Barry Irwin | Noroff University College (original) (raw)
Papers by Barry Irwin
International Conference on Intelligent and Innovative Computing Applications
This research explains both why logging is useful and why the integrity of logs and the logging p... more This research explains both why logging is useful and why the integrity of logs and the logging process is important. This is followed by a discussion of the design and implementation of a high-performance secure logging framework, implemented in Golang (Go). This is implemented as a server-client for *nix-like systems, with a focus on security first. While a custom protocol is introduced for security, the server remains compatible with traditional syslog log messages, albeit without the added performance and security features. The functionality of the implementation is reflected on along with preliminary performance bench-marking. While most of the design goals are satisfied, one notable area of concern is the performance hit caused through the use of RSA encryption. Aside from this the system was found to perform well with logging rates in excess of 20 thousand events per second achieved. The work concludes with some suggestions for improvements and future work.
Abstract—This paper presents results form the analysis of twelve months of network telescope traf... more Abstract—This paper presents results form the analysis of twelve months of network telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are highlighted. In particular the bulk of traffic analysed had its source in the China from a volume perspective, but Eastern United States, and North Western Europe were shown to be primary sources when the number of unique hosts were considered. Traffic from African states (South Africa in particular) was also found to be surprisingly high. This unexpected result may be due to the network locality preference of many automated agents. Both statistical and graphical analysis are presented. It is found that a country with a high penetration of broadband connectivity is likley to feature highly in Network telescope traffic, as are networks logically close to the telescope network.
International Conference on Intelligent and Innovative Computing Applications
This paper explores the contribution made by IPv4 address space attributable to Mauritian organis... more This paper explores the contribution made by IPv4 address space attributable to Mauritian organisations to the Internet Background Radiation (IBR). Data spanning a duration of 19 months starting in January 2021, from six discrete network telescopes is used as the basis for the analysis. A decomposition of the traffic is presented considering top origins by both ASN and netblock. An analysis is presented on the top 10 targeted TCP ports across the data. Alongside this an exploration is done into some of the more unusual probing for known vulnerable services that was observed. A determination of the reflected traffic and consideration of identified anomalies concludes the analysis. Mauritian IP address space is found to be relatively well regulated, and not have a large population of contributors to IBR either via active scanning or via reflected traffic.
Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists, 2018
In this paper we present the design and implementation of an indirect messaging extension for the... more In this paper we present the design and implementation of an indirect messaging extension for the existing NFComms framework that provides communication between a network flow processor and host CPU. This extension addresses the bulk throughput limitations of the framework and is intended to work in conjunction with existing communication mediums. Testing of the framework extensions shows an increase in throughput performance of up to 300× that of the current direct message passing framework at the cost of increased single message latency of up to 2×. This trade-off is considered acceptable as the proposed extensions are intended for bulk data transfer only while the existing message passing functionality of the framework is preserved and can be used in situations where low latency is required for small messages.
The research presented by this paper is an exploration of network security visualizations. It is ... more The research presented by this paper is an exploration of network security visualizations. It is argued that visual representations of data allow us to pick up anomalous and suspicious traffic patterns. They also afford an intuitive holistic understanding of data; an understanding of data that would otherwise be lost (or hard to come by) if data were reviewed in a textual format. As an integral part of this research, graphical methods for representing network events are evaluated, and the ability to identify intrusive traffic patterns is a primary criterion for this evaluation. A literature survey of several network visualizations aims to provide a perspective on the current ‘state of the art ’ in the field. From this survey, scalability is identified as a concern. Points are argued for as a simple and scalable visual metaphor to represent events (instead of the conventional line metaphors employed in many visualizations). Practical research of this involves a 3-D animated and inter...
The annual Southern Africa Telecommunication Networks and Applications Conference (SATNAC), Kogel... more The annual Southern Africa Telecommunication Networks and Applications Conference (SATNAC), Kogelberg Biosphere Reserve, Hermanus, Western Cape, South Africa, 6-9 September 2015. Due to copyright restrictions, the attached PDF file only contains the abstract of the full text item. For access to the full text item, please consult the publisher's website.
This paper describes the design and application of Link, a Domain Specific Language (DSL) targeti... more This paper describes the design and application of Link, a Domain Specific Language (DSL) targeting the development of network applications focused on traffic manipulation at the frame level. The development of Link is described through the identification and evaluation of intended applications and an example translator is implemented to target the FRAME board which was developed in conjunction with this research. Four application examples are then provided to help describe the feasibility of Link when used in conjunction with the implemented translator.
