Investigating the utilization of the secure hash algorithm to generate electromagnetic noise
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430222 , vital:72674 , https://doi.org/10.1145/3163080.3163089
- Description: This research introduces an electromagnetic (EM) noise generator, known as the FRIES noise generator, to mitigate and obfuscate Side Channel Analysis (SCA) attacks against a Raspberry Pi. The FRIES noise generator utilizes the Secure Hash Algorithm (SHA) implementation from OpenSSL to generate white noise within the EM spectrum. This research further contributes to the body of knowledge by demonstrating that the SHA implementations of libcrypto++ and OpenSSL have different EM signatures. It was further revealed that as a more secure variant of the SHA was executed, additional data lines were used, resulting in increased EM emissions. It was demonstrated that the OpenSSL implementation of the SHA was more optimized than the libcrypto++ implementation, utilizing fewer resources and not leaving the device in a bottleneck. The FRIES daemon added noise to the EM leakage, which prevents the visual location of the AES-128 cryptographic implementation. Finally, the cross-correlation test demonstrated that the EM features of the AES-128 algorithm were not detected within the FRIES noise.
- Full Text:
- Date Issued: 2017
JSON schema for attribute-based access control for network resource security
- Linklater, Gregory, Smith, Christian, Connan, James, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Smith, Christian , Connan, James , Herbert, Alan , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428368 , vital:72506 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9820/Linklater_19660_2017.pdf?sequence=1andisAllowed=y
- Description: Attribute-based Access Control (ABAC) is an access control model where authorization for an action on a resource is determined by evaluating attributes of the subject, resource (object) and environment. The attributes are evaluated against Boolean rules of varying complexity. ABAC rule languages are often based on serializable object modeling and schema languages, as in the case of XACML, which is based on XML Schema. XACML is a standard by OASIS and is the current de facto standard for ABAC. While a JSON profile for XACML exists, it is simply a compatibility layer for using JSON in XACML that caters to the XML object model paradigm, as opposed to the JSON object model paradigm. This research proposes JSON Schema as a modeling language that caters to the JSON object model paradigm on which to base an ABAC rule language. It continues to demonstrate its viability for the task by comparison against the features provided to XACML by XML Schema.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427740 , vital:72459 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428383 , vital:72507 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
SHA-1, SAT-solving, and CNF
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428408 , vital:72509 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9692/Motara_19661_2017.pdf?sequence=1andisAllowed=y
- Description: Finding a preimage for a SHA-1 hash is, at present, a computationally intractable problem. SAT-solvers have been useful tools for handling such problems and can often, through heuristics, generate acceptable solutions. This research examines the intersection between the SHA-1 preimage problem, the encoding of that problem for SAT-solving, and SAT-solving itself. The results demonstrate that SAT-solving is not yet a viable approach to solving the preimage problem, and also indicate that some of the intuitions about “good” problem encodings in the literature are likely to be incorrect.
- Full Text:
- Date Issued: 2017
Weems: An extensible HTTP honeypot
- Pearson, Deon, Irwin, Barry V W, Herbert, Alan
- Authors: Pearson, Deon , Irwin, Barry V W , Herbert, Alan
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428396 , vital:72508 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9691/Pearson_19652_2017.pdf?sequence=1andisAllowed=y
- Description: Malicious entities are constantly trying their luck at exploiting known vulnerabilities in web services in an attempt to gain unauthorized access to resources. For this reason security specialists deploy various network defenses with the goal of preventing these threats; one such tool is the web-based honeypot. Historically a honeypot is deployed facing the Internet to masquerade as a live system, with the intention of attracting attackers away from the valuable data. Researchers adapted these honeypots and turned them into a platform for studying and understanding web attacks and threats on the Internet. Having the ability to develop a honeypot that replicates a specific service means researchers can now study the behavior patterns of threats, giving a better understanding of how to defend against them. This paper discusses a high-level design and implementation of Weems, a low-interaction, web-based, modular HTTP honeypot system. It also presents results obtained from various deployments over a period of time and what can be interpreted from these results.
