
Publication


Featured research published by Barry Irwin.


Information Security for South Africa | 2011

A framework for DNS based detection and mitigation of malware infections on a network

Etienne Stalmans; Barry Irwin

Modern botnet trends have led to the use of IP and domain fast-fluxing to avoid detection and increase resilience. These techniques bypass traditional detection systems such as blacklists and intrusion detection systems. The Domain Name Service (DNS) is one of the most prevalent protocols on modern networks and is essential for the correct operation of many network activities, including botnet activity. For this reason DNS forms the ideal candidate for monitoring, detecting and mitigating botnet activity. In this paper a system placed at the network edge is developed with the capability to detect fast-flux domains using DNS queries. Multiple domain features were examined to determine which would be most effective in the classification of domains. This is achieved using a C5.0 decision tree classifier and Bayesian statistics, with positive samples being labelled as potentially malicious and negative samples as legitimate domains. The system detects malicious domain names with a high degree of accuracy, minimising the need for blacklists. Statistical methods, namely Naive Bayesian, Bayesian, Total Variation distance and Probability distribution, are applied to detect malicious domain names. The detection techniques are tested against sample traffic and it is shown that malicious traffic can be detected with low false positive rates.


Computer Graphics, Virtual Reality, Visualisation and Interaction in Africa | 2006

InetVis, a visual tool for network telescope traffic analysis

Jean-Pierre van Riel; Barry Irwin

This article illustrates the merits of visual analysis as it presents preliminary findings using InetVis - an animated 3-D scatter plot visualization of network events. The concepts and features of InetVis are evaluated with reference to related work in the field. Tested against a network scanning tool, anticipated visual signs of port scanning and network mapping serve as a proof of concept. This research also unveils substantial amounts of suspicious activity present in Internet traffic during August 2005, as captured by a class C network telescope. InetVis is found to have promising scalability whilst offering salient depictions of intrusive network activity.


South African Institute of Computer Scientists and Information Technologists | 2010

Parallel packet classification using GPU co-processors

Alastair Nottingham; Barry Irwin

In the domain of network security, packet filtering for classification purposes is of significant interest. Packet classification provides a mechanism for understanding the composition of packet streams arriving at distinct network interfaces, and is useful in diagnosing threats and uncovering vulnerabilities so as to maximise data integrity and system security. Traditional packet classifiers, such as PCAP, have utilised Control Flow Graphs (CFGs) in representing filter sets, due to both their amenability to optimisation, and their inherent structural applicability to the metaphor of decision-based classification. Unfortunately, CFGs do not map well to cooperative processing implementations, and single-threaded CPU-based implementations have proven too slow for real-time classification against multiple arbitrary filters on next generation networks. In this paper, we consider a novel multithreaded classification algorithm, optimised for execution on GPU co-processors, intended to accelerate classification throughput and maximise processing efficiency in a highly parallel execution context.


South African Institute of Computer Scientists and Information Technologists | 2009

GPU packet classification using OpenCL: a consideration of viable classification methods

Alastair Nottingham; Barry Irwin

Packet analysis is an important aspect of network security, which typically relies on a flexible packet filtering system to extrapolate important packet information from each processed packet. Packet analysis is a computationally intensive, highly parallelisable task, and as such, classification of large packet sets, such as those collected by a network telescope, can require significant processing time. We wish to improve upon this, through parallel classification on a GPU. In this paper, we first consider the OpenCL architecture and its applicability to packet analysis. We then introduce a number of packet demultiplexing and routing algorithms, and finally present a discussion on how some of these techniques may be leveraged within a GPGPU context to improve packet classification speeds.


Visualization for Computer Security | 2008

Using InetVis to Evaluate Snort and Bro Scan Detection on a Network Telescope

Barry Irwin; J. P. van Riel

This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. Scan detection algorithms used by the Snort and Bro intrusion detection systems are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The Snort and Bro algorithms are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.


South African Institute of Computer Scientists and Information Technologists | 2008

Towards a taxonomy of network scanning techniques

Richard J. Barnett; Barry Irwin

Network scanning is a common reconnaissance activity in network intrusion. Despite this, its classification remains vague and detection systems in current Network Intrusion Detection Systems are incapable of detecting many forms of scanning traffic. This paper presents a classification of network scanning and illustrates how complex and varied this activity is. The presented classification extends previous, well known, definitions of scanning traffic in a manner which reflects this complexity.


Visualization for Computer Security | 2008

High Level Internet Scale Traffic Visualization Using Hilbert Curve Mapping

Barry Irwin; Nick Pilkington

A high level analysis tool was developed for aiding in the analysis of large volumes of network telescope traffic, and in particular the comparisons of data collected from multiple telescope sources. Providing a visual means for the evaluation of worm propagation algorithms has also been achieved. By using a Hilbert curve as a means of ordering points within the visualization space, the concept of nearness between numerically sequential network blocks was preserved. The design premise and initial results obtained using the tool developed are discussed, and a number of future extensions proposed.


Information Security for South Africa | 2012

A network telescope perspective of the Conficker outbreak

Barry Irwin

This paper discusses a dataset of some 16 million packets targeting port 445/tcp collected by a network telescope utilising a /24 netblock in South African IP address space. An initial overview of the collected data is provided. This is followed by a detailed analysis of the packet characteristics observed, including size and TTL. The peculiarities of the observed target selection and the results of the flaw in the Conficker worm's propagation algorithm are presented. An analysis of the 4 million observed source hosts is reported, grouped by both packet counts and the number of distinct hosts per network address block. Address blocks of size /8, /16 and /24 are used for groupings. The localisation, by geographic region and numerical proximity, of high ranking aggregate netblocks is highlighted. The paper concludes with some overall analyses, and consideration of the application of network telescopes to the monitoring of such outbreaks in the future.


Information Security for South Africa | 2013

Classification of Security Operation Centers

Pierre Jacobs; Alapan Arnab; Barry Irwin

Security Operation Centers (SOCs) are a necessary service for organisations that want to address compliance and threat management. While there are frameworks in existence that address the technology aspects of these services, a holistic framework addressing processes, staffing and technology does not currently exist. Additionally, it would be useful for organisations and constituents considering building, buying or selling these services to measure the effectiveness and maturity of the provided services. In this paper, we propose a classification and rating scheme for SOC services, evaluating both the capabilities and the maturity of the services offered.


International Journal of Cyber Warfare and Terrorism (IJCWT) | 2012

A Computer Network Attack Taxonomy and Ontology

R. P. van Heerden; Barry Irwin; I. D. Burke; L Leenen

Copyright: 2012 IGI Global. This is a pre/post-print version of the work. The definitive version is published in International Journal of Cyber Warfare and Terrorism, vol. 2(3), pp. 12-25.

Collaboration

Barry Irwin's top co-authors.

Ignus P. Swart, Council for Scientific and Industrial Research

Renier van Heerden, Council for Scientific and Industrial Research

Ibraheem Frieslaar, Council for Scientific and Industrial Research

Marthie Grobler, Council for Scientific and Industrial Research