarity analysis
- Wrench, Peter, Irwin, Barry V W
- Authors: Wrench, Peter , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429494 , vital:72617 , 10.23919/SAIEE.2016.8531543
- Description: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly-created webshell software incorporates portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
- Full Text:
- Date Issued: 2016
- Authors: Wrench, Peter , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429494 , vital:72617 , 10.23919/SAIEE.2016.8531543
- Description: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly-created webshell software incorporates portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
- Full Text:
- Date Issued: 2016
Developing a Multi Platform Countermeasure to Ensure a Secure Home
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427772 , vital:72461 , https://www.researchgate.net/profile/Ibraheem-Fries-laar/publication/312219190_Developing_a_Multi_Platform_Countermeasure_to_Ensure_a_Secure_Home/links/587747d508ae8fce492fb5e2/Developing-a-Multi-Platform-Countermeasure-to-Ensure-a-Secure-Home.pdf
- Description: This research proposes an investigation into the side channel analysis attacks against the AES algorithm on high powered devices. Currently the research field into this aspect is fairly new and there is room for more information to be discovered. This research proposes using a Raspberry Pi in conjunction with a Software Defined Radio to capture electromagnetic emanations in the low and high frequency domains. Two well-known side channel attacks will be used to recover the secret information based on the electromagnetic emanations. Furthermore, this research proposes investigating into a possible software countermeasure by using the high-powered devices features such as multi-threading.
- Full Text:
- Date Issued: 2016
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427772 , vital:72461 , https://www.researchgate.net/profile/Ibraheem-Fries-laar/publication/312219190_Developing_a_Multi_Platform_Countermeasure_to_Ensure_a_Secure_Home/links/587747d508ae8fce492fb5e2/Developing-a-Multi-Platform-Countermeasure-to-Ensure-a-Secure-Home.pdf
- Description: This research proposes an investigation into the side channel analysis attacks against the AES algorithm on high powered devices. Currently the research field into this aspect is fairly new and there is room for more information to be discovered. This research proposes using a Raspberry Pi in conjunction with a Software Defined Radio to capture electromagnetic emanations in the low and high frequency domains. Two well-known side channel attacks will be used to recover the secret information based on the electromagnetic emanations. Furthermore, this research proposes investigating into a possible software countermeasure by using the high-powered devices features such as multi-threading.
- Full Text:
- Date Issued: 2016
Dridex: Analysis of the traffic and automatic generation of IOCs
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429525 , vital:72619 , https://ieeexplore.ieee.org/abstract/document/7802932
- Description: In this paper we present a framework that generates network Indicators of Compromise (IOC) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises sandbox environment to perform the malware analysis in. We focus on the generation of network based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples and evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing of, and application of the generated IOCs and the number of systems that can be used to share them. Lastly we discuss how they can be useful in combating cyber threats.
- Full Text:
- Date Issued: 2016
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429525 , vital:72619 , https://ieeexplore.ieee.org/abstract/document/7802932
- Description: In this paper we present a framework that generates network Indicators of Compromise (IOC) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises sandbox environment to perform the malware analysis in. We focus on the generation of network based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples and evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing of, and application of the generated IOCs and the number of systems that can be used to share them. Lastly we discuss how they can be useful in combating cyber threats.
- Full Text:
- Date Issued: 2016
Evaluating the multi-threading countermeasure
- Frieslaar, Ibrahim, Irwin, Barry V W
- Authors: Frieslaar, Ibrahim , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428352 , vital:72505 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9041/Frieslaar_2016.pdf?sequence=1andisAllowed=y
- Description: This research investigates the resistance of the multi-threaded coun-termeasure to side channel analysis (SCA) attacks. The multi-threaded countermeasure is attacked using the Correlation Power Analysis (CPA) and template attacks. Additionally, it is compared to the existing hiding countermeasure. Furthermore, additional signal processing techniques are used to increase the attack success ratio. It is demon-strated that the multi-threaded countermeasure is able to outperform the existing countermeasures by withstanding the CPA and template at-tacks. Furthermore, the multi-threaded countermeasure is unaffected by the elastic alignment and filtering techniques as opposed to the existing countermeasures. The research concludes that the multithreaded coun-termeasure is indeed a secure implementation to mitigate SCA attacks.