- Full Text:
- Date Issued: 2017
A multi-threading approach to secure VERIFYPIN
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429244 , vital:72570 , https://ieeexplore.ieee.org/abstract/document/7802952
- Description: This research investigates the use of a multi-threaded framework as a software countermeasure to prevent attacks on the verifypin process in a PIN-acceptance program. The implementation runs various mathematical operations alongside the PIN-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes an improved version of the PIN-acceptance program by segmenting the program. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its own thread. Furthermore, the order of the verifying threads is randomised. This further assists in obfuscating the point at which the system checks for a correct character. Finally, the research demonstrates that this approach is more secure than the conventional countermeasures of random time delays and insertion of dummy code.
- Full Text:
- Date Issued: 2016
A sharing platform for Indicators of Compromise
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we will describe the functionality of a proof-of-concept platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language and displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network-level Indicators. Accordingly we demonstrate the functionality of our proof-of-concept project. We will discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around, and downloading defense mechanisms. It will be shown how threat information can be converted into different formats so that it can be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network-level defense mechanisms efficient. Two API functions of the platform will be successfully tested and are useful because they allow for the bulk sharing of threat information.
- Full Text:
- Date Issued: 2016
Adaptable exploit detection through scalable netflow analysis
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429274 , vital:72572 , https://ieeexplore.ieee.org/abstract/document/7802938
- Description: Full packet analysis on firewalls and intrusion detection systems, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations in Metasploit and through hand-crafted reconstructions of exploits from known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further increase the Bolvedere system's attack detection capability.
- Full Text:
- Date Issued: 2016
An overview of linux container based network emulation
- Peach, Schalk, Irwin, Barry V W, van Heerden, Renier
- Authors: Peach, Schalk , Irwin, Barry V W , van Heerden, Renier
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430095 , vital:72665 , https://www.proceedings.com/30838.html
- Description: The objective of this paper is to assess the current state of Container-Based Emulator implementations on the Linux platform. Through a narrative overview, a selection of open source Container-Based Emulators are analysed to collect information regarding the technologies used to construct them and to assess the current state of this emerging technology. Container-Based Emulators allow the creation of small emulated networks on commodity hardware through the use of kernel-level virtualization techniques, also referred to as containerisation. Container-Based Emulators act as a management tool to control containers and the applications that execute within them. The ability of Container-Based Emulators to create repeatable and controllable test networks makes them ideal for use as training and experimentation tools in the information security and network management fields. Due to their ease of use and low hardware requirements, the tools present a low-cost alternative to other forms of network experimentation platform. Through a review of current literature and source code, the current state of Container-Based Emulators is assessed.
- Full Text:
- Date Issued: 2016
Characterization and Analysis of NTP Amplifier Traffic
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429482 , vital:72616 , 10.23919/SAIEE.2016.8531542
- Description: Network Time Protocol based DDoS attacks saw a lot of popularity throughout 2014. This paper shows the characterization and analysis of two large datasets containing packets from NTP based DDoS attacks captured in South Africa. Using a series of Python based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The Time-to-Live values are then analysed as a whole to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting. The paper discusses our work with two brief case studies correlating observed data to real-world attacks, and the observable impact thereof.
- Full Text:
- Date Issued: 2016
Design of a Configurable Embedded Network Tap Flow Generation using NetFlow v9 and IPFIX Formats
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427756 , vital:72460 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622779_Design_of_a_Configurable_Embedded_Network_Tap_Flow_Generation_using_NetFlow_v9_and_IPFIX_Formats/links/5b9a19f2299bf14ad4d6a591/Design-of-a-Configurable-Embedded-Network-Tap-Flow-Generation-using-NetFlow-v9-and-IPFIX-Formats.pdf
- Description: This paper describes the design of a $200 hardware apparatus capable of passively monitoring network transmission at wire speeds of 100Mbit/s and generating NetFlow v9 or IPFIX compliant network flows for a downstream monitoring infrastructure. Testing of the apparatus hardware confirmed no network disruptions regardless of operational or power state while still being capable of correctly monitoring network traffic when configured. System testing under situations of heavy load confirmed apparatus capability at monitoring network traffic and correct generation of network flows compliant with either NetFlow v9 or IPFIX standards.
