Feasibility Study: Computing Confidence Interval (CI) for IBR Data Using Bootstrapping Technique
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2021
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427665 , vital:72454 , https://www.researchgate.net/profile/Barry-Ir-win/publication/358895311_Feasibility_Study_Computing_Confidence_Inter-val_CI_for_IBR_Data_Using_Bootstrapping_Technique/links/621bdc469947d339eb6e578b/Feasibility-Study-Computing-Confidence-Interval-CI-for-IBR-Data-Using-Bootstrapping-Technique.pdf
- Description: Statistical bootstrapping has been used in different fields over the years since it was introduced as a technique that one can use to simulate data. In this study, parametric and nonparametric bootstrapping techniques were used to create samples of different compositions from the baseline data. The bootstrap distribution of a point estimator of a population parameter has been used in the past to produce a bootstrapped confidence interval (CI) for the parameter’s true value, if the parameter is written as a function of the population’s distribution. Population parameters are estimated with many point estimators. The study used mean as the population parameter of interest from which bootstrap samples were created. This research was more interested in the CI side of bootstrapping and it is this aspect that this paper focused on. This is the case because the study wanted to offer a certain degree of assurance and reliability of IBR data to users who may not have access to a larger ’lens’ of a network telescope to allow them to monitor security threats in their network. The primary interest in the dataset were source and destination IP (DSTIP) addresses, thus the study selected different size pools of DSTIP addresses to simulate bootstrap samples.
- Date Issued: 2021
An Evaluation of Text Mining Techniques in Sampling of Network Ports from IBR Traffic
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427630 , vital:72452 , https://www.researchgate.net/profile/Stones-Chindi-pha/publication/335910179_An_Evaluation_of_Text_Mining_Techniques_in_Sampling_of_Network_Ports_from_IBR_Traffic/links/5d833084458515cbd1985a38/An-Evaluation-of-Text-Mining-Techniques-in-Sampling-of-Network-Ports-from-IBR-Traffic.pdf
- Description: Information retrieval (IR) has had techniques that have been used to gauge the extent to which certain keywords can be retrieved from a document. These techniques have been used to measure similarities in duplicated images, native language identification, optimize algorithms, among others. With this notion, this study proposes the use of four of the Information Retrieval Techniques (IRT/IR) to gauge the implications of sampling a /24 IPv4 ports into smaller subnet equivalents. Using IR, this paper shows how the ports found in a /24 IPv4 net-block relate to those found in the smaller subnet equivalents. Using Internet Background Radiation (IBR) data that was collected from Rhodes University, the study found compelling evidence of the viability of using such techniques in sampling datasets. Essentially, being able to identify the variation that comes with sampling the baseline dataset. It shows how the various samples are similar to the baseline dataset. The correlation observed in the scores proves how viable these techniques are to quantifying variations in the sampling of IBR data. In this way, one can identify which subnet equivalent best represents the unique ports found in the baseline dataset (IPv4 net-block dataset).
- Date Issued: 2019
Quantifying the accuracy of small subnet-equivalent sampling of IPv4 internet background radiation datasets
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2019
- Subjects: To be catalogued
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/430271 , vital:72679 , https://doi.org/10.1145/3351108.3351129
- Description: Network telescopes have been used for over a decade to aid in identifying threats by gathering unsolicited network traffic. This Internet Background Radiation (IBR) data has proved to be a significant source of intelligence in combating emerging threats on the Internet at large. Traditionally, operation has required a significant contiguous block of IP addresses. Continued operation of such sensors by researchers and adoption by organisations as part of its operation intelligence is becoming a challenge due to the global shortage of IPv4 addresses. The pressure is on to use allocated IP addresses for operational purposes. Future use of IBR collection methods is likely to be limited to smaller IP address pools, which may not be contiguous. This paper offers a first step towards evaluating the feasibility of such small sensors. An evaluation is conducted of the random sampling of various subnet sized equivalents. The accuracy of observable data is compared against a traditional 'small' IPv4 network telescope using a /24 net-block. Results show that for much of the IBR data, sensors consisting of smaller, non-contiguous blocks of addresses are able to achieve high accuracy rates vs. the base case. While the results obtained given the current nature of IBR, it proves the viability for organisations to utilise free IP addresses within their networks for IBR collection and ultimately the production of Threat intelligence.
