Ray Hunt

A taxonomy of network and computer attacks

Attacks over the years have become both increasingly numerous and sophisticated. This paper focuses on the provisioning of a method for the analysis and categorisation of both computer and network attacks, thus providing assistance in combating new attacks, improving computer and network security as well as providing consistency in language when describing attacks. Such a taxonomy is designed to be useful to information bodies such as CERTs (Computer Emergency Response Teams) who have to handle and categorise an every increasing number of attacks on a daily basis. Information bodies could use the taxonomy to communicate more effectively as the taxonomy would provide a common classification scheme. The proposed taxonomy consists of four dimensions which provide a holistic taxonomy in order to deal with inherent problems in the computer and network attack field. The first dimension covers the attack vector and the main behaviour of the attack. The second dimension allows for classification of the attack targets. Vulnerabilities are classified in the third dimension and payloads in the fourth. Finally, to demonstrate the usefulness of this taxonomy, a case study applies the taxonomy to a number of well known attacks.

Intrusion detection techniques and approaches

Recent security incidents and analysis have demonstrated that manual response to such attacks is no longer feasible. Intrusion detection systems (IDS) offer techniques for modelling and recognising normal and abusive system behaviour. Such methodologies include statistical models, immune system approaches, protocol verification, file and taint checking, neural networks, whitelisting, expression matching, state transition analysis, dedicated languages, genetic algorithms and burglar alarms. This paper describes these techniques including an IDS architectural outline and an analysis of IDS probe techniques finishing with a summary of associated technologies.

Virtualization: Issues, security threats, and solutions

Although system virtualization is not a new paradigm, the way in which it is used in modern system architectures provides a powerful platform for system building, the advantages of which have only been realized in recent years, as a result of the rapid deployment of commodity hardware and software systems. In principle, virtualization involves the use of an encapsulating software layer (Hypervisor or Virtual Machine Monitor) which surrounds or underlies an operating system and provides the same inputs, outputs, and behavior that would be expected from an actual physical device. This abstraction means that an ideal Virtual Machine Monitor provides an environment to the software equivalent to the host system, but which is decoupled from the hardware state. Because a virtual machine is not dependent on the state of the physical hardware, multiple virtual machines may be installed on a single set of hardware. The decoupling of physical and logical states gives virtualization inherent security benefits. However, the design, implementation, and deployment of virtualization technology have also opened up novel threats and security issues which, while not particular to system virtualization, take on new forms in relation to it. Reverse engineering becomes easier due to introspection capabilities, as encryption keys, security algorithms, low-level protection, intrusion detection, or antidebugging measures can become more easily compromised. Furthermore, associated technologies such as virtual routing and networking can create challenging issues for security, intrusion control, and associated forensic processes. We explain the security considerations and some associated methodologies by which security breaches can occur, and offer recommendations for how virtualized environments can best be protected. Finally, we offer a set of generalized recommendations that can be applied to achieve secure virtualized implementations.

Tightening the net: A review of current and next generation spam filtering tools

This paper provides an overview of current and potential future spam filtering approaches. We examine the problems spam introduces, what spam is and how we can measure it. The paper primarily focuses on automated, non-interactive filters, with a broad review ranging from commercial implementations to ideas confined to current research papers. Both machine learning- and non-machine learning-based filters are reviewed as potential solutions and a taxonomy of known approaches is presented. While a range of different techniques have and continue to be evaluated in academic research, heuristic and Bayesian filtering dominate commercial filtering systems; therefore, a case study of these techniques is presented to demonstrate and evaluate the effectiveness of these popular techniques.

Tutorial: Internet/Intranet firewall security-policy, architecture and transaction services

The development of Internet/Intranet security is of paramount importance to organisations that plan to gain the economic benefits from interconnection with the Internet. This paper commences by examining firewall policy, focusing on both network service access policy and firewall design policy. Various firewall architectures, ranging from simple packet filters through to screened subnets and proxy gateways, are then discussed. Finally, the various mechanisms by which transactions can be secured over the Internet/Intranet are covered. These include encrypted tunnelling, IPv6, point-to-point tunnelling protocol, secure sockets layer, secure electronic transactions and secure multipart Internet mail encoding.

IEEE 802.11 wireless LAN security performance using multiple clients

IEEE 802.11 wireless networks have gained increasing popularity in recent times, providing users with both mobility and flexibility in accessing information. Existing solutions for wireless LAN networks have been exposed to security vulnerabilities and previous study has addressed and evaluated the security performance of IEEE 802.11 wireless networks using single server-client architecture and simple traffic models. This research investigated the effect of multiple security mechanisms on the performance of multiclient congested and uncongested networks. The performance effect of different TCP and UDP packet size distributions on secure networks was also studied. The benefits of this wireless network study focus on determining ways in which to configure wireless networks such that security requirements can be met in relation to quantifiable performance impact in practical situations.

Tutorial: SNMP, SNMPv2 and CMIP - the technologies for multivendor network management

The efficient management of multivendor networks is of vital importance as networks increase in size, scope and complexity. This tutorial examines the concepts and functions of network management to lay a foundation for the various architectures to be examined. The paper explains the Simple Network Management Protocol (SNMP), its successor SNMPv2, and the parallel development of ISOs Common Management Information Protocol (CMIP), drawing comparisons between them. The paper concludes with an analysis and examples of the methods for integrating SNMP and CMIP architectures, as well as examining some of the important trends resulting from the work of various industry and standards bodies.

Tutorial: Technological infrastructure for PKI and digital certification

Secure E-Commerce and VPN technology is only possible with the use of appropriate security systems such as encryption, digital signatures, digital certificates, public/private key pairs, non-repudiation, and time-stamping. A PKI comprises a system of certificates, certificate authorities, subjects, relying partners, registration authorities, and key repositories that provide for safe and reliable E-business. This paper discusses these key technologies focusing particularly on recent standardisation as well as looking at some of the criticism and challenges to its widespread operation in the industry.

Network security using NAT and NAPT

This paper examines the use of NAT and NAPT as a transparent security mechanism. It discusses the addressing, security and administrative needs in modern secure network design. By way of examples it demonstrates the use of basic static and dynamic NAT, extending these ideas to include NAPT. More recent developments in the use of NAT are discussed which includes Bidirectional NAT, Twice NAT and Multihomed NAT. Although this technology is starting to provide many security benefits there are also a number of problems that remain to be solved. These include packet translation checksum and fragmentation issues, address and port embedding, and complications with using IPSec tunnels with NAT. Finally a variety of recent extensions and developments are discussed which include load-sharing, interworking between NAT IPv4 and IPv6 as well as discussion on recent work aimed at solving the IPSec tunneling issue.

PKI and digital certification infrastructure

Secure VPN technology is only possible with the use of appropriate security systems such as encryption, digital signatures, digital certificates, public/private key pairs, non-repudiation, and time-stamping. A PKI comprises a system of certificates, certificate authorities, subjects, relying partners, registration authorities, and key repositories that provide for safe and reliable communications. This paper discusses these key technologies focusing particularly on standardisation as well as looking at some of the challenges pending its widespread operation in the industry.