- Full Text:
- Date Issued: 2016
Detecting derivative malware samples using deobfuscation-assisted similarity analysis
- Wrench, Peter, Irwin, Barry V W
- Authors: Wrench, Peter , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429494 , vital:72617 , 10.23919/SAIEE.2016.8531543
- Description: The abundance of PHP-based Remote Access Trojans (or web shells) found in the wild has led malware researchers to develop systems capable of tracking and analysing these shells. In the past, such shells were ably classified using signature matching, a process that is currently unable to cope with the sheer volume and variety of web-based malware in circulation. Although a large percentage of newly-created webshell software incorporates portions of code derived from seminal shells such as c99 and r57, they are able to disguise this by making extensive use of obfuscation techniques intended to frustrate any attempts to dissect or reverse engineer the code. This paper presents an approach to shell classification and analysis (based on similarity to a body of known malware) in an attempt to create a comprehensive taxonomy of PHP-based web shells. Several different measures of similarity were used in conjunction with clustering algorithms and visualisation techniques in order to achieve this. Furthermore, an auxiliary component capable of syntactically deobfuscating PHP code is described. This was employed to reverse idiomatic obfuscation constructs used by software authors. It was found that this deobfuscation dramatically increased the observed levels of similarity by exposing additional code for analysis.
- Full Text:
- Date Issued: 2016
Developing a Multi Platform Countermeasure to Ensure a Secure Home
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427772 , vital:72461 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/312219190_Developing_a_Multi_Platform_Countermeasure_to_Ensure_a_Secure_Home/links/587747d508ae8fce492fb5e2/Developing-a-Multi-Platform-Countermeasure-to-Ensure-a-Secure-Home.pdf
- Description: This research proposes an investigation into side channel analysis attacks against the AES algorithm on high-powered devices. Currently the research field in this area is fairly new and there is room for more information to be discovered. This research proposes using a Raspberry Pi in conjunction with a Software Defined Radio to capture electromagnetic emanations in the low and high frequency domains. Two well-known side channel attacks will be used to recover the secret information from the electromagnetic emanations. Furthermore, this research proposes investigating a possible software countermeasure that uses the features of high-powered devices, such as multi-threading.
- Full Text:
- Date Issued: 2016
Dridex: Analysis of the traffic and automatic generation of IOCs
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429525 , vital:72619 , https://ieeexplore.ieee.org/abstract/document/7802932
- Description: In this paper we present a framework that generates network Indicators of Compromise (IOCs) automatically from a malware sample after dynamic runtime analysis. The framework addresses the limitations of manual Indicator of Compromise generation and utilises a sandbox environment in which to perform the malware analysis. We focus on the generation of network-based IOCs from captured traffic files (PCAPs) generated by the dynamic malware analysis. The Cuckoo Sandbox environment is used for the analysis and the setup is described in detail. Accordingly, we discuss the concept of IOCs and the popular formats used, as there is currently no standard. As an example of how the proof-of-concept framework can be used, we chose 100 Dridex malware samples, evaluated the traffic and showed what can be used for the generation of network-based IOCs. Results of our system confirm that we can create IOCs from dynamic malware analysis and avoid the legitimate background traffic originating from the sandbox system. We also briefly discuss the sharing and application of the generated IOCs and the number of systems that can be used to share them. Lastly, we discuss how they can be useful in combating cyber threats.