Proceedings of the 8th International Conference on Signal Processing Systems - ICSPS 2016, 2016
A state-of-the-art software countermeasure to defend against side channel attacks is investigated... more A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
2016 2nd International Conference on Frontiers of Signal Processing (ICFSP), 2016
International Journal of Cyber Warfare and Terrorism, 2016
The potential attack surface of a nation is large and no single source of cyber security data pro... more The potential attack surface of a nation is large and no single source of cyber security data provides all the required information to accurately describe the cyber security readiness of a nation. There are a variety of specialised data sources available to assess the state of a nation in key areas such as botnets, spam servers and incorrectly configured hosts. By applying data fusion principles, the potential exists to provide a representative view of all combined data sources. This research will examine a variety of currently available Internet data sources and apply it to an adapted Joint Directors of Laboratories (JDL) data fusion model in order to illustrate the potential gains and current limitations. The JDL model has been adapted to suit national level cyber sensor data fusion with the aim to formally define and reduce data ambiguity and enhance fusion capability in a real world system. A case study highlights the results of applying available open source security informatio...
2013 Information Security for South Africa, 2013
Packet demultiplexing and analysis is a core concern for network security, and has hence inspired... more Packet demultiplexing and analysis is a core concern for network security, and has hence inspired numerous optimisation attempts since their conception in early packet demultiplexing filters such as CSPF and BPF. These optimisations have generally, but not exclusively, focused on improving the speed of packet classification. Despite these improvements however, packet filters require further optimisation in order to be effectively applied within next generation networks. One identified optimisation is that of reducing the average path length of the global filter by selecting an optimum filter permutation. Since redundant code generation does not change the order of computation, the initial filter order before filter optimisation affects the average path length of the resultant control-flow graph, thus selection of an optimum permutation of filters could provide significant performance improvements. Unfortunately, this problem is NP-Complete. In this paper, we consider using Genetic A...
Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the nee... more Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the need to transport data in real-time, often at the expense of security. The neglect of secure VoIP is often intentional, as developers are striving to minimise overheads and delays. The Secure Real-Time Protocol (SRTP) has the potential to secure real-time streams without exacting too high a performance price. SRTP is the addition of security to the audio/video profile used in the Real-Time Transport Protocol (RTP). SRTP adds confidentiality, integrity and optionaly authenticity to RTP media streams. This paper focuses on the integration of SRTP into Asterisk, an open-source VoIP PBX. SRTP support has recently been added to Asterisk by Mikael Magnusson. This paper analyses Magnusson’s implementation, contrasting it to a proof-of-concept implementation developed independently at Rhodes University. The interoperability of SRTP implementations cannot be taken for granted, given the relatively r...
... Analysis of SQL injection (2005). Download: http://research.ict.ru.ac.za/g01r0806/HnsThesis. ... more ... Analysis of SQL injection (2005). Download: http://research.ict.ru.ac.za/g01r0806/HnsThesis. pd CACHED: Download as a PDF. by Barry Irwin. Add To MetaCart. Add to Collection; ... MISC{Irwin05analysisof, author = {Barry Irwin}, title = {Analysis of SQL injection}, year = {2005} }. ...
Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to ... more Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the system to deploy new algorithms. As a result, anomaly detection algorithms are time consuming, difficult and cumbersome to develop. This paper presents an alternative system which permits the deployment of anomaly detection algorithms without the need to even restart the NIDS. This system is, therefore, suitable for the rapid development of new algorithms, or in environments where high-availability is required.
2017 Information Security for South Africa (ISSA)
This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. ... more This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. An evaluation is performed on the EM leakage as the device executes the AES-128 cryptographic algorithm contained in the Crypto++ library in a threaded environment. Four multi-threaded implementations are evaluated. These implementations are Portable Operating System Interface Threads, C++11 threads, Threading Building Blocks, and OpenMP threads. It is demonstrated that the various thread techniques have distinct variations in frequency and shape as EM emanations is leaked from the Raspberry Pi. Additionally, noise is introduced while the cryptographic algorithm executes. The results indicates that tt is still possible to visibly see the execution of the cryptographic algorithm. However, out of 50 occasions the cryptographic execution was not detected 32 times. It was further identified when calculating prime numbers, the cryptographic algorithm becomes hidden. Furthermore, the analysis pointed in the direction that when high prime numbers are calculated there is a window where the cryptographic algorithm can not be seen visibly in the EM spectrum.
AbstractThis paper presents results form the analysis of twelve months of network telescope traf... more AbstractThis paper presents results form the analysis of twelve months of network telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are highlighted. In particular the bulk of traffic analysed had its ...
2013 International Conference on Adaptive Science and Technology, 2013
International Conference on Intelligent and Innovative Computing Applications
This research explains both why logging is useful and why the integrity of logs and the logging p... more This research explains both why logging is useful and why the integrity of logs and the logging process is important. This is followed by a discussion of the design and implementation of a high-performance secure logging framework, implemented in Golang (Go). This is implemented as a server-client for *nix-like systems, with a focus on security first. While a custom protocol is introduced for security, the server remains compatible with traditional syslog log messages, albeit without the added performance and security features. The functionality of the implementation is reflected on along with preliminary performance bench-marking. While most of the design goals are satisfied, one notable area of concern is the performance hit caused through the use of RSA encryption. Aside from this the system was found to perform well with logging rates in excess of 20 thousand events per second achieved. The work concludes with some suggestions for improvements and future work.
