Network infrastructure is growing rapidly and as a result, network traffic is expanding beyond the point where traditional approaches can still be used to efficiently detect anomalies. To aid in overcoming this issue, modern approaches to traffic monitoring need to be investigated. One particularly good way of representing large amounts of network traffic is with the aid of data visualisation. InetVis, an interactive tool for visualisation, was developed in 2005 by J.P van Riel under the security and networks research group at Rhodes University. It displays traffic in a 3-dimensional cube which uses source and destination addresses as well as port numbers for each dimension. Users have the ability to navigate through this 3D space through the use of a simple interface. In this paper, it is shown how easily detection and classification of anomalies can be done, as well as how efficient InetVis actually is.
The Strict Avalanche Criterion (SAC) is a measure of both confusion and diffusion, which are key properties of a cryptographic hash function. This work provides a working definition of the SAC, describes an experimental methodology that can be used to statistically evaluate whether a cryptographic hash meets the SAC, and uses this to investigate the degree to which the compression function of the SHA-1 hash meets the SAC. The results (P < 0.01) are heartening: SHA-1 closely tracks the SAC after the first 24 rounds, and demonstrates excellent properties of confusion and diffusion throughout.
A privacy and security threat assessment framework for consumer health wearables
Health data is important as it provides an individual with knowledge of the factors needed to be improved for oneself. The development of fitness trackers and their associated software aids consumers in understanding the manner in which they may improve their physical wellness. These devices are capable of collecting health data for a consumer such as sleeping patterns, heart rate readings or the number of steps taken by an individual. Although this information is very beneficial in guiding a consumer to a better, healthier state, it has been identified that they have privacy and security concerns. Privacy and security are of great concern for fitness trackers and their associated applications as protecting health data is of critical importance. This is so, as health data is among the information most highly sought after by cyber criminals. Fitness trackers and their associated applications have been identified to contain privacy and security concerns that place the health data of consumers at risk to intruders. As the study of Consumer Health continues to grow it is vital to understand the elements that are needed to better protect the health information of a consumer. This research paper therefore provides a conceptual threat assessment framework that can be used to identify the elements needed to better secure Consumer Health Wearables. These elements consist of six core elements from the CIA triad and Microsoft STRIDE framework. Fourteen vulnerabilities were further discovered that were classified within these six core elements. Through this, better guidance can be achieved to improve the privacy and security of Consumer Health Wearables.
Investigating the Utilization of the Secure Hash Algorithm to Generate Electromagnetic Noise
This research introduces an electromagnetic (EM) noise generator known as the FRIES noise generator to mitigate and obfuscate Side Channel Analysis (SCA) attacks against a Raspberry Pi. The FRIES noise generator utilizes the implementation of the Secure Hash Algorithm (SHA) from OpenSSL to generate white noise within the EM spectrum. This research further contributes to the body of knowledge by demonstrating that the SHA implementation of libcrypto++ and OpenSSL had different EM signatures. It was further revealed that as a more secure implementation of the SHA was executed, additional data lines were used, resulting in increased EM emissions. It was demonstrated that the OpenSSL implementation of the SHA was more optimized as opposed to the libcrypto++ implementation by utilizing fewer resources and not leaving the device in a bottleneck. The FRIES daemon added noise to the EM leakage which prevents the visual location of the AES-128 cryptographic implementation. Finally, the cross-correlation test demonstrated that the EM features of the AES-128 algorithm were not detected within the FRIES noise.
Conventional (text-based) passwords have shown patterns such as variations on the username, or known passwords such as "password", "admin" or "12345". Patterns may similarly be detected in the use of Graphical passwords (GPs). The most significant such pattern, reported by many researchers, is hotspot clustering. This paper qualitatively analyses more than 200 graphical passwords for patterns other than the classically reported hotspots. The qualitative analysis finds that a significant percentage of passwords fall into a small set of patterns; patterns that can be used to form attack models against GPs. In counteraction, these patterns can also be used to educate users so that future password selection is more secure. It is the hope that the outcome from this research will lead to improved behaviour and an enhancement in graphical password security.