- Full Text:
- Date Issued: 2016
- Authors: Frieslaar, Ibrahim , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428352 , vital:72505 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9041/Frieslaar_2016.pdf?sequence=1andisAllowed=y
- Description: This research investigates the resistance of the multi-threaded coun-termeasure to side channel analysis (SCA) attacks. The multi-threaded countermeasure is attacked using the Correlation Power Analysis (CPA) and template attacks. Additionally, it is compared to the existing hiding countermeasure. Furthermore, additional signal processing techniques are used to increase the attack success ratio. It is demon-strated that the multi-threaded countermeasure is able to outperform the existing countermeasures by withstanding the CPA and template at-tacks. Furthermore, the multi-threaded countermeasure is unaffected by the elastic alignment and filtering techniques as opposed to the existing countermeasures. The research concludes that the multithreaded coun-termeasure is indeed a secure implementation to mitigate SCA attacks.
- Full Text:
- Date Issued: 2016
Improving Fidelity in Internet Simulation through Packet Injection
- Koorn, Craig, Irwin, Barry V W, Herbert, Alan
- Authors: Koorn, Craig , Irwin, Barry V W , Herbert, Alan
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427786 , vital:72462 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622877_Improving_Fidelity_in_Internet_Simulation_through_Packet_Injection/links/5b9a1a47458515310583fd8a/Improving-Fidelity-in-Internet-Simulation-through-Packet-Injection.pdf
- Description: This paper describes the of extension implemented to the NKM Internet simulation system, which allows for the improved of injection of packet traffic at arbitrary nodes, and the replay of previously recorded streams. The latter function allows for the relatively easy implementation of Internet Background Radiation (IBR) within the simulated portion of the Internet. This feature thereby enhances the degree of realism of the simulation, and allows for certain pre-determined traffic, such as scanning activity, to be injected and observed by client systems connected to the simulator.
- Full Text:
- Date Issued: 2016
- Authors: Koorn, Craig , Irwin, Barry V W , Herbert, Alan
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427786 , vital:72462 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622877_Improving_Fidelity_in_Internet_Simulation_through_Packet_Injection/links/5b9a1a47458515310583fd8a/Improving-Fidelity-in-Internet-Simulation-through-Packet-Injection.pdf
- Description: This paper describes the of extension implemented to the NKM Internet simulation system, which allows for the improved of injection of packet traffic at arbitrary nodes, and the replay of previously recorded streams. The latter function allows for the relatively easy implementation of Internet Background Radiation (IBR) within the simulated portion of the Internet. This feature thereby enhances the degree of realism of the simulation, and allows for certain pre-determined traffic, such as scanning activity, to be injected and observed by client systems connected to the simulator.
- Full Text:
- Date Issued: 2016
Investigating multi-thread utilization as a software defence mechanism against side channel attacks
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430190 , vital:72672 , https://doi.org/10.1145/3015166.3015176
- Description: A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
- Full Text:
- Date Issued: 2016
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430190 , vital:72672 , https://doi.org/10.1145/3015166.3015176
- Description: A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
- Full Text:
- Date Issued: 2016
Sha-1 and the strict avalanche criterion
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429010 , vital:72553 , https://ieeexplore.ieee.org/abstract/document/7802926
- Description: The Strict Avalanche Criterion (SAC) is a measure of both confusion and diffusion, which are key properties of a cryptographic hash function. This work provides a working definition of the SAC, describes an experimental methodology that can be used to statistically evaluate whether a cryptographic hash meets the SAC, and uses this to investigate the degree to which compression function of the SHA-1 hash meets the SAC. The results (P 0.01) are heartening: SHA-1 closely tracks the SAC after the first 24 rounds, and demonstrates excellent properties of confusion and diffusion throughout.
