A Baseline Numeric Analysis of Network Telescope Data for Network Incident Discovery
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427971 , vital:72477 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: This paper investigates the value of Network Telescope data as a mechanism for network incident discovery by considering data summarization, simple heuristic identification and deviations from previously observed traffic distributions. It is important to note that the traffic observed is obtained from a Network Telescope and thus does not experience the same fluctuations or vagaries experienced by normal traffic. The datasets used for this analysis were obtained from a Network Telescope, allocated a Class-C network address block at Rhodes University, for the period August 2005 to September 2009. The nature of the datasets was considered in terms of simple statistical measures obtained through data summarization, which greatly reduced the processing and observation required to determine whether an incident had occurred. However, this raised issues relating to the time interval used for identification of an incident. A brief discussion of statistical summaries of Network Telescope data as "good" security metrics is provided. The summaries derived were then used to seek signs of anomalous network activity. Anomalous activity detected was then reconciled against incidents that had occurred in the same or a similar time interval. Incidents identified included Conficker, Win32.RinBot, DDoS and Norton Netware vulnerabilities. Detection techniques included identification of rapid growth in packet count, packet size deviations, changes in the composition of the traffic expressed as a ratio of its constituents, and changes in the modality of the data. Discussion of the appropriateness of this sort of manual analysis is provided and suggestions towards an automated solution are discussed.
- Full Text:
- Date Issued: 2011
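The summarization-and-heuristic approach described in the abstract (per-interval packet count, packet-size deviation and protocol composition ratio, compared against a baseline window), written out as an added example. This is not the paper's code: the packet records are constructed, and the thresholds are assumptions chosen for illustration.

```python
"""Interval summaries of network telescope traffic with simple heuristic flags.

Added example, not code from the paper. The packet records are constructed,
and the thresholds (growth factor, size deviation in standard deviations,
composition shift) are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

PROTOS = ("tcp", "udp", "icmp")

# Constructed records: (day, protocol, packet size in bytes). Days 1-5 are
# quiet background radiation with slightly varying UDP sizes, day 6 carries a
# burst of 400 larger UDP packets, day 7 returns to normal.
PACKETS = []
for day in range(1, 6):
    PACKETS += [(day, "tcp", 60)] * 40 + [(day, "udp", 100 + 10 * day)] * 10 + [(day, "icmp", 84)] * 5
PACKETS += [(6, "tcp", 60)] * 40 + [(6, "udp", 404)] * 400 + [(6, "icmp", 84)] * 5
PACKETS += [(7, "tcp", 60)] * 40 + [(7, "udp", 150)] * 10 + [(7, "icmp", 84)] * 5


def summarise(packets):
    """Per-day summary: packet count, mean packet size and protocol composition ratio."""
    by_day = defaultdict(list)
    for day, proto, size in packets:
        by_day[day].append((proto, size))
    summary = {}
    for day in sorted(by_day):
        rows = by_day[day]
        protos = Counter(p for p, _ in rows)
        summary[day] = {
            "count": len(rows),
            "mean_size": mean(s for _, s in rows),
            "ratio": {p: protos[p] / len(rows) for p in PROTOS},
        }
    return summary


def flag_incidents(summary, baseline_days, growth=3.0, size_sigma=3.0, ratio_shift=0.25):
    """Flag days outside the baseline window whose summary departs from baseline statistics."""
    base = [summary[d] for d in baseline_days]
    base_count = mean(s["count"] for s in base)
    base_size = mean(s["mean_size"] for s in base)
    size_sd = max(pstdev(s["mean_size"] for s in base), 1.0)   # guard against a flat baseline
    base_ratio = {p: mean(s["ratio"][p] for s in base) for p in PROTOS}
    flags = {}
    for day, s in summary.items():
        if day in baseline_days:
            continue
        reasons = []
        if s["count"] > growth * base_count:
            reasons.append("rapid packet-count growth")
        if abs(s["mean_size"] - base_size) > size_sigma * size_sd:
            reasons.append("packet-size deviation")
        if any(abs(s["ratio"][p] - base_ratio[p]) > ratio_shift for p in PROTOS):
            reasons.append("composition change")
        if reasons:
            flags[day] = reasons
    return flags


if __name__ == "__main__":
    summary = summarise(PACKETS)
    for day, s in summary.items():
        print(day, s["count"], round(s["mean_size"], 1), {p: round(r, 2) for p, r in s["ratio"].items()})
    print(flag_incidents(summary, baseline_days=(1, 2, 3, 4, 5)))
```

The interval question the abstract raises shows up directly here: the same burst spread over a week instead of a day would fall under the growth threshold with daily summaries, so the baseline window and interval length have to be chosen together.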
A netFlow scoring framework for incident detection
- Sweeney, Michael, Irwin, Barry V W
- Authors: Sweeney, Michael , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428301 , vital:72501 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9693/Sweeney_19662_2017.pdf?sequence=1andisAllowed=y
- Description: As networks have grown, so has the data available for monitoring and security purposes. This increase in volume has raised significant challenges for administrators in terms of how to identify threats amongst the large volumes of network traffic, a large part of which is often background noise. In this paper we propose a framework for scoring and coding NetFlow data with security-related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious potential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
- Full Text:
- Date Issued: 2017
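The scoring-and-coding idea from the abstract, as an added example rather than the framework's own implementation: each independent test returns a score and a code letter, the results accumulate per flow, and flows are ranked by total score. The flow records, the monitored prefix, the watched ports, the score weights and the code letters are all assumptions.

```python
"""NetFlow scoring and coding: independent tests each add a score and a code letter.

Added example, not the framework's implementation. The flow records, the
internal prefix, the watched ports, the weights and the code letters are
assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")        # assumed monitored prefix (TEST-NET-1)
WATCHED_PORTS = {23, 445, 1433, 3389}        # assumed ports of interest
SWEEP_MIN_PORTS = 4                          # distinct inbound ports per source before "sweep"

# Constructed NetFlow-style records (v5-like fields, not a real export).
FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 22, "flags": "S", "pkts": 1, "bytes": 60},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 23, "flags": "S", "pkts": 1, "bytes": 60},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 445, "flags": "S", "pkts": 1, "bytes": 60},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 3389, "flags": "S", "pkts": 1, "bytes": 60},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "proto": 6, "dport": 443, "flags": "SPA", "pkts": 40, "bytes": 5200},
    {"src": "192.0.2.11", "dst": "203.0.113.9", "proto": 6, "dport": 443, "flags": "SPA", "pkts": 900, "bytes": 1300000},
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


# Each test returns (score, code) when it fires, otherwise None.
def check_watched_port(flow, ctx):
    return (2, "W") if flow["dport"] in WATCHED_PORTS else None


def check_syn_only(flow, ctx):
    """Single-packet TCP flow carrying only SYN: no handshake completed."""
    return (1, "S") if flow["proto"] == 6 and flow["flags"] == "S" and flow["pkts"] == 1 else None


def check_bulk_outbound(flow, ctx):
    """Large transfer from an internal host to an external one."""
    if is_internal(flow["src"]) and not is_internal(flow["dst"]) and flow["bytes"] >= 1_000_000:
        return (3, "X")
    return None


def check_port_sweep(flow, ctx):
    """External source that touched many distinct ports on internal hosts."""
    return (3, "H") if len(ctx["dports_by_src"][flow["src"]]) >= SWEEP_MIN_PORTS else None


TESTS = [check_watched_port, check_syn_only, check_bulk_outbound, check_port_sweep]


def build_context(flows):
    """Cross-flow facts that a single-flow test cannot see on its own."""
    dports = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            dports[f["src"]].add(f["dport"])
    return {"dports_by_src": dports}


def score_flows(flows, tests=TESTS):
    """Apply every test to every flow; return flows ranked by cumulative score."""
    ctx = build_context(flows)
    scored = []
    for f in flows:
        score, code = 0, ""
        for t in tests:
            hit = t(f, ctx)
            if hit:
                score += hit[0]
                code += hit[1]
        scored.append({**f, "score": score, "code": code})
    return sorted(scored, key=lambda f: f["score"], reverse=True)   # stable: ties keep input order


if __name__ == "__main__":
    for f in score_flows(FLOWS):
        print(f["score"], f["code"].ljust(4), f["src"], "->", f["dst"], f["dport"])
```

The code string is what makes the ranking explainable: a flow scored 6 with code WSH was hit by the watched-port, SYN-only and sweep tests, which an analyst can read without re-running anything.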
A novel technique for artificial pack formation in African wild dogs using odour familiarity:
- Marneweck, Courtney J, Marchal, Antoine F J, Marneweck, David G, Beverley, Grant, Davies-Mostert, Harriet T, Parker, Daniel M
- Authors: Marneweck, Courtney J , Marchal, Antoine F J , Marneweck, David G , Beverley, Grant , Davies-Mostert, Harriet T , Parker, Daniel M
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/150060 , vital:38935 , https://doi.org/10.3957/056.049.0116
- Description: Reintroductions are recognized tools for species recovery. However, operations are costly, difficult to implement, and failures are common and not always understood. Their success for group-living species depends on the mimicry of natural processes that promote social integration. Due to fragmented landscapes, human mediated (i.e. artificial) group formation is often required.
- Full Text:
- Date Issued: 2019
A re-evaluation of morphological differences in the Karoo Thrush Turdus smithi–Olive Thrush Turdus olivaceus species complex
- Wilson, J W, Symes, C T, Brown, M, Bonnevie, Bo T, de Swardt, D H, Hanmer, D
- Authors: Wilson, J W , Symes, C T , Brown, M , Bonnevie, Bo T , de Swardt, D H , Hanmer, D
- Date: 2009
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/447680 , vital:74666 , https://doi.org/10.2989/OSTRICH.2009.80.3.7.970
- Description: There is confusion in the literature concerning the taxonomic status of the Turdus smithi—T. olivaceus species complex. Here we attempt to clarify morphological differences within this complex. In addition, we attempt to clarify identification of the respective taxa. Although mean measurements of morphometric features differed significantly between species and subspecies, these features are not useful in separating species or subspecies due to considerable overlap in measurements. Furthermore, there were often larger differences between subspecies of T. olivaceus (particularly the geographically isolated T. o. swynnertoni) than between T. olivaceus and T. smithi. We therefore suggest that further work investigates the elevation of T. o. swynnertoni to full species status. Plumage characteristics proved more useful in separating T. olivaceus and T. smithi in the field, except in regions where the distributions overlap (potential hybridisation zones). We highlight the importance of clarifying the delineation of separate species particularly with respect to bird census data (e.g. Southern African Bird Atlas Project 2) and studies related to these species.
- Full Text:
- Date Issued: 2009
A review of current DNS TTL practices
- Van Zyl, Ignus, Rudman, Lauren, Irwin, Barry V W
- Authors: Van Zyl, Ignus , Rudman, Lauren , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427813 , vital:72464 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622760_A_review_of_current_DNS_TTL_practices/links/5b9a16e292851c4ba8181b7f/A-review-of-current-DNS-TTL-practices.pdf
- Description: This paper provides insight into legitimate DNS domain Time to Live (TTL) activity captured over two live caching servers from the period January to June 2014. DNS TTL practices are identified and compared between frequently queried domains, with respect to the caching servers. A breakdown of TTL practices by Resource Record type is also given, as well as an analysis on the TTL choices of the most frequent Top Level Domains. An analysis of anomalous TTL values with respect to the gathered data is also presented.
- Full Text:
- Date Issued: 2015
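The breakdown by Resource Record type and by Top Level Domain, plus the search for anomalous TTL values, as an added example that is not the paper's code. The answer lines are constructed in presentation format (name, TTL, class, type, rdata), and the anomaly rule (a TTL more than a fixed factor away from the median TTL of its own record type) is an assumption; the paper's own criterion is not stated in the abstract.

```python
"""TTL practice summary and anomalies from DNS answers, by RR type and by TLD.

Added example, not the paper's code. The answer lines are constructed in
presentation format; the anomaly rule (TTL more than FACTOR away from the
median TTL of its record type) is an assumption.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed answer-section lines: name  ttl  class  type  rdata
RAW = """\
www.example.com.      300    IN  A     192.0.2.1
example.com.          3600   IN  NS    ns1.example.com.
example.com.          3600   IN  MX    10 mail.example.com.
cdn.example.net.      60     IN  A     192.0.2.2
cdn.example.net.      60     IN  A     192.0.2.3
static.example.org.   86400  IN  A     192.0.2.4
mail.example.com.     300    IN  A     192.0.2.5
ff.example.biz.       5      IN  A     192.0.2.6
api.example.net.      120    IN  AAAA  2001:db8::1
example.org.          86400  IN  NS    ns.example.org.
"""

LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$")


def parse(text):
    """Parse presentation-format answer lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append({"name": m["name"], "ttl": int(m["ttl"]),
                            "rtype": m["rtype"], "rdata": m["rdata"]})
    return records


def tld(name):
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def ttl_by_type(records):
    """Count, min, median and max TTL per Resource Record type."""
    groups = defaultdict(list)
    for r in records:
        groups[r["rtype"]].append(r["ttl"])
    return {t: {"n": len(v), "min": min(v), "median": median(v), "max": max(v)}
            for t, v in groups.items()}


def ttl_by_tld(records):
    """Median TTL per Top Level Domain."""
    groups = defaultdict(list)
    for r in records:
        groups[tld(r["name"])].append(r["ttl"])
    return {t: median(v) for t, v in groups.items()}


def anomalies(records, factor=20):
    """Names whose TTL is more than `factor` times below or above the median for their type."""
    med = {t: s["median"] for t, s in ttl_by_type(records).items()}
    return [r["name"] for r in records
            if r["ttl"] * factor < med[r["rtype"]] or r["ttl"] > med[r["rtype"]] * factor]


if __name__ == "__main__":
    recs = parse(RAW)
    print(ttl_by_type(recs))
    print(ttl_by_tld(recs))
    print(anomalies(recs))
```

Judging TTLs against the median of the same record type matters because NS and MX records are routinely cached for hours, while a 5-second TTL on an A record is the kind of value that stands out against the rest of the corpus.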
A sharing platform for Indicators of Compromise
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we describe the functionality of a proof of concept platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language, displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network-level Indicators. Accordingly we demonstrate the functionality of our proof of concept project. We discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around and downloading defence mechanisms. It is shown how threat information can be converted into different formats so that it can be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network-level defence mechanisms efficient. Two API functions of the platform are tested and are useful because they allow for the bulk sharing of threat information.
- Full Text:
- Date Issued: 2016
A tetrapod fauna from within the Devonian Antarctic Circle
- Gess, Robert W, Ahlberg, Per Erik
- Authors: Gess, Robert W , Ahlberg, Per Erik
- Date: 2009
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/72690 , vital:30100 , https://doi.org/10.1126/science.aaq1645 , https://www.sciencemag.org/content/360/6393/1120/suppl/DC1
- Description: Until now, all known fossils of tetrapods (limbed vertebrates with digits) and near-tetrapods (such as Elpistostege, Tiktaalik, and Panderichthys) from the Devonian period have come from localities in tropical to subtropical paleolatitudes. Most are from Laurussia, a continent incorporating Europe, Greenland, and North America, with only one body fossil and one footprint locality from Australia representing the southern supercontinent Gondwana. Here we describe two previously unknown tetrapods from the Late Devonian (late Famennian) Gondwana locality of Waterloo Farm in South Africa, then located within the Antarctic Circle, which demonstrate that Devonian tetrapods were not restricted to warm environments and suggest that they may have been global in distribution.
- Full Text:
- Date Issued: 2009
Abstract Algebra: MAT 311
- Authors: Makamba, B B , Murali, V
- Date: 2011-06
- Language: English
- Type: Examination paper
- Identifier: vital:17606 , http://hdl.handle.net/10353/d1009981
- Description: Algebra: MAT 311, degree examination June 2011.
- Full Text: false
- Date Issued: 2011-06
Academic Practice and Reasoning: APR 122
- Authors: Siziba, L P , Makwela, B
- Date: 2012-02
- Subjects: English
- Language: English
- Type: Examination paper
- Identifier: vital:18235 , http://hdl.handle.net/10353/d1011227
- Description: Academic Practice and Reasoning: APR 122, degree examination February 2012.
- Full Text: false
- Date Issued: 2012-02
Advanced Farm Planning and Decision Making: AGE 503
- Trollip, I R F, Kudhalande, G
- Authors: Trollip, I R F , Kudhalande, G
- Date: 2009-11
- Language: English
- Type: Examination paper
- Identifier: vital:17672 , http://hdl.handle.net/10353/d1010066
- Description: Advanced Farm Planning and Decision Making: AGE 503, honours examination November 2009.
- Full Text: false
- Date Issued: 2009-11
AfrOBIS: a marine biogeographic information system for sub-Saharan Africa
- Grundlingh, M L, St Ange, U B, Bolton, John J
- Authors: Grundlingh, M L , St Ange, U B , Bolton, John J
- Date: 2007
- Language: English
- Type: Article
- Identifier: vital:7137 , http://hdl.handle.net/10962/d1011813
- Description: AfrOBIS is one of 11 global nodes of the Ocean Biogeographic Information System (OBIS), a freely accessible network of databases collating marine data in support of the Census of Marine Life. Versatile graphic products, provided by OBIS, can be used to display the data. To date, AfrOBIS has loaded about 3.2 million records of more than 23 000 species located mainly in the seas around southern Africa. This forms part of the 13.2 million records of more than 80 000 species currently stored in OBIS. Scouting for South African data has been successful, whereas locating records in other African countries has been much less so.
- Full Text:
- Date Issued: 2007
Agrometeorology: AGC 111 and AGC 111F
- Authors: Mutengwa, C S , Maphaha, M F
- Date: 2011-06
- Language: English
- Type: Examination paper
- Identifier: vital:17634 , http://hdl.handle.net/10353/d1010012
- Description: Agrometeorology: AGC 111 and AGC 111F, degree examination June 2011.
- Full Text: false
- Date Issued: 2011-06
Agrometeorology: AGC 111 and AGC 111F
- Authors: Mutengwa, C S , Maphaha, M F
- Date: 2011-07
- Language: English
- Type: Examination paper
- Identifier: vital:17630 , http://hdl.handle.net/10353/d1010007
- Description: Agrometeorology: AGC 111 and AGC 111F, supplementary examination July 2011.
- Full Text: false
- Date Issued: 2011-07
An analysis of automatically scaled F1 layer data over Grahamstown, South Africa
- Jacobs, Linda, Poole, Allon W V, McKinnell, Lee-Anne
- Authors: Jacobs, Linda , Poole, Allon W V , McKinnell, Lee-Anne
- Date: 2004
- Language: English
- Type: text , Article
- Identifier: vital:6808 , http://hdl.handle.net/10962/d1004194
- Description: This paper describes an analysis of automatically scaled F1 layer data over Grahamstown, South Africa (33.3°S, 26.5°E). An application for real time raytracing through the South African ionosphere was identified, and for this application real time evaluation of the electron density profile is essential. Raw real time virtual height data are provided by a Lowell Digisonde (DPS), which employs the automatic scaling software, ARTIST whose output includes the virtual-to-real height data conversion. Experience has shown that there are times when the raytracing performance is degraded because of difficulties surrounding the real time characterisation of the F1 region by ARTIST. The purpose of this investigation is to establish the extent of the problem, the times and conditions under which it occurs, with a view to formulating remedial alternative strategies, such as predictive modelling.
- Full Text:
- Date Issued: 2004
An analysis on the re-emergence of SQL Slammer worm using network telescope data
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428326 , vital:72503 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9705/Chindipha_19658_2017.pdf?sequence=1ansisAllowed=y
- Description: The SQL Slammer worm is a self-propagating worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. An observation of network traffic captured by Rhodes University's network telescopes shows an escalation in the number of packets captured by the telescopes between January 2014 and December 2016, when the expected traffic was a steady decline in UDP port 1434 packets. Using data captured over a period of 84 months, the analysis done in this study identified the top ten /24 source address blocks that the Slammer worm repeatedly used for this attack, together with their geolocation. It also shows the trend of UDP 1434 packets received by the two network telescopes from January 2009 to December 2015. In line with an epidemic model, the paper shows how this traffic fits the SQL Slammer worm attack. The consistent number of packets observed in the two telescopes between 2014 and 2016 shows qualities of the Slammer worm attack. Basic time series and decomposition of additive time series graphs have been used to show the trend and the observed UDP packets over the time frame of study.
- Full Text:
- Date Issued: 2017
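The two measurements the abstract describes, the busiest source /24 blocks and the monthly UDP/1434 series with its trend component from an additive decomposition, as an added example that is not the paper's analysis code. All packet records are constructed (RFC 5737 documentation addresses, six months, two telescopes named t1 and t2), and geolocation is left out because it needs an external database.

```python
"""UDP/1434 (SQL Slammer) traffic from two telescopes: top source /24s and monthly trend.

Added example, not the paper's analysis code. All packet records are
constructed; telescope names, months and addresses are assumptions.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed records: (month, telescope, source address, protocol, destination port).
MONTHS = ["2014-01", "2014-02", "2014-03", "2014-04", "2014-05", "2014-06"]
A_COUNTS = [50, 60, 70, 120, 90, 100]        # one busy sender block, spiking in month 4
PACKETS = []
for month, a in zip(MONTHS, A_COUNTS):
    for i in range(a):
        PACKETS.append((month, "t1" if i % 2 else "t2", f"198.51.100.{i % 254 + 1}", "udp", 1434))
    for i in range(20):
        PACKETS.append((month, "t1", f"203.0.113.{i + 1}", "udp", 1434))
    for i in range(5):
        PACKETS.append((month, "t2", f"192.0.2.{i + 1}", "udp", 1434))
    for i in range(10):                      # unrelated UDP/53 noise, filtered out below
        PACKETS.append((month, "t1", f"203.0.113.{i + 1}", "udp", 53))


def slammer_packets(packets):
    """Keep only UDP datagrams to port 1434, the Slammer propagation traffic."""
    return [p for p in packets if p[3] == "udp" and p[4] == 1434]


def top_source_blocks(packets, n=10):
    """Packets per source /24, busiest first."""
    counts = Counter(str(ip_network(f"{src}/24", strict=False)) for _, _, src, _, _ in packets)
    return counts.most_common(n)


def monthly_counts(packets, months):
    """Observed packets per month, in calendar order, across both telescopes."""
    counts = Counter(m for m, *_ in packets)
    return [counts[m] for m in months]


def per_telescope(packets, months):
    """Monthly series per telescope, to check that both sensors see the same shape."""
    counts = Counter((m, t) for m, t, *_ in packets)
    scopes = sorted({t for _, t, *_ in packets})
    return {t: [counts[(m, t)] for m in months] for t in scopes}


def centred_moving_average(values, window=3):
    """Trend component of an additive decomposition; None where the window is incomplete."""
    half = window // 2
    out = [None] * len(values)
    for i in range(half, len(values) - half):
        out[i] = round(sum(values[i - half:i + half + 1]) / window, 2)
    return out


def residuals(values, trend):
    """Observed minus trend: what is left once the smooth component is removed."""
    return [None if t is None else round(v - t, 2) for v, t in zip(values, trend)]


if __name__ == "__main__":
    pk = slammer_packets(PACKETS)
    print(top_source_blocks(pk))
    series = monthly_counts(pk, MONTHS)
    trend = centred_moving_average(series)
    print(series, trend, residuals(series, trend))
    print(per_telescope(pk, MONTHS))
```

Aggregating by /24 rather than by host is what makes a long-lived infected block visible: individual Slammer sources churn, but the block they sit in keeps sending, and a centred moving average separates that slow drift from a one-month spike.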
An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427630 , vital:72452 , https://www.researchgate.net/profile/Stones-Chindi-pha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) has techniques that have been used to gauge the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarities in duplicated images, for native language identification, to optimize algorithms, among others. With this notion, this study proposes the use of four Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling the ports seen in a /24 IPv4 net-block into smaller subnet equivalents. Using IR, this paper shows how the ports found in a /24 IPv4 net-block relate to those found in the smaller subnet equivalents. Using Internet Background Radiation (IBR) data collected at Rhodes University, the study found compelling evidence of the viability of using such techniques in sampling datasets, essentially being able to identify the variation that comes with sampling the baseline dataset. It shows how the various samples are similar to the baseline dataset. The correlation observed in the scores shows how viable these techniques are for quantifying variations in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (the IPv4 net-block dataset).
- Full Text:
- Date Issued: 2019
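The comparison the abstract describes, scoring each smaller sub-block of a /24 against the full /24 port population and picking the smallest sub-block that still represents it, as an added example that is not the paper's code. The abstract does not name the four IR techniques used, so the four here (Jaccard, Dice, overlap coefficient and cosine similarity over per-port host counts) are assumptions, and the per-host port observations are constructed rather than captured IBR data.

```python
"""Similarity of port populations between a /24 IBR baseline and its sub-blocks.

Added example, not the paper's code. The four measures (Jaccard, Dice,
overlap coefficient, cosine over port counts) are assumptions, as is the
constructed per-host port pattern.
"""
from collections import Counter
from math import sqrt


def host_ports(i):
    """Constructed: destination ports seen at host i of the /24 (0 <= i < 256)."""
    ports = {22, 23, 445, 1000 + i % 100}    # three common ports plus one host-specific port
    if i % 16 == 0:
        ports.add(3389)                        # a rarer port seen on one host in sixteen
    return ports


def block_counter(start, size):
    """Port -> number of hosts in [start, start + size) that saw the port."""
    counts = Counter()
    for i in range(start, start + size):
        counts.update(host_ports(i))
    return counts


def jaccard(a, b):
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb)


def dice(a, b):
    sa, sb = set(a), set(b)
    return 2 * len(sa & sb) / (len(sa) + len(sb))


def overlap(a, b):
    """Overlap coefficient: 1.0 whenever one port set contains the other."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / min(len(sa), len(sb))


def cosine(a, b):
    """Cosine similarity of the per-port host-count vectors (term-frequency style)."""
    dot = sum(a[p] * b[p] for p in a.keys() & b.keys())
    return dot / (sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values())))


MEASURES = {"jaccard": jaccard, "dice": dice, "overlap": overlap, "cosine": cosine}


def evaluate(prefix_len):
    """Mean similarity of every /prefix_len sub-block to the full /24 baseline."""
    baseline = block_counter(0, 256)
    size = 2 ** (32 - prefix_len)
    blocks = [block_counter(start, size) for start in range(0, 256, size)]
    return {name: round(sum(fn(b, baseline) for b in blocks) / len(blocks), 4)
            for name, fn in MEASURES.items()}


def best_prefix(prefixes=(25, 26, 27, 28), measure="jaccard", threshold=0.9):
    """Smallest sub-block whose mean score still meets the threshold, or None."""
    for p in sorted(prefixes, reverse=True):   # /28 first: the smallest sample
        if evaluate(p)[measure] >= threshold:
            return p
    return None


if __name__ == "__main__":
    for p in (25, 26, 27, 28):
        print(f"/{p}", evaluate(p))
    print("smallest representative sub-block:", best_prefix())
```

Running it shows why the choice of measure matters for this question: a sub-block's port set is always contained in the /24's, so the overlap coefficient scores every sample 1.0 and says nothing, while Jaccard and Dice fall as the sample shrinks and cosine additionally weights ports by how many hosts saw them.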
An Evaluation of Trading Bands as Indicators for Network Telescope Datasets
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428013 , vital:72480 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: Large scale viral outbreaks such as Conficker, the Code Red worm and the Witty worm illustrate the importance of monitoring malevolent activity on the Internet. Careful monitoring of anomalous traffic allows organizations to react appropriately and in a timely fashion to minimize economic damage. Network telescopes, a type of Internet monitor, provide analysts with a way of decoupling anomalous traffic from legitimate traffic. Data from network telescopes is used by analysts to identify potential incidents by comparing recent trends with historical data. Analysis of network telescope datasets is complicated by the large quantity of data present, the number of subdivisions within the data and the uncertainty associated with received traffic. While there is considerable research being performed in the field of network telescopes, little of this work is concerned with the analysis of alternative methods of incident identification. This paper considers trading bands, a subfield of technical analysis, as an approach to identifying potential Internet incidents such as worms. Trading bands construct boundaries that are used for measuring when certain quantities are high or low relative to recent values. This paper considers Bollinger Bands and associated Bollinger Indicators, Price Channels and Keltner Channels. These techniques are evaluated as indicators of malevolent activity by considering how these techniques react to incidents identified in the captured data from a network telescope.
- Full Text:
- Date Issued: 2011
An exploration of geolocation and traffic visualisation using network flows
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2014
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/429597 , vital:72625 , 10.1109/ISSA.2014.6950
- Description: A network flow is a data record that represents characteristics associated with a unidirectional stream of packets transmitted between two hosts using an IP layer protocol. As a network flow only represents statistics relating to the data transferred in the stream, the effectiveness of utilizing network flows for traffic visualization to aid in cyber defense is not immediately apparent and needs further exploration. The goal of this research is to explore the use of network flows for data visualization and geolocation.
- Full Text:
- Date Issued: 2014
An Exploratory Framework for Extrusion Detection
- Stalmans, Etienne, Irwin, Barry V W
- Authors: Stalmans, Etienne , Irwin, Barry V W
- Date: 2012
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428027 , vital:72481 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622736_An_Exploratory_Framework_for_Extrusion_Detection/links/5b9a12ba299bf14ad4d6a3d7/An-Exploratory-Framework-for-Extrusion-Detection.pdf
- Description: Modern network architecture allows multiple connectivity options, increasing the number of possible attack vectors. With the number of internet enabled devices constantly increasing, along with employees using these devices to access internal corporate networks, the attack surface has become too large to monitor from a single end-point. Traditional security measures have focused on securing a small number of network endpoints by monitoring inbound connections, and are thus blind to attack vectors such as mobile internet connections and removable devices. Once an attacker has gained access to a network they are able to operate undetected on the internal network and exfiltrate data without hindrance. This paper proposes a framework for extrusion detection, where internal network traffic and outbound connections are monitored to detect malicious activity. The proposed framework has a tiered architecture consisting of prevention, detection, reaction and reporting. Each tier of the framework feeds into the subsequent tier, with reporting providing a feedback mechanism to improve each tier based on the outcome of previous incidents.
- Full Text:
- Date Issued: 2012
An IMS subscriber location function for OpenBaton—A standards based MANO environment
- Tsietsi, Mosiuoa, Chindeka, Tapiwa C, Terzoli, Alfredo
- Authors: Tsietsi, Mosiuoa , Chindeka, Tapiwa C , Terzoli, Alfredo
- Date: 2017
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430567 , vital:72700 , 10.1109/AFRCON.2017.8095600
- Description: In the past, virtualisation, and with it the move toward the cloud, has had a strong influence on the ICT (Information Communication Technology) sector, and now seems set to revolutionise the telecommunications sector as well. The virtualisation into software artefacts of functions that would usually be deployed as hardware has come to be known as Network Function Virtualisation (NFV), and the European Telecommunications Standards Institute (ETSI) through its MANO (Management and Orchestration) framework has outlined comprehensively how such functions could be orchestrated and managed over infrastructure such as the cloud. A set of functions of particular interest are the call session control functions (CSCFs) and HSS (Home Subscriber Server) of the IP Multimedia System (IMS), which perform signalling and authentication functions for multimedia calls in contexts such as Voice over LTE (VoLTE). IMS has enjoyed significant focus in the past from the research community; as such, an implementation of an IMS service package has been provided in an open source MANO-compliant implementation called OpenBaton. While the service package provides the IMS CSCFs and HSS, it does not include a Subscriber Location Function (SLF), which provides a mapping function to map a subscriber identity to a hosting HSS. The SLF is an important element for building distributed networks that partition user data into multiple databases, and as such represents a useful inclusion to the developer community. This paper describes an extension to the OpenBaton service package that includes an SLF for partitioning large user populations across multiple HSSes and resolving individual addresses in real-time.
- Full Text:
- Date Issued: 2017