- Full Text:
- Date Issued: 2016
Evaluating the multi-threading countermeasure
- Frieslaar, Ibrahim, Irwin, Barry V W
- Authors: Frieslaar, Ibrahim , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428352 , vital:72505 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9041/Frieslaar_2016.pdf?sequence=1&isAllowed=y
- Description: This research investigates the resistance of the multi-threaded countermeasure to side channel analysis (SCA) attacks. The multi-threaded countermeasure is attacked using Correlation Power Analysis (CPA) and template attacks. Additionally, it is compared to the existing hiding countermeasure. Furthermore, additional signal processing techniques are used to increase the attack success ratio. It is demonstrated that the multi-threaded countermeasure is able to outperform the existing countermeasures by withstanding the CPA and template attacks. Furthermore, the multi-threaded countermeasure is unaffected by the elastic alignment and filtering techniques, as opposed to the existing countermeasures. The research concludes that the multi-threaded countermeasure is indeed a secure implementation to mitigate SCA attacks.
- Full Text:
- Date Issued: 2016
Improving Fidelity in Internet Simulation through Packet Injection
- Koorn, Craig, Irwin, Barry V W, Herbert, Alan
- Authors: Koorn, Craig , Irwin, Barry V W , Herbert, Alan
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427786 , vital:72462 , https://www.researchgate.net/profile/Barry-Irwin/publication/327622877_Improving_Fidelity_in_Internet_Simulation_through_Packet_Injection/links/5b9a1a47458515310583fd8a/Improving-Fidelity-in-Internet-Simulation-through-Packet-Injection.pdf
- Description: This paper describes the extension implemented to the NKM Internet simulation system, which allows for the improved injection of packet traffic at arbitrary nodes, and the replay of previously recorded streams. The latter function allows for the relatively easy implementation of Internet Background Radiation (IBR) within the simulated portion of the Internet. This feature thereby enhances the degree of realism of the simulation, and allows for certain pre-determined traffic, such as scanning activity, to be injected and observed by client systems connected to the simulator.
- Full Text:
- Date Issued: 2016
Investigating multi-thread utilization as a software defence mechanism against side channel attacks
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2016
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430190 , vital:72672 , https://doi.org/10.1145/3015166.3015176
- Description: A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
- Full Text:
- Date Issued: 2016
Sha-1 and the strict avalanche criterion
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429010 , vital:72553 , https://ieeexplore.ieee.org/abstract/document/7802926
- Description: The Strict Avalanche Criterion (SAC) is a measure of both confusion and diffusion, which are key properties of a cryptographic hash function. This work provides a working definition of the SAC, describes an experimental methodology that can be used to statistically evaluate whether a cryptographic hash meets the SAC, and uses this to investigate the degree to which the compression function of the SHA-1 hash meets the SAC. The results (P 0.01) are heartening: SHA-1 closely tracks the SAC after the first 24 rounds, and demonstrates excellent properties of confusion and diffusion throughout.
- Full Text:
- Date Issued: 2016
The pattern-richness of graphical passwords
- Vorster, Johannes, Van Heerden, Renier, Irwin, Barry V W
- Authors: Vorster, Johannes , Van Heerden, Renier , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/68322 , vital:29238 , https://doi.org/10.1109/ISSA.2016.7802931
- Description: Publisher version , Conventional (text-based) passwords have shown patterns such as variations on the username, or known passwords such as “password”, “admin” or “12345”. Patterns may similarly be detected in the use of Graphical passwords (GPs). The most significant such pattern - reported by many researchers - is hotspot clustering. This paper qualitatively analyses more than 200 graphical passwords for patterns other than the classically reported hotspots. The qualitative analysis finds that a significant percentage of passwords fall into a small set of patterns; patterns that can be used to form attack models against GPs. In counter action, these patterns can also be used to educate users so that future password selection is more secure. It is the hope that the outcome from this research will lead to improved behaviour and an enhancement in graphical password security.
- Full Text: false
- Date Issued: 2016