This research investigates changes in the electromagnetic (EM) signatures of a cryptographic binary executable based on compile-time parameters to the GNU and clang compilers. The source code is compiled and executed on the Raspberry Pi 2 which utilizes the ARMv7 CPU. Various optimization flags are enabled at compile-time and the output of the binary executable's EM signatures are captured at run time. It is demonstrated that GNU and clang compilers produced different EM signatures on program execution. The results indicated that while utilizing the optimization flag O3 the EM signature of the program changes. Additionally, the g++ compiler demonstrated that fewer instructions were required to run the executable; this related to fewer EM emissions leaked. The EM data from the various compilers under different optimization levels was used as input data for a correlation power analysis attack. The results indicated that recovering partial AES-128 encryption keys was possible. In addition, the fewest subkeys were recovered when the clang compiler was used with level O2 optimization. Finally, the research was able to recover 15 of the 16 subkeys of the AES-128 cryptographic algorithm. CCS CONCEPTS • Security and privacy → Side-channel analysis and countermeasures; Cryptanalysis and other attacks; Tamper-proof and tamper-resistant designs;
Investigating the electromagnetic side channel leakage from a Raspberry Pi
This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. An evaluation is performed on the EM leakage as the device executes the AES-128 cryptographic algorithm contained in the Crypto++ library in a threaded environment. Four multi-threaded implementations are evaluated. These implementations are Portable Operating System Interface Threads, C++11 threads, Threading Building Blocks, and OpenMP threads. It is demonstrated that the various thread techniques have distinct variations in frequency and shape as EM emanations are leaked from the Raspberry Pi. Additionally, noise is introduced while the cryptographic algorithm executes. The results indicate that it is still possible to visibly see the execution of the cryptographic algorithm. However, out of 50 occasions the cryptographic execution was not detected 32 times. It was further identified that when calculating prime numbers, the cryptographic algorithm becomes hidden. Furthermore, the analysis pointed in the direction that when high prime numbers are calculated there is a window where the cryptographic algorithm cannot be seen visibly in the EM spectrum.
This research investigates the use of a multi-threaded framework as a software countermeasure mechanism to prevent attacks on the verifypin process in a pin-acceptance program. The implementation comprises using various mathematical operations alongside a pin-acceptance program in a multi-threaded environment. These threads are inserted randomly on each execution of the program to create confusion for the attacker. Moreover, the research proposes an improved version of the pin-acceptance program by segmenting the program. The conventional approach is to check each character one at a time. This research takes the verifying process and separates each character check into its individual thread. Furthermore, the order of each verified thread is randomised. This further assists in the obfuscation of the process where the system checks for a correct character. Finally, the research demonstrates it is able to be more secure than the conventional countermeasures of random time delays and insertion of dummy code.
Extending the NFComms framework for bulk data transfers
In this paper we present the design and implementation of an indirect messaging extension for the existing NFComms framework that provides communication between a network flow processor and host CPU. This extension addresses the bulk throughput limitations of the framework and is intended to work in conjunction with existing communication mediums. Testing of the framework extensions shows an increase in throughput performance of up to 300× that of the current direct message passing framework at the cost of increased single message latency of up to 2×. This trade-off is considered acceptable as the proposed extensions are intended for bulk data transfer only while the existing message passing functionality of the framework is preserved and can be used in situations where low latency is required for small messages.
Investigating Multi-Thread Utilization as a Software Defence Mechanism Against Side Channel Attacks
A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
In this research we present a novel implementation for a software countermeasure to mitigate Correlation Power Analysis (CPA). This countermeasure combines pseudo controlled-random dummy code and a task scheduler using multi threads to form dynamic power traces which obscure the occurrence of critical operations of the AES-128 algorithm. This work investigates the use of a task scheduler to generate noise at specific areas in the AES-128 algorithm to mitigate the CPA attack. The dynamic power traces have been shown to be an effective countermeasure, as they obscure the CPA into predicting the incorrect secret key. Furthermore, the countermeasure is tested on an ATmega and an ATxmega microcontroller. The basic side channel analysis attack resistance has been increased and in both scenarios the proposed countermeasure has reduced the correlation accuracy and forced the CPA to predict the incorrect key. The correlation accuracy decreased from 97.6% to 53.6% on the ATmega microcontroller, and decreased from 82% to 51.4% on the ATxmega microcontroller.
Botnets consist of thousands of hosts infected with malware. Botnet owners communicate with these hosts using Command and Control (C2) servers. These C2 servers are usually infected hosts which the botnet owners do not have physical access to. For this reason botnets can be shut down by taking over or blocking the C2 servers. Botnet owners have employed numerous shutdown avoidance techniques. One of these techniques, DNS Fast-Flux, relies on rapidly changing address records. The addresses returned by the Fast-Flux DNS servers consist of geographically widely distributed hosts. The distributed nature of Fast-Flux botnets differs from legitimate domains, which tend to have geographically clustered server locations. This paper examines the use of spatial autocorrelation techniques based on the geographic distribution of domain servers to detect Fast-Flux domains. Moran's I and Geary's C are used to produce classifiers using multiple geographic coordinate systems to produce efficient and accurate results. It is shown how Fast-Flux domains can be detected reliably while only a small percentage of false positives are produced.
