The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

Internet & Web Law 1996

William J. Cook
Added 2016-12-01

Distributed Intrusion Detection System (DIDS) User Manual

Trident Data Systems
Added 2016-11-29

Firewalls & Internet Security Conference

National Computer Security Association
Added 2016-11-29

Report to the President June 2005: Computational Science: Ensuring America's Competitiveness

President's Information Technology Advisory Committee
Added 2016-11-29

Analyzing Computer Intrusions

Andrew H. Gross
Added 2016-11-29

Computer Viruses

David J. Stang
Added 2016-11-11

E-lection 2004 Is e-voting ready for prime time?

John Marshall Law School
Added 2016-11-11

Spyder

Trident Data Systems
Added 2016-11-11

Computational Environment for Modeling and Analysing Network Traffic Behaviour using the Divide and Recombine Framework

CERIAS TR 2016-6
Ashrith Barthur
Download: PDF

There are two essential goals of this research. The first is to design and construct a computational environment for studying large and complex datasets in the cybersecurity domain. The second is to analyse the Spamhaus blacklist query dataset, which includes uncovering the properties of blacklisted hosts and understanding how blacklisted hosts behave over time. The analytical environment enables deep analysis of very large and complex datasets by exploiting the divide and recombine framework. The capability to analyse data in depth lets research go beyond summary statistics: this deep analysis is carried out at the highest level of granularity without any compromise on the size of the data. The environment is also fully capable of processing the raw data into a data structure suited for analysis. Spamhaus is an organisation that identifies malicious hosts on the Internet. Information about malicious hosts is stored by Spamhaus in a distributed database and served through DNS query-response. Spamhaus and other malicious-host-blacklisting organisations have replaced the smaller malicious host databases that multiple organisations once curated independently for their internal needs. Spamhaus services are popular due to their free access, exhaustive information, historical information, simple DNS-based implementation, and reliability. The malicious host information obtained from these databases is used as the first step in weeding out potentially harmful hosts on the Internet. During the course of this research a detailed packet-level analysis was carried out on the Spamhaus blacklist data. It was observed that the query-responses displayed some peculiar behaviours. These anomalies were studied and modelled, and were found to show definite patterns. These patterns are empirical proof of a systemic or statistical phenomenon.

Added 2016-10-17

Building a Digital Forensic Investigation Technique for Forensically Sound Analysis of Covert Channels in IPv6 and ICMPv6, Using Custom IDS Signatures and Firewall System Logs

CERIAS TR 2016-7
Lourdes Gino Dominic Savio
Download: PDF

Covert channels are communication channels used for information transfer and created by violating the security policies of a system (Latham, 1986, p. 80). Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have features, functionality and options which could be exploited by cyber criminals to leak data or to communicate anonymously through covert channels. With the advent of IPv6, researchers have been on the lookout for covert channels in IPv6, and one of them demonstrated a proof of concept in 2006. In the nine years since, IPv6 and its related protocols have undergone major changes, which introduced a need to reevaluate the current situation of IPv6. The current research is a continuation of our (author of this thesis - Lourdes, and committee member - Prof. Hansen) previous studies (Lourdes & Hansen, 2015, 2016), which confirmed the existence of covert channels in IPv6 and ICMPv6 by building software that creates them and testing it against a simulated enterprise network. Our study had also explained how some enterprise firewalls and Intrusion Detection Systems (IDS) do not currently detect such covert channels, and how they could be tuned to detect them. The current research aimed at understanding whether these detection mechanisms (IDS signatures) for IPv6 and ICMPv6 covert channels are forensically sound, and at exploring whether the system logs left by such covert channels in the firewall could provide forensically sound evidence. The current research showed that the IDS signatures that detected certain covert channels in IPv6 and ICMPv6 conformed to the forensic soundness criteria of ‘validity of the scientific method’ and ‘known/potential error rates’. The current research also showed that the firewall system logs potentially detected certain covert channels in IPv6 and ICMPv6 and also conformed to the forensic soundness criterion of ‘validity of the scientific method’. Thus the current study showed that these could be used as digital forensic investigation techniques for network forensics of certain types of covert channels in IPv6 and ICMPv6.

Added 2016-09-06