Abstract—This paper presents results form the analysis of twelve months of network telescope traf... more Abstract—This paper presents results form the analysis of twelve months of network telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are highlighted. In particular the bulk of traffic analysed had its source in the China from a volume perspective, but Eastern United States, and North Western Europe were shown to be primary sources when the number of unique hosts were considered. Traffic from African states (South Africa in particular) was also found to be surprisingly high. This unexpected result may be due to the network locality preference of many automated agents. Both statistical and graphical analysis are presented. It is found that a country with a high penetration of broadband connectivity is likley to feature highly in Network telescope traffic, as are networks logically close to the telescope network.
International Conference on Intelligent and Innovative Computing Applications
This paper explores the contribution made by IPv4 address space attributable to Mauritian organis... more This paper explores the contribution made by IPv4 address space attributable to Mauritian organisations to the Internet Background Radiation (IBR). Data spanning a duration of 19 months starting in January 2021, from six discrete network telescopes is used as the basis for the analysis. A decomposition of the traffic is presented considering top origins by both ASN and netblock. An analysis is presented on the top 10 targeted TCP ports across the data. Alongside this an exploration is done into some of the more unusual probing for known vulnerable services that was observed. A determination of the reflected traffic and consideration of identified anomalies concludes the analysis. Mauritian IP address space is found to be relatively well regulated, and not have a large population of contributors to IBR either via active scanning or via reflected traffic.
Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists, 2018
In this paper we present the design and implementation of an indirect messaging extension for the... more In this paper we present the design and implementation of an indirect messaging extension for the existing NFComms framework that provides communication between a network flow processor and host CPU. This extension addresses the bulk throughput limitations of the framework and is intended to work in conjunction with existing communication mediums. Testing of the framework extensions shows an increase in throughput performance of up to 300× that of the current direct message passing framework at the cost of increased single message latency of up to 2×. This trade-off is considered acceptable as the proposed extensions are intended for bulk data transfer only while the existing message passing functionality of the framework is preserved and can be used in situations where low latency is required for small messages.
The research presented by this paper is an exploration of network security visualizations. It is ... more The research presented by this paper is an exploration of network security visualizations. It is argued that visual representations of data allow us to pick up anomalous and suspicious traffic patterns. They also afford an intuitive holistic understanding of data; an understanding of data that would otherwise be lost (or hard to come by) if data were reviewed in a textual format. As an integral part of this research, graphical methods for representing network events are evaluated, and the ability to identify intrusive traffic patterns is a primary criterion for this evaluation. A literature survey of several network visualizations aims to provide a perspective on the current ‘state of the art ’ in the field. From this survey, scalability is identified as a concern. Points are argued for as a simple and scalable visual metaphor to represent events (instead of the conventional line metaphors employed in many visualizations). Practical research of this involves a 3-D animated and inter...
The annual Southern Africa Telecommunication Networks and Applications Conference (SATNAC), Kogel... more The annual Southern Africa Telecommunication Networks and Applications Conference (SATNAC), Kogelberg Biosphere Reserve, Hermanus, Western Cape, South Africa, 6-9 September 2015. Due to copyright restrictions, the attached PDF file only contains the abstract of the full text item. For access to the full text item, please consult the publisher's website.
This paper describes the design and application of Link, a Domain Specific Language (DSL) targeti... more This paper describes the design and application of Link, a Domain Specific Language (DSL) targeting the development of network applications focused on traffic manipulation at the frame level. The development of Link is described through the identification and evaluation of intended applications and an example translator is implemented to target the FRAME board which was developed in conjunction with this research. Four application examples are then provided to help describe the feasibility of Link when used in conjunction with the implemented translator.
Proceedings of the 8th International Conference on Signal Processing Systems - ICSPS 2016, 2016
A state-of-the-art software countermeasure to defend against side channel attacks is investigated... more A state-of-the-art software countermeasure to defend against side channel attacks is investigated in this work. The implementation of this novel approach consists of using multi-threads and a task scheduler on a microcontroller to purposefully leak out information at critical points in the cryptographic algorithm and confuse the attacker. This research demonstrates it is capable of outperforming the known countermeasure of hiding and shuffling in terms of preventing the secret information from being leaked out. Furthermore, the proposed countermeasure mitigates the side channel attacks, such as correlation power analysis and template attacks.