- Full Text:
- Date Issued: 2016
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429010 , vital:72553 , https://ieeexplore.ieee.org/abstract/document/7802926
- Description: The Strict Avalanche Criterion (SAC) is a measure of both confusion and diffusion, which are key properties of a cryptographic hash function. This work provides a working definition of the SAC, describes an experimental methodology that can be used to statistically evaluate whether a cryptographic hash meets the SAC, and uses this to investigate the degree to which compression function of the SHA-1 hash meets the SAC. The results (P 0.01) are heartening: SHA-1 closely tracks the SAC after the first 24 rounds, and demonstrates excellent properties of confusion and diffusion throughout.
- Full Text:
- Date Issued: 2016
The pattern-richness of graphical passwords
- Vorster, Johannes, Van Heerden, Renier, Irwin, Barry V W
- Authors: Vorster, Johannes , Van Heerden, Renier , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/68322 , vital:29238 , https://doi.org/10.1109/ISSA.2016.7802931
- Description: Publisher version , Conventional (text-based) passwords have shown patterns such as variations on the username, or known passwords such as “password”, “admin” or “12345”. Patterns may similarly be detected in the use of Graphical passwords (GPs). The most significant such pattern - reported by many researchers - is hotspot clustering. This paper qualitatively analyses more than 200 graphical passwords for patterns other than the classically reported hotspots. The qualitative analysis finds that a significant percentage of passwords fall into a small set of patterns; patterns that can be used to form attack models against GPs. In counter action, these patterns can also be used to educate users so that future password selection is more secure. It is the hope that the outcome from this research will lead to improved behaviour and an enhancement in graphical password security.
- Full Text: false
- Date Issued: 2016
- Authors: Vorster, Johannes , Van Heerden, Renier , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/68322 , vital:29238 , https://doi.org/10.1109/ISSA.2016.7802931
- Description: Publisher version , Conventional (text-based) passwords have shown patterns such as variations on the username, or known passwords such as “password”, “admin” or “12345”. Patterns may similarly be detected in the use of Graphical passwords (GPs). The most significant such pattern - reported by many researchers - is hotspot clustering. This paper qualitatively analyses more than 200 graphical passwords for patterns other than the classically reported hotspots. The qualitative analysis finds that a significant percentage of passwords fall into a small set of patterns; patterns that can be used to form attack models against GPs. In counter action, these patterns can also be used to educate users so that future password selection is more secure. It is the hope that the outcome from this research will lead to improved behaviour and an enhancement in graphical password security.
- Full Text: false
- Date Issued: 2016
Towards malicious network activity mitigation through subnet reputation analysis
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427799 , vital:72463 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622788_Towards_Malicious_Network_Activity_Mitigation_through_Subnet_Reputation_Analysis/links/5b9a1a88458515310583fda6/Towards-Malicious-Network-Activity-Mitigation-through-Subnet-Reputation-Analysis.pdf
- Description: Analysis technologies that focus on partial packet rather than full packet analysis have shown promise in detection of malicious activity on net-works. NetFlow is one such emergent protocol that is used to log net-work flows through summarizing key features of them. These logs can then be exported to external NetFlow sinks and proper configuration can see effective bandwidth bottleneck mitigation occurring on net-works. Furthermore, each NetFlow source node is configurable with its own unique ID number. This feature enables a system that knows where a NetFlow source node ID number resides physically to say which network flows are occurring from which physical locations irre-spective of the IP addresses involved in these network flows.
- Full Text:
- Date Issued: 2016
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427799 , vital:72463 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622788_Towards_Malicious_Network_Activity_Mitigation_through_Subnet_Reputation_Analysis/links/5b9a1a88458515310583fda6/Towards-Malicious-Network-Activity-Mitigation-through-Subnet-Reputation-Analysis.pdf
- Description: Analysis technologies that focus on partial packet rather than full packet analysis have shown promise in detection of malicious activity on net-works. NetFlow is one such emergent protocol that is used to log net-work flows through summarizing key features of them. These logs can then be exported to external NetFlow sinks and proper configuration can see effective bandwidth bottleneck mitigation occurring on net-works. Furthermore, each NetFlow source node is configurable with its own unique ID number. This feature enables a system that knows where a NetFlow source node ID number resides physically to say which network flows are occurring from which physical locations irre-spective of the IP addresses involved in these network flows.
- Full Text:
- Date Issued: 2016
- «
- ‹
- 1
- ›
- »