Feasibility Study: Computing Confidence Interval (CI) for IBR Data Using Bootstrapping Technique
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2021
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427665 , vital:72454 , https://www.researchgate.net/profile/Barry-Irwin/publication/358895311_Feasibility_Study_Computing_Confidence_Interval_CI_for_IBR_Data_Using_Bootstrapping_Technique/links/621bdc469947d339eb6e578b/Feasibility-Study-Computing-Confidence-Interval-CI-for-IBR-Data-Using-Bootstrapping-Technique.pdf
- Description: Statistical bootstrapping has been used in different fields over the years since it was introduced as a technique for simulating data. In this study, parametric and nonparametric bootstrapping techniques were used to create samples of different compositions from the baseline data. The bootstrap distribution of a point estimator of a population parameter has been used in the past to produce a bootstrapped confidence interval (CI) for the parameter’s true value, provided the parameter can be written as a function of the population’s distribution. Population parameters are estimated with many point estimators; this study used the mean as the population parameter of interest from which bootstrap samples were created. The research was primarily interested in the CI side of bootstrapping, and it is this aspect that the paper focuses on. The motivation is to offer a degree of assurance about the reliability of IBR data to users who do not have access to a large ’lens’ of a network telescope with which to monitor security threats on their network. The primary interest in the dataset was source and destination IP (DSTIP) addresses, so the study selected pools of DSTIP addresses of different sizes from which to draw bootstrap samples.
- Full Text:
- Date Issued: 2021
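The procedure the abstract describes, as an added example (not code from the paper): a nonparametric percentile bootstrap of the mean, run over pools of destination addresses of different sizes. The metric (packets per destination IP), the pool sizes and the sample values are this example's assumptions; the paper's abstract does not state them.

```python
"""Nonparametric bootstrap percentile CI for the mean of an IBR metric.

Added example, not code from the paper. The metric (packets observed per
destination IP), the pool sizes and the sample data are assumptions.
"""
import random
import statistics
from typing import Dict, Sequence, Tuple

# Constructed sample: packets per destination IP in a /24 telescope over one
# window. Heavy-tailed on purpose: two addresses attract far more scanning than
# the rest, which is exactly when a normal-theory CI for the mean misleads.
CONSTRUCTED_DSTIP_COUNTS = [
    12, 15, 9, 11, 14, 13, 10, 12, 16, 11, 9, 13, 15, 12, 10, 14,
    11, 13, 12, 9, 15, 10, 12, 14, 11, 13, 10, 12, 16, 11, 120, 95,
]


def bootstrap_mean_ci(data: Sequence[float], n_boot: int = 2000,
                      alpha: float = 0.05, seed: int = 1) -> Tuple[float, float, float]:
    """Return (point_estimate, lower, upper) for the mean, percentile method.

    Each replicate resamples len(data) values with replacement and takes the
    mean; the alpha/2 and 1-alpha/2 quantiles of those means bound the CI.
    """
    if not data:
        raise ValueError("empty sample")
    rng = random.Random(seed)
    n = len(data)
    means = sorted(statistics.fmean(rng.choices(data, k=n)) for _ in range(n_boot))
    lo = means[int((alpha / 2) * n_boot)]
    hi = means[int((1 - alpha / 2) * n_boot) - 1]
    return statistics.fmean(data), lo, hi


def ci_width_by_pool_size(data: Sequence[float], pool_sizes: Sequence[int],
                          n_boot: int = 2000, seed: int = 1) -> Dict[int, float]:
    """Draw one random DSTIP pool per size, bootstrap its mean, return {size: CI width}.

    This is the assurance figure a small-telescope operator wants: how much
    wider the interval on the mean gets when only a /27 or /28 worth of
    addresses is monitored instead of the whole /24.
    """
    rng = random.Random(seed)
    widths = {}
    for k in pool_sizes:
        pool = rng.sample(list(data), k)
        _, lo, hi = bootstrap_mean_ci(pool, n_boot=n_boot, seed=seed)
        widths[k] = hi - lo
    return widths


if __name__ == "__main__":
    point, lo, hi = bootstrap_mean_ci(CONSTRUCTED_DSTIP_COUNTS)
    print(f"mean={point:.2f}  95% bootstrap CI=({lo:.2f}, {hi:.2f})")
    for k, w in ci_width_by_pool_size(CONSTRUCTED_DSTIP_COUNTS, [8, 16, 32]).items():
        print(f"pool of {k:2d} DSTIPs: CI width {w:.2f}")
```

The percentile method is used here because it makes no distributional assumption about the per-address counts; with a parametric bootstrap one would instead fit a distribution to the pool and resample from the fit. Whether a smaller pool gives a wider interval depends on which addresses land in it, so the widths should be compared over many random pools, not one.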
An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427630 , vital:72452 , https://www.researchgate.net/profile/Stones-Chindipha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) offers techniques for gauging the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarity between duplicated images, for native language identification, to optimise algorithms, and more. With this in mind, this study proposes the use of four Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling the ports seen on a /24 IPv4 net-block into smaller subnet equivalents. Using IR, the paper shows how the ports found in a /24 IPv4 net-block relate to those found in its smaller subnet equivalents. Using Internet Background Radiation (IBR) data collected at Rhodes University, the study found compelling evidence that such techniques are viable for sampling datasets: they identify the variation that comes with sampling the baseline dataset and show how similar the various samples are to it. The correlation observed in the scores shows how well these techniques quantify variation in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (the full IPv4 net-block).
- Full Text:
- Date Issued: 2019
An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/473740 , vital:77677 , https://www.researchgate.net/profile/Stones-Chindipha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) offers techniques for gauging the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarity between duplicated images, for native language identification, to optimise algorithms, and more. With this in mind, this study proposes the use of four Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling the ports seen on a /24 IPv4 net-block into smaller subnet equivalents. Using IR, the paper shows how the ports found in a /24 IPv4 net-block relate to those found in its smaller subnet equivalents. Using Internet Background Radiation (IBR) data collected at Rhodes University, the study found compelling evidence that such techniques are viable for sampling datasets: they identify the variation that comes with sampling the baseline dataset and show how similar the various samples are to it. The correlation observed in the scores shows how well these techniques quantify variation in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (the full IPv4 net-block).
- Full Text:
- Date Issued: 2019
Effectiveness of Sampling a Small Sized Network Telescope in Internet Background Radiation Data Collection
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427646 , vital:72453 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624431_Effectiveness_of_Sampling_a_Small_Sized_Network_Telescope_in_Internet_Background_Radiation_Data_Collection/links/5b9a5067299bf14ad4d793a1/Effectiveness-of-Sampling-a-Small-Sized-Network-Telescope-in-Internet-Background-Radiation-Data-Collection.pdf
- Description: What is known today as the modern Internet has long relied on the existence and use of IPv4 addresses. However, due to the rapid growth of the Internet of Things (IoT) and the limited address space of IPv4, acquiring large IPv4 subnetworks is becoming increasingly difficult. The exhaustion of the IPv4 address space has made it near impossible for organisations to gain access to large blocks of IP space. This is of particular concern in the security space, which often relies on acquiring large network blocks for a technique called Internet Background Radiation (IBR) monitoring. The technique monitors IPv4 addresses on which no services are running: in practice no traffic should ever arrive at such an address, so any packet that does is an anomaly and is recorded and analysed. This research addresses the problem IPv4 address exhaustion poses for IBR monitoring. The study’s intent is to identify the smallest subnet that best represents the attributes found in a /24 IPv4 address block, by determining how well a subset of the monitored subnetwork represents the information gathered by the whole. Determining the best method of selecting a subset of IPv4 addresses from a subnetwork will enable IBR research to continue in the best way possible in an ever more restricted research space.
- Full Text:
- Date Issued: 2018
Effectiveness of Sampling a Small Sized Network Telescope in Internet Background Radiation Data Collection
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2018
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/473783 , vital:77681 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624431_Effectiveness_of_Sampling_a_Small_Sized_Network_Telescope_in_Internet_Background_Radiation_Data_Collection/links/5b9a5067299bf14ad4d793a1/Effectiveness-of-Sampling-a-Small-Sized-Network-Telescope-in-Internet-Background-Radiation-Data-Collection.pdf
- Description: What is known today as the modern Internet has long relied on the existence and use of IPv4 addresses. However, due to the rapid growth of the Internet of Things (IoT) and the limited address space of IPv4, acquiring large IPv4 subnetworks is becoming increasingly difficult. The exhaustion of the IPv4 address space has made it near impossible for organisations to gain access to large blocks of IP space. This is of particular concern in the security space, which often relies on acquiring large network blocks for a technique called Internet Background Radiation (IBR) monitoring. The technique monitors IPv4 addresses on which no services are running: in practice no traffic should ever arrive at such an address, so any packet that does is an anomaly and is recorded and analysed. This research addresses the problem IPv4 address exhaustion poses for IBR monitoring. The study’s intent is to identify the smallest subnet that best represents the attributes found in a /24 IPv4 address block, by determining how well a subset of the monitored subnetwork represents the information gathered by the whole. Determining the best method of selecting a subset of IPv4 addresses from a subnetwork will enable IBR research to continue in the best way possible in an ever more restricted research space.
- Full Text:
- Date Issued: 2018
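The two sampling studies above (the text-mining evaluation and the small-telescope effectiveness study) share one computation: carve a /24 telescope into its smaller subnet equivalents and measure how well each subset's destination-port profile represents the whole block. The following is an added example of that computation and is not the papers' code. The abstracts do not name the four IR techniques used, so Jaccard similarity, containment (fraction of baseline ports the sample also saw) and cosine similarity over port-frequency vectors are this example's choice; the records are constructed.

```python
"""Compare the destination-port profile of a /24 telescope with that of each
smaller subnet inside it, using set- and vector-similarity measures.

Added example, not the papers' code. The similarity measures, the record
layout (destination IP, destination port) and the sample data are assumptions.
"""
import ipaddress
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed IBR records (destination IP, destination port). A real telescope
# would produce these from pcap or flow data.
CONSTRUCTED_RECORDS: List[Tuple[str, int]] = [
    ("192.0.2.3", 23), ("192.0.2.3", 445), ("192.0.2.17", 23), ("192.0.2.40", 1433),
    ("192.0.2.77", 23), ("192.0.2.90", 3389), ("192.0.2.130", 23), ("192.0.2.131", 445),
    ("192.0.2.150", 5900), ("192.0.2.200", 23), ("192.0.2.201", 22), ("192.0.2.250", 1434),
    ("192.0.2.66", 8080), ("192.0.2.9", 23), ("192.0.2.140", 445), ("192.0.2.190", 23),
]


def port_profile(records: Iterable[Tuple[str, int]], subnet: str) -> Counter:
    """Count destination ports for records whose destination IP lies in `subnet`."""
    net = ipaddress.ip_network(subnet)
    return Counter(port for ip, port in records if ipaddress.ip_address(ip) in net)


def jaccard(a: Counter, b: Counter) -> float:
    """|A ∩ B| / |A ∪ B| over the sets of distinct ports."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


def containment(sample: Counter, baseline: Counter) -> float:
    """Fraction of the baseline's distinct ports that the sample also observed."""
    return len(set(sample) & set(baseline)) / len(baseline) if baseline else 1.0


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of port-frequency vectors (weights by how often a port is hit)."""
    dot = sum(a[p] * b[p] for p in set(a) & set(b))
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_subnets(records: Iterable[Tuple[str, int]], baseline: str,
                 prefixlens: Tuple[int, ...] = (25, 26, 27, 28)) -> List[Tuple[str, Dict[str, float]]]:
    """Score every subnet of each prefix length inside `baseline` against the
    baseline's port profile; best containment first, cosine as tie-break."""
    records = list(records)
    base = port_profile(records, baseline)
    scored = []
    for plen in prefixlens:
        for sub in ipaddress.ip_network(baseline).subnets(new_prefix=plen):
            prof = port_profile(records, str(sub))
            scored.append((str(sub), {
                "jaccard": jaccard(prof, base),
                "containment": containment(prof, base),
                "cosine": cosine(prof, base),
            }))
    scored.sort(key=lambda item: (-item[1]["containment"], -item[1]["cosine"]))
    return scored


if __name__ == "__main__":
    for subnet, scores in rank_subnets(CONSTRUCTED_RECORDS, "192.0.2.0/24")[:6]:
        print(subnet, {k: round(v, 3) for k, v in scores.items()})
```

Containment is the measure that answers the operational question directly (which ports would a smaller telescope have missed entirely), while cosine also penalises a subset whose port mix is skewed relative to the whole block. Rankings from a single window are noisy; the studies' approach of scoring many samples against the baseline is what makes the comparison meaningful.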
Hybrid Sensor Simulation within an ICS Testbed
- Shaw, Brent, Irwin, Barry V W
- Authors: Shaw, Brent , Irwin, Barry V W
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427713 , vital:72457 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624204_Hybrid_Sensor_Simulation_within_an_ICS_Testbed/links/5b9a50d8299bf14ad4d79587/Hybrid-Sensor-Simulation-within-an-ICS-Testbed.pdf
- Description: Industrial Control Systems (ICS) are responsible for managing factories, power grids and water treatment facilities, and play a key role in running and controlling national Critical Information Infrastructure (CII). The integrity and availability of these systems are paramount, and the threat of cyber-physical attacks on them warrants thorough research into ensuring their security. The increasing interconnectivity seen in both the domestic and industrial sectors exposes numerous devices and systems to the Internet, where they are exposed to malware and advanced persistent threats that can affect CII through attacks on ICS. While simulations provide insight into how systems might react to certain changes, they generally cannot be integrated with existing hardware systems. Hybrid testbeds could provide a platform for testing hardware and software components together, enabling researchers to examine the interactions between different networked components through exploratory research and investigation in a controlled environment. This work presents an approach to traffic generation for use within ICS/IoT testbeds, through the production of Docker-based simulation nodes that are constructed from the configuration of the system being modelled.
- Full Text:
- Date Issued: 2018
Offline-First Design for Fault Tolerant Applications.
- Linklater, Gregory, Marais, Craig, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Marais, Craig , Herbert, Alan , Irwin, Barry V W
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427683 , vital:72455 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624337_Offline-First_Design_for_Fault_Tolerant_Applications/links/5b9a50a1458515310584ebbe/Offline-First-Design-for-Fault-Tolerant-Applications.pdf
- Description: Faults are inevitable and frustrating. As we increasingly depend on network access and the chain of services that provides it, we suffer a greater loss in productivity when any of those services fail and service delivery is suspended. This research explores connectivity and infrastructure fault tolerance through offline-first application design using techniques such as CQRS and event sourcing. To apply these techniques, the research details the design and implementation of LOYALTY TRACKER, an offline-first point-of-sale (PoS) system for the Android platform built to operate in the context of a small pub where faults are commonplace. The application demonstrates data consistency and integrity and a complete feature set that continues to operate while offline, but is limited in scalability. It successfully achieves its goals within the limited capacity for which it was designed.
- Full Text:
- Date Issued: 2018
Real-time geotagging and filtering of network data using a heterogeneous NPU-CPU architecture
- Pennefather, Sean, Bradshaw, Karen L, Irwin, Barry V W
- Authors: Pennefather, Sean , Bradshaw, Karen L , Irwin, Barry V W
- Date: 2018
- Subjects: To be catalogued
- Language: English
- Type: text , book
- Identifier: http://hdl.handle.net/10962/460603 , vital:75968 , ISBN 9780620810227
- Description: In this paper, we present the design and implementation of an NPU-CPU heterogeneous network monitoring application. The application allows both filtering and monitoring operations to be performed on network traffic based on the country of origin or destination of IP traffic, in real time at wire speeds of up to 1 Gbit/s. This is achieved by distributing the application components to the architecture best suited to each, leveraging the strengths of both. Communication between the architectures is handled at runtime by a low-latency synchronous message-passing library. Testing of the implemented application indicates that the system can perform geolocation lookups on network traffic in real time without impacting network throughput.
- Full Text:
- Date Issued: 2018
Towards Enhanced Threat Intelligence Through NetFlow Distillation
- Herbert, Alan, Irwin, Barry V W
- Authors: Herbert, Alan , Irwin, Barry V W
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427699 , vital:72456 , https://www.researchgate.net/profile/Barry-Irwin/publication/327624198_Towards_Enhanced_Threat_Intelligence_Through_NetFlow_Distillation/links/5b9a501fa6fdcc59bf8ee8ea/Towards-Enhanced-Threat-Intelligence-Through-NetFlow-Distillation.pdf
- Description: Bolvedere is a hardware-accelerated NetFlow analysis platform intended to discern and distribute NetFlow records in a format requested by the user. This removes the need for a user to deal with the NetFlow protocol directly, and also reduces the CPU resources required, as data is passed on to the host already in the requested format.
- Full Text:
- Date Issued: 2018
A netFlow scoring framework for incident detection
- Sweeney, Michael, Irwin, Barry V W
- Authors: Sweeney, Michael , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428301 , vital:72501 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9693/Sweeney_19662_2017.pdf?sequence=1&isAllowed=y
- Description: As networks have grown, so has the data available for monitoring and security purposes. This increase in volume has raised significant challenges for administrators in identifying threats amongst large volumes of network traffic, a large part of which is often background noise. In this paper we propose a framework for scoring and coding NetFlow data with security-related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious potential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
- Full Text:
- Date Issued: 2017
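The scoring-and-coding scheme described in the abstract above, as an added example (not the Sweeney and Irwin implementation): each flow is passed through a list of independent tests, each test that fires contributes a code and a weight, and the accumulated score ranks flows for investigation. The flow field names, the four tests, their weights, the port and source lists and the sample flows are all this example's assumptions; the paper's own tests and codes are not given in the abstract.

```python
"""Score and code flow records with a set of independent tests.

Added example, not the paper's framework. The Flow fields, the tests, the
weights, the constructed port and reputation lists and the sample flows are
assumptions standing in for whatever a real deployment would use.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int
    duration_s: float
    codes: List[str] = field(default_factory=list)  # codes of the tests that fired
    score: int = 0                                  # sum of the weights of those tests


# A test inspects one flow and returns (code, weight) if it fires, else None.
# Tests are independent of one another, so they can be added or removed freely.
Test = Callable[[Flow], Optional[Tuple[str, int]]]

# Constructed list of ports that should never be exposed to the Internet (assumption).
SENSITIVE_PORTS = {23, 445, 1433, 1434, 3389, 5900}
# Constructed reputation list standing in for an external blocklist (assumption).
KNOWN_BAD_SOURCES = {"198.51.100.7"}


def t_sensitive_port(f: Flow) -> Optional[Tuple[str, int]]:
    return ("SENS_PORT", 3) if f.dport in SENSITIVE_PORTS else None


def t_single_packet_probe(f: Flow) -> Optional[Tuple[str, int]]:
    # One tiny packet and nothing else: the shape of a scan or of backscatter.
    return ("PROBE", 1) if f.packets == 1 and f.bytes <= 64 else None


def t_known_bad_source(f: Flow) -> Optional[Tuple[str, int]]:
    return ("BAD_SRC", 5) if f.src in KNOWN_BAD_SOURCES else None


def t_long_lived_low_rate(f: Flow) -> Optional[Tuple[str, int]]:
    # A flow open for over an hour trickling under one packet per 100 s: beacon-like.
    if f.duration_s > 3600 and f.packets / f.duration_s < 0.01:
        return ("LOW_SLOW", 2)
    return None


TESTS: List[Test] = [t_sensitive_port, t_single_packet_probe,
                     t_known_bad_source, t_long_lived_low_rate]


def score_flows(flows: List[Flow], tests: List[Test] = TESTS) -> List[Flow]:
    """Apply every test to every flow, accumulate codes and score, rank highest first."""
    for f in flows:
        for t in tests:
            hit = t(f)
            if hit is not None:
                code, weight = hit
                f.codes.append(code)
                f.score += weight
    return sorted(flows, key=lambda f: f.score, reverse=True)


def make_constructed_flows() -> List[Flow]:
    """Fresh copies of the constructed sample flows (scoring mutates them)."""
    return [
        Flow("203.0.113.5", "192.0.2.10", 443, "tcp", 40, 52000, 2.5),    # ordinary HTTPS
        Flow("198.51.100.7", "192.0.2.10", 445, "tcp", 1, 60, 0.0),       # SMB probe, listed source
        Flow("203.0.113.9", "192.0.2.11", 3389, "tcp", 1, 60, 0.0),       # RDP probe
        Flow("203.0.113.22", "192.0.2.12", 8443, "tcp", 30, 4000, 7200.0),  # two-hour trickle
    ]


if __name__ == "__main__":
    for f in score_flows(make_constructed_flows()):
        print(f"{f.score:2d} {','.join(f.codes) or '-':24s} {f.src} -> {f.dst}:{f.dport}")
```

Because the tests are independent, a new indicator (a new blocklist, a new port, a volumetric threshold) is one more function appended to TESTS, and the codes attached to each flow explain why it scored as it did, which is what an analyst needs when the top of the ranking is all that gets looked at.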
An analysis on the re-emergence of SQL Slammer worm using network telescope data
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428326 , vital:72503 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9705/Chindipha_19658_2017.pdf?sequence=1ansisAllowed=y
- Description: The SQL Slammer worm is a self-propagating computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. An observation of network traffic captured in the Rhodes University network telescopes shows an escalation in the number of packets captured by the telescopes between January 2014 and December 2016, when the expected traffic was meant to show a constant decline in UDP packets from port 1434. Using data captured over a period of 84 months, the analysis done in this study identified the top ten /24 source IP address ranges that the Slammer worm repeatedly used for this attack, together with their geolocation. It also shows the trend of UDP 1434 packets received by the two network telescopes from January 2009 to December 2015. In line with the epidemic model, the paper has shown how this traffic fits in as a SQL Slammer worm attack. The consistent number of packets observed in the two telescopes between 2014 and 2016 shows qualities of the Slammer worm attack. Basic time series and decomposition of additive time series graphs have been used to show the trend and observed UDP packets over the time frame of the study.
- Full Text:
- Date Issued: 2017
An analysis on the re-emergence of SQL Slammer worm using network telescope data
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2017
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/473718 , vital:77675 , https://www.researchgate.net/publication/327622806_An_Analysis_on_the_Re-emergence_of_SQL_Slammer_Worm_Using_Network_Telescope_Data
- Description: The SQL Slammer worm is a self-propagating computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. An observation of network traffic captured in the Rhodes University network telescopes shows an escalation in the number of packets captured by the telescopes between January 2014 and December 2016, when the expected traffic was meant to show a constant decline in UDP packets from port 1434. Using data captured over a period of 84 months, the analysis done in this study identified the top ten /24 source IP address ranges that the Slammer worm repeatedly used for this attack, together with their geolocation. It also shows the trend of UDP 1434 packets received by the two network telescopes from January 2009 to December 2015. In line with the epidemic model, the paper has shown how this traffic fits in as a SQL Slammer worm attack. The consistent number of packets observed in the two telescopes between 2014 and 2016 shows qualities of the Slammer worm attack. Basic time series and decomposition of additive time series graphs have been used to show the trend and observed UDP packets over the time frame of the study.
- Full Text:
- Date Issued: 2017
Design of a Message Passing Model for Use in a Heterogeneous CPU-NFP Framework for Network Analytics. Southern Africa Telecommunication Networks and Applications Conference (SATNAC) 2017, 3-10 September 2017
- Pennefather, Sean, Bradshaw, Karen L, Irwin, Barry V W
- Authors: Pennefather, Sean , Bradshaw, Karen L , Irwin, Barry V W
- Date: 2017
- Subjects: To be catalogued
- Language: English
- Type: text , book
- Identifier: http://hdl.handle.net/10962/460011 , vital:75884 , ISBN 9780620767569 , http://dx.doi.org/10.18489/sacj.v31i2.692
- Description: Currently, network analytics requires direct access to network packets, normally through a third-party application, which means that obtaining realtime results is difficult. We propose the NFP-CPU heterogeneous framework to allow parts of applications written in the Go programming language to be executed on a Network Flow Processor (NFP) for enhanced performance. This paper explores the need and feasibility of implementing a message passing model for data transmission between the NFP and CPU, which is the crux of such a heterogeneous framework. Architectural differences between the two domains are highlighted within this context and we present a solution to bridging these differences.
- Full Text:
- Date Issued: 2017
JSON schema for attribute-based access control for network resource security
- Linklater, Gregory, Smith, Christian, Connan, James, Herbert, Alan, Irwin, Barry V W
- Authors: Linklater, Gregory , Smith, Christian , Connan, James , Herbert, Alan , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428368 , vital:72506 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9820/Linklater_19660_2017.pdf?sequence=1andisAllowed=y
- Description: Attribute-based Access Control (ABAC) is an access control model where authorization for an action on a resource is determined by evaluating attributes of the subject, resource (object) and environment. The attributes are evaluated against boolean rules of varying complexity. ABAC rule languages are often based on serializable object modeling and schema languages, as in the case of XACML, which is based on XML Schema. XACML is a standard by OASIS, and is the current de facto standard for ABAC. While a JSON profile for XACML exists, it is simply a compatibility layer for using JSON in XACML which caters to the XML object model paradigm, as opposed to the JSON object model paradigm. This research proposes JSON Schema as a modeling language that caters to the JSON object model paradigm on which to base an ABAC rule language. It continues to demonstrate its viability for the task by comparison against the features provided to XACML by XML Schema.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427740 , vital:72459 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital signal processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
Recovering AES-128 encryption keys from a Raspberry Pi
- Frieslaar, Ibraheem, Irwin, Barry V W
- Authors: Frieslaar, Ibraheem , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428383 , vital:72507 , https://www.researchgate.net/profile/Ibraheem-Frieslaar/publication/320102039_Recovering_AES-128_Encryption_Keys_from_a_Raspberry_Pi/links/59ce34f1aca272b0ec1a4d96/Recovering-AES-128-Encryption-Keys-from-a-Raspberry-Pi.pdf
- Description: This research is the first of its kind to perform a successful side channel analysis attack on a symmetric encryption algorithm executing on a Raspberry Pi. It is demonstrated that the AES-128 encryption algorithm of the Crypto++ library is vulnerable to the Correlation Power Analysis (CPA) attack. Furthermore, digital signal processing techniques such as dynamic time warping and filtering are used to recover the full encryption key. In addition, it is illustrated that the area above and around the CPU of the Raspberry Pi leaks critical and secret information.
- Full Text:
- Date Issued: 2017
SHA-1, SAT-solving, and CNF
- Motara, Yusuf, M, Irwin, Barry V W
- Authors: Motara, Yusuf, M , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428408 , vital:72509 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9692/Motara_19661_2017.pdf?sequence=1andisAllowed=y
- Description: Finding a preimage for a SHA-1 hash is, at present, a computationally intractable problem. SAT-solvers have been useful tools for handling such problems and can often, through heuristics, generate acceptable solutions. This research examines the intersection between the SHA-1 preimage problem, the encoding of that problem for SAT-solving, and SAT-solving. The results demonstrate that SAT-solving is not yet a viable approach to take to solve the preimage problem, and also indicate that some of the intuitions about “good” problem encodings in the literature are likely to be incorrect.
- Full Text:
- Date Issued: 2017
Weems: An extensible HTTP honeypot
- Pearson, Deon, Irwin, Barry V W, Herbert, Alan
- Authors: Pearson, Deon , Irwin, Barry V W , Herbert, Alan
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428396 , vital:72508 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9691/Pearson_19652_2017.pdf?sequence=1andisAllowed=y
- Description: Malicious entities are constantly trying their luck at exploiting known vulnerabilities in web services, in an attempt to gain unauthorized access to resources. For this reason security specialists deploy various network defenses with the goal of preventing these threats; one such tool is the web-based honeypot. Historically a honeypot is deployed facing the Internet to masquerade as a live system with the intention of attracting attackers away from the valuable data. Researchers adapted these honeypots and turned them into a platform to allow for the studying and understanding of web attacks and threats on the Internet. Having the ability to develop a honeypot to replicate a specific service meant researchers can now study the behavior patterns of threats, thus giving a better understanding of how to defend against them. This paper discusses a high-level design and implementation of Weems, a low-interaction web-based modular HTTP honeypot system. It also presents results obtained from various deployments over a period of time and what can be interpreted from these results.
- Full Text:
- Date Issued: 2017
A sharing platform for Indicators of Compromise
- Rudman, Lauren, Irwin, Barry V W
- Authors: Rudman, Lauren , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427831 , vital:72465 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622961_A_sharing_platform_for_Indicators_of_Compromise/links/5b9a1ad1a6fdcc59bf8dfe51/A-sharing-platform-for-Indicators-of-Compromise.pdf
- Description: In this paper, we describe the functionality of a proof of concept platform for sharing cyber threat information. Information is shared in the Structured Threat Information eXpression (STIX) language and displayed in HTML. We focus on the sharing of network Indicators of Compromise generated by malware samples. Our work is motivated by the need to provide a platform for exchanging comprehensive network-level Indicators. Accordingly we demonstrate the functionality of our proof of concept project. We discuss how to use some functions of the platform, such as sharing STIX Indicators, navigating around and downloading defense mechanisms. It is shown how threat information can be converted into different formats to allow it to be used in firewall and Intrusion Detection System (IDS) rules. This is an extension to the sharing platform and makes the creation of network-level defense mechanisms efficient. Two API functions of the platform are successfully tested and are useful because they allow for the bulk sharing of threat information.
- Full Text:
- Date Issued: 2016
Design of a Configurable Embedded Network Tap Flow Generation using NetFlow v9 and IPFIX Formats
- Pennefather, Sean, Irwin, Barry V W
- Authors: Pennefather, Sean , Irwin, Barry V W
- Date: 2016
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427756 , vital:72460 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327622779_Design_of_a_Configurable_Embedded_Network_Tap_Flow_Generation_using_NetFlow_v9_and_IPFIX_Formats/links/5b9a19f2299bf14ad4d6a591/Design-of-a-Configurable-Embedded-Network-Tap-Flow-Generation-using-NetFlow-v9-and-IPFIX-Formats.pdf
- Description: This paper describes the design of a $200 hardware apparatus capable of passively monitoring network transmission at wire speeds of 100Mbit/s and generating NetFlow v9 or IPFIX compliant network flows for a downstream monitoring infrastructure. Testing of the apparatus hardware confirmed no network disruptions regardless of operational or power state while still being capable of correctly monitoring network traffic when configured. System testing under situations of heavy load confirmed apparatus capability at monitoring network traffic and correct generation of network flows compliant with either NetFlow v9 or IPFIX standards.
- Full Text:
- Date Issued: 2016