2016 2nd International Conference on Frontiers of Signal Processing (ICFSP), 2016
International Journal of Cyber Warfare and Terrorism, 2016
The potential attack surface of a nation is large and no single source of cyber security data pro... more The potential attack surface of a nation is large and no single source of cyber security data provides all the required information to accurately describe the cyber security readiness of a nation. There are a variety of specialised data sources available to assess the state of a nation in key areas such as botnets, spam servers and incorrectly configured hosts. By applying data fusion principles, the potential exists to provide a representative view of all combined data sources. This research will examine a variety of currently available Internet data sources and apply it to an adapted Joint Directors of Laboratories (JDL) data fusion model in order to illustrate the potential gains and current limitations. The JDL model has been adapted to suit national level cyber sensor data fusion with the aim to formally define and reduce data ambiguity and enhance fusion capability in a real world system. A case study highlights the results of applying available open source security informatio...
2013 Information Security for South Africa, 2013
Packet demultiplexing and analysis is a core concern for network security, and has hence inspired... more Packet demultiplexing and analysis is a core concern for network security, and has hence inspired numerous optimisation attempts since their conception in early packet demultiplexing filters such as CSPF and BPF. These optimisations have generally, but not exclusively, focused on improving the speed of packet classification. Despite these improvements however, packet filters require further optimisation in order to be effectively applied within next generation networks. One identified optimisation is that of reducing the average path length of the global filter by selecting an optimum filter permutation. Since redundant code generation does not change the order of computation, the initial filter order before filter optimisation affects the average path length of the resultant control-flow graph, thus selection of an optimum permutation of filters could provide significant performance improvements. Unfortunately, this problem is NP-Complete. In this paper, we consider using Genetic A...
Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the nee... more Implementations of Voice over Internet Protocol (VoIP) have focused, up to now, mainly on the need to transport data in real-time, often at the expense of security. The neglect of secure VoIP is often intentional, as developers are striving to minimise overheads and delays. The Secure Real-Time Protocol (SRTP) has the potential to secure real-time streams without exacting too high a performance price. SRTP is the addition of security to the audio/video profile used in the Real-Time Transport Protocol (RTP). SRTP adds confidentiality, integrity and optionaly authenticity to RTP media streams. This paper focuses on the integration of SRTP into Asterisk, an open-source VoIP PBX. SRTP support has recently been added to Asterisk by Mikael Magnusson. This paper analyses Magnusson’s implementation, contrasting it to a proof-of-concept implementation developed independently at Rhodes University. The interoperability of SRTP implementations cannot be taken for granted, given the relatively r...
... Analysis of SQL injection (2005). Download: http://research.ict.ru.ac.za/g01r0806/HnsThesis. ... more ... Analysis of SQL injection (2005). Download: http://research.ict.ru.ac.za/g01r0806/HnsThesis. pd CACHED: Download as a PDF. by Barry Irwin. Add To MetaCart. Add to Collection; ... MISC{Irwin05analysisof, author = {Barry Irwin}, title = {Analysis of SQL injection}, year = {2005} }. ...
Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to ... more Most current Network Intrusion Detection Systems (NIDS) perform detection by matching traffic to a set of known signatures. These systems have well defined mechanisms for the rapid creation and deployment of new signatures. However, despite their support for anomaly detection, this is usually limited and often requires a full recompilation of the system to deploy new algorithms. As a result, anomaly detection algorithms are time consuming, difficult and cumbersome to develop. This paper presents an alternative system which permits the deployment of anomaly detection algorithms without the need to even restart the NIDS. This system is, therefore, suitable for the rapid development of new algorithms, or in environments where high-availability is required.
2017 Information Security for South Africa (ISSA)
This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. ... more This research investigates the Electromagnetic (EM) side channel leakage of a Raspberry Pi 2 B+. An evaluation is performed on the EM leakage as the device executes the AES-128 cryptographic algorithm contained in the Crypto++ library in a threaded environment. Four multi-threaded implementations are evaluated. These implementations are Portable Operating System Interface Threads, C++11 threads, Threading Building Blocks, and OpenMP threads. It is demonstrated that the various thread techniques have distinct variations in frequency and shape as EM emanations is leaked from the Raspberry Pi. Additionally, noise is introduced while the cryptographic algorithm executes. The results indicates that tt is still possible to visibly see the execution of the cryptographic algorithm. However, out of 50 occasions the cryptographic execution was not detected 32 times. It was further identified when calculating prime numbers, the cryptographic algorithm becomes hidden. Furthermore, the analysis pointed in the direction that when high prime numbers are calculated there is a window where the cryptographic algorithm can not be seen visibly in the EM spectrum.
AbstractThis paper presents results form the analysis of twelve months of network telescope traf... more AbstractThis paper presents results form the analysis of twelve months of network telescope traffic spanning 2005 and 2006, and details some of the tools developed. The most significant results of the analysis are highlighted. In particular the bulk of traffic analysed had its ...
2013 International Conference on Adaptive Science and Technology, 2013