Quantifying the Accuracy of Small Subnet-Equivalent Sampling of IPv4 Internet Background Radiation Datasets
Network telescopes have been used for over a decade to aid in identifying threats by gathering unsolicited network traffic. This Internet Background Radiation (IBR) data has proved to be a significant source of intelligence in combating emerging threats on the Internet at large. Traditionally, operation has required a significant contiguous block of IP addresses. Continued operation of such sensors by researchers and adoption by organisations as part of their operation intelligence is becoming a challenge due to the global shortage of IPv4 addresses. The pressure is on to use allocated IP addresses for operational purposes. Future use of IBR collection methods is likely to be limited to smaller IP address pools, which may not be contiguous. This paper offers a first step towards evaluating the feasibility of such small sensors. An evaluation is conducted of the random sampling of various subnet sized equivalents. The accuracy of observable data is compared against a traditional 'small' IPv4 network telescope using a /24 net-block. Results show that for much of the IBR data, sensors consisting of smaller, non-contiguous blocks of addresses are able to achieve high accuracy rates vs. the base case. While the results obtained given the current nature of IBR, it proves the viability for organisations to utilise free IP addresses within their networks for IBR collection and ultimately the production of threat intelligence.
Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the system to deploy new algorithms. As a result, anomaly detection algorithms are time consuming, difficult and cumbersome to develop. This paper presents an alternative system which permits the deployment of anomaly detection algorithms without the need to even restart the NIDS. This system is, therefore, suitable for the rapid development of new algorithms, or in environments where high-availability is required.
Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the need to transport data in real-time, often at the expense of security. The neglect of secure VoIP is often intentional, as developers are striving to minimise overheads and delays. The Secure Real-Time Protocol (SRTP) has the potential to secure real-time streams without exacting too high a performance price. SRTP is the addition of security to the audio/video profile used in the Real-Time Transport Protocol (RTP). SRTP adds confidentiality, integrity and optionally authenticity to RTP media streams. This paper focuses on the integration of SRTP into Asterisk, an open-source VoIP PBX. SRTP support has recently been added to Asterisk by Mikael Magnusson. This paper analyses Magnusson's implementation, contrasting it to a proof-of-concept implementation developed independently at Rhodes University. The interoperability of SRTP implementations cannot be taken for granted, given the relatively recent standardization of the protocol, and so Magnusson's implementation is tested against another SRTP implementation. Finally, the paper highlights a major shortcoming in Magnusson's implementation, namely that the exchange of encryption keys is done in the clear. It concludes by proposing possible solutions, such as TLS, IPSec and MIKEY.
Network telescopes and honeypots have been used with great success to record malicious network traffic for analysis; however, this is often done off-line well after the traffic was observed. This has left us with only a cursory understanding of malicious hosts and no knowledge of the software they run, uptime or other malicious activity they may have participated in. This work covers a messaging framework (rDSN) that was developed to allow for the real-time analysis of malicious traffic. This data was captured from multiple, distributed honeypots and network telescopes. Data was collected over a period of two months from these data sensors. Using this data, new techniques for malicious host analysis and re-identification in dynamic IP address space were explored. An Automated Reconnaissance (AR) Framework was developed to aid the process of data collection; this framework was responsible for gathering information from malicious hosts through both passive and active fingerprinting techniques. From the analysis of this data, correlations between malicious hosts were identified based on characteristics such as Operating System, targeted service, location and services running on the malicious hosts. An initial investigation in Latency Based Multilateration (LBM), a novel technique to assist in host re-identification, was tested and proved successful as a supporting metric for host re-identification.
This research has been undertaken to empirically test the assumption that it is trivial to bypass an antivirus application and to gauge the effectiveness of antivirus engines when faced with a number of known evasion techniques. A known malicious binary was combined with evasion techniques and deployed against several antivirus engines to test their detection ability. The research also documents the process of setting up an environment for testing antivirus engines as well as building the evasion techniques used in the tests. This environment facilitated the empirical testing that was needed to determine if the assumption that antivirus security controls could easily be bypassed holds. The results of the empirical tests are also presented in this research and demonstrate that it is indeed within reason that an attacker can evade multiple antivirus engines without much effort. As such, while an antivirus application is useful for protecting against known threats, it does not work as effectively against unknown threats.
This article illustrates the merits of visual analysis as it presents preliminary findings using InetVis, an animated 3-D scatter plot visualization of network events. The concepts and features of InetVis are evaluated with reference to related work in the field. Tested against a network scanning tool, anticipated visual signs of port scanning and network mapping serve as a proof of concept. This research also unveils substantial amounts of suspicious activity present in Internet traffic during August 2005, as captured by a class C network telescope. InetVis is found to have promising scalability whilst offering salient depictions of intrusive network activity.
Papers by Barry Irwin