An Evaluation Of Scan-Detection Algorithms In Network Intrusion Detection Systems
- Barnett, Richard J, Irwin, Barry V W
- Authors: Barnett, Richard J , Irwin, Barry V W
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428701 , vital:72530 , https://digifors.cs.up.ac.za/issa/2008/Proceedings/Research/29.pdf
- Description: Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro's scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro. This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.
- Full Text:
- Date Issued: 2008
Spam Construction Trends
- Irwin, Barry V W, Friedman, Blake
- Authors: Irwin, Barry V W , Friedman, Blake
- Date: 2008
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428762 , vital:72534 , https://www.researchgate.net/profile/Barry-Ir-win/publication/220803159_Spam_Construction_Trends/links/53fc76bd0cf2dca8ffff22fb/Spam-Construction-Trends.pdf
- Description: This paper replicates and extends Observed Trends in Spam Construction Techniques: A Case Study of Spam Evolution. A corpus of 169,274 spam emails was collected over a period of five years. Each spam email was tested for construction techniques using SpamAssassin's spamicity tests. The results of these tests were collected in a database. Formal definitions of Pu and Webb's co-existence, extinction and complex trends were developed and applied to the results within the database. A comparison of the Spam Evolution Study and this paper's results took place to determine the relevance of the trends. A geolocation analysis was conducted on the corpus, as an extension, to determine the major geographic sources of the corpus.
- Full Text:
- Date Issued: 2008
Identifying and Investigating Intrusive Scanning Patterns by Visualizing Network Telescope Traffic in a 3-D Scatter-plot
- van Riel, Jean-Pierre, Irwin, Barry V W
- Authors: van Riel, Jean-Pierre , Irwin, Barry V W
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428719 , vital:72531 , https://citeseerx.ist.psu.edu/document?repid=rep1type=pdfanddoi=aeb0738f0e53a8c9f407fee7e55c852643f2644c
- Description: Detecting and investigating intrusive Internet activity is an ever-present challenge for network administrators and security researchers. Network monitoring can generate large, unmanageable amounts of log data, which further complicates distinguishing between illegitimate and legitimate traffic. Considering the above issue, this article has two aims. First, it describes an investigative methodology for network monitoring and traffic review; and second, it discusses results from applying this method. The method entails a combination of network telescope traffic capture and visualisation. Observing traffic from the perspective of a dedicated sensor network reduces the volume of data and alleviates the concern of confusing malicious traffic with legitimate traffic. Complementing this, visual analysis facilitates the rapid review and correlation of events, thereby utilizing human intelligence in the identification of scanning patterns. To demonstrate the proposed method, several months of network telescope traffic is captured and analysed with a tailor-made 3D scatter-plot visualisation. As the results show, the visualisation saliently conveys anomalous patterns, and further analysis reveals that these patterns are indicative of covert network probing activity. By incorporating visual analysis with traditional approaches, such as textual log review and the use of an intrusion detection system, this research contributes improved insight into network scanning incidents.
- Full Text:
- Date Issued: 2006
Integrating Secure RTP into the Open Source VoIP PBX Asterisk
- Clayton, Bradley, Irwin, Barry V W, Terzoli, Alfredo
- Authors: Clayton, Bradley , Irwin, Barry V W , Terzoli, Alfredo
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428735 , vital:72532 , https://d1wqtxts1xzle7.cloudfront.net/84872934/66_Paper-libre.pdf?1650920302=response-content-disposi-tion=inline%3B+filename%3DIntegrating_Secure_RTP_into_the_Open_Sou.pdfExpires=1714744382Signature=PijjCGW0qcvkqRe-2R55HocKLvz9Ljw8jmhQvRQEi9YqJl7eWSiYnvs9CogY4u4bmDTYTLpvkA-nlfbiszg-s7Cq2nbLn3PUdfJ5cA11ujboi~i7oSoem7smuN1YCVZlg7FnZRd6mOXdTry9UAh8TlWyndF6pY1RXtc7bgb5cWeK4ggJ7~bM0HUXEbUKKa-abCZnGNrAZ59JIdL6CNx1Sht3o5mZTcyRL3PNVSOz17lldXi4FsAOEUwsVV-uv04hzp6pe6Qv5WbAP6tqk7deyoLUwk58A9F-PaJlOLy2gDAVLnbKT8RrxYg8tqv8SuBhPWb32CefBxv486N3F6izZw__Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the need to transport data in real-time, often at the expense of security. The neglect of secure VoIP is often intentional, as developers are striving to minimise overheads and delays. The Secure Real-Time Protocol (SRTP) has the potential to secure real-time streams without exacting too high a performance price. SRTP is the addition of security to the audio/video profile used in the Real-Time Transport Protocol (RTP). SRTP adds confidentiality, integrity and optionally authenticity to RTP media streams. This paper focuses on the integration of SRTP into Asterisk, an open-source VoIP PBX. SRTP support has recently been added to Asterisk by Mikael Magnusson. This paper analyses Magnusson's implementation, contrasting it to a proof-of-concept implementation developed independently at Rhodes University. The interoperability of SRTP implementations cannot be taken for granted, given the relatively recent standardization of the protocol, and so Magnusson's implementation is tested against another SRTP implementation. Finally, the paper highlights a major shortcoming in Magnusson's implementation, namely that the exchange of encryption keys is done in the clear. It concludes by proposing possible solutions, such as TLS, IPSec and MIKEY.