- Date Issued: 2019
Effectiveness of Sampling a Small Sized Network Telescope in Internet Background Radiation Data Collection
- Chindipha, Stones D, Irwin, Barry V W, Herbert, Alan
- Authors: Chindipha, Stones D , Irwin, Barry V W , Herbert, Alan
- Date: 2018
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427646 , vital:72453 , https://www.researchgate.net/profile/Barry-Ir-win/publication/327624431_Effectiveness_of_Sampling_a_Small_Sized_Net-work_Telescope_in_Internet_Background_Radiation_Data_Collection/links/5b9a5067299bf14ad4d793a1/Effectiveness-of-Sampling-a-Small-Sized-Network-Telescope-in-Internet-Background-Radiation-Data-Collection.pdf
- Description: What is known today as the modern Internet has long relied on the existence of, and use of, IPv4 addresses. However, due to the rapid growth of the Internet of Things (IoT), and limited address space within IPv4, acquiring large IPv4 subnetworks is becoming increasingly difficult. The exhaustion of the IPv4 address space has made it near impossible for organizations to gain access to large blocks of IP space. This is of great concern particularly in the security space which often relies on acquiring large network blocks for performing a technique called Internet Background Radiation (IBR) monitoring. This technique monitors IPv4 addresses which have no services running on them. In practice, no traffic should ever arrive at such an IPv4 address, and so is marked as an anomaly, and thus recorded and analyzed. This research aims to address the problem brought forth by IPv4 address space exhaustion in relation to IBR monitoring. This study’s intent is to identify the smallest subnet that best represents the attributes found in the /24 IPv4 address. This is done by determining how well a subset of the monitored original subnetwork represents the information gathered by the original subnetwork. Determining the best method of selecting a subset of IPv4 addresses from a subnetwork will enable IBR research to continue in the best way possible in an ever restricting research space.
- Date Issued: 2018
An analysis on the re-emergence of SQL Slammer worm using network telescope data
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2017
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428326 , vital:72503 , https://researchspace.csir.co.za/dspace/bitstream/handle/10204/9705/Chindipha_19658_2017.pdf?sequence=1ansisAllowed=y
- Description: The SQL Slammer worm is a self propagated computer virus that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. An observation of network traffic captured in the Rhodes University’s network telescopes shows that traffic observed in it shows an escalation in the number of packets captured by the telescopes between January 2014 and December 2016 when the expected traffic was meant to take a constant decline in UDP packets from port 1434. Using data captured over a period of 84 months, the analysis done in this study identified top ten /24 source IP addresses that Slammer worm repeatedly used for this attack together with their geolocation. It also shows the trend of UDP 1434 packets received by the two network telescopes from January 2009 to December 2015. In line with epidemic model, the paper has shown how this traffic fits in as SQL Slammer worm attack. Consistent number of packets observed in the two telescopes between 2014 and 2016 shows qualities of the Slammer worm attack. Basic time series and decomposition of additive time series graphs have been used to show trend and observed UDP packets over the time frame of study.
- Date Issued: 2017
Cyber Vulnerability Assessment: Case Study of Malawi and Tanzania
- Chindipha, Stones D, Irwin, Barry V W
- Authors: Chindipha, Stones D , Irwin, Barry V W
- Date: 2015
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428558 , vital:72520 , https://accconference.mandela.ac.za/ACCConference/media/Store/images/Proceedings-2015.pdf#page=105
- Description: Much as the Internet is beneficial to our daily activities, with each passing day it also brings along with it information security concerns for the users be they at company or national level. Each year the number of Internet users keeps growing, particularly in Africa, and this means only one thing, more cyber-attacks. Governments have become a focal point of this data leakage problem making this a matter of national security. Looking at the current state of affairs, cyber-based incidents are more likely to increase in Africa, mainly due to the increased prevalence and affordability of broadband connectivity which is coupled with lack of online security awareness. A drop in the cost of broadband connection means more people will be able to afford Internet connectivity. With open Source Intelligence (OSINT), this paper aims to perform a vulnerability analysis for states in Eastern Africa building from prior research by Swart et al. which showed that there are vulnerabilities in the information systems, using the case of South Africa as an example. States in East Africa are to be considered as candidates, with the final decision being determined by access to suitable resources, and availability of information. A comparative analysis to assess the factors that affect the degree of security susceptibilities in various states will also be made and information security measures used by various governments to ascertain the extent of their contribution to this vulnerability will be assessed. This pilot study will be extended to other Southern and Eastern African states like Botswana, Kenya, Uganda and Namibia in future work.
- Date Issued: 2015