- Full Text:
- Date Issued: 2006
The Need for Centralised, Cross Platform Information Aggregation
- Otten, Fred, Irwin, Barry V W, Slay, Hannah
- Authors: Otten, Fred , Irwin, Barry V W , Slay, Hannah
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428773 , vital:72535 , https://d1wqtxts1xzle7.cloudfront.net/2355475/8jlt6v8tz4wmhs6.pdf?1425084143=response-content-disposi-tion=inline%3B+filename%3DThe_need_for_centralised_cross_platform.pdfExpires=1714743760Signature=fsImuFaOfYc2FtUC88DqRrK1Anh84~rvBsZt2j46BfPyKMbbmswGZN5E2ajRJ7tZi5SZ4zQJvI5U6L47nmoXlNA0~Vo3pON-sYEo6Kn3TiTLvxwUpPQALnP7IvL-EEhgh11T-OuNZf0Q8QArxk6iqi4zjiOYbHUb~FDWw8MJ7ekH~frNS75mDrjpZ4xL8MqPNRHctaR3E5m~4i71SYO8hfbZw4vu7AhNNNvrRoIhbtLCEUsg-j7TkBDgVHts8LCsM5knmEKwgQTSBQTkLoRuNmXngqYikjvL7jUuHXibjSVaMSD78WRqXE~LDDkT7KXU7EbkPXzjRYJyamQ5qDXa3A__ey-Pair-Id=APKAJLOHF5GGSLRBV4ZA
- Description: With the move towards global and multi-national companies, information technology infrastructure requirements are increasing. As the size of these computer networks increases, it becomes more and more difficult to monitor, control, and secure them. Network security involves the creation of large amounts of information in the form of logs and messages from a number of diverse devices, sensors, and gateways which are often spread over large geographical areas. This makes monitoring and control difficult, and hence poses security problems. The aggregation of information is necessary in information audits, intrusion detection, network monitoring and management. The use of different platforms and devices complicates the problem, and makes aggregation more difficult. Network security administrators and security researchers require aggregation to simplify the analysis and comprehension of activity across the entire network. Centralised information aggregation will help deal with redundancy, analysis, monitoring and control. This aids the detection of widespread attacks on global organisational networks, improving intrusion detection and mitigation. This paper discusses and motivates the need for centralised, cross-platform information aggregation in greater detail. It also suggests methods which may be used, discusses the security issues, and gives the advantages and disadvantages of aggregation.
- Full Text:
- Date Issued: 2006
Towards Central Vulnerability Management By Mobile Phone Operators
- Moyo, Thamsanqa, Irwin, Barry V W, Wright, Madeleine
- Authors: Moyo, Thamsanqa , Irwin, Barry V W , Wright, Madeleine
- Date: 2006
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428787 , vital:72536 , https://www.researchgate.net/profile/Barry-Ir-win/publication/237107512_Securing_mobile_commerce_interactions_through_secure_mobile_web_services/links/5b9a5898a6fdccd3cb4ff6cf/Securing-mobile-commerce-interactions-through-secure-mobile-web-services.pdf
- Description: The application of XML-based approaches in passing vulnerability information between vulnerability management devices or software residing on wired networks has been demonstrated. We propose a proof-of-concept framework for mobile operators that extends this use of XML into the area of vulnerability management on public land mobile networks. Our proposed framework allows for pro-active central management of vulnerabilities found on mobile stations such as mobile phones. Despite the relatively limited number of reported vulnerabilities on mobile stations, such a pre-emptive approach from mobile operators is necessary to acquire the confidence of early adopters in Mobile Commerce. Given the diverse collection of devices and software that exist on a public land mobile network, XML-based approaches are best able to provide the inter-operability required for vulnerability management on such a network. Our proposed framework leverages web services by using the Open Vulnerability Assessment Language (OVAL) to provide vulnerability descriptions, and by securing these descriptions in SOAP messages conforming to the OASIS Web Services Security (WSS) standard. We contribute in three areas: firstly, through this framework we show that mobile operators can carry out centralized vulnerability management on their public land mobile networks comprising a wide variety of devices and software. Secondly, the assurance of integrity, confidentiality and non-repudiation inherently lacking in OVAL vulnerability descriptions is achieved through their encapsulation in SOAP messages conforming to the OASIS WSS standard. Thirdly, SOAP-based web service implementations allow for integration with vulnerability management tools and devices that do not conform to OVAL.
- Full Text:
- Date Issued: 2006