Back | Pr Home | Current projects | Prev. projects | Background research | [Bill's Home]
The recent success of the Hons level projects include: 2007: Winning Project (Ewan Gunn) - Young Software
Engineer of the Year Award 2007 (prize to be awarded). Link: [2007
prize winner]
Name: Benoit Jacob Botnets are networks of malware-infected machines that are controlled by an adversary are the cause of a large number of problems on the internet [1]. They are increasing faster than any other type of malware and have created a huge army of hosts over the internet. By coordinating themselves, they are able to initiate attacks of unprecedented scales [2]. An example of such a Botnet can be made in Python code. This Botnet will be able to generate a simple attack which will steal screenshots taken while the user is entering his confidential information on a bank website. The aim of this project is firstly to detect and analyse this Botnet operation and secondly to make statistics of the Intrusion Detection System detection rate.
Name: Flavien Flandrin Nowadays every organisation is connected to the Internet and more and more of the world population have access to the Internet. The development of Internet permits to simplify the communication between the people. Now it is easy to have a conversation with people from everywhere in the world. This popularity of Internet brings also new threats like viruses, worm, Trojan, or denial of services. Because of this, companies start to develop new security systems, which help in the protection of networks. The most common security tools used by companies or even by personal users at home are firewalls, antivirus and now even Intrusion Detection System (IDS). Nevertheless, this is not enough so a new security system has been created as Intrusion Prevention Systems, which are getting more popular with the time .This could be defining as the blend between a firewall and an IDS. The IPS is using the detection capability of the IDS and the response capability of a firewall. Two main types of IPS exist, Network-based Intrusion Prevention System (NIPS) and Host-based Intrusion Prevention System (HIPS). The thirst should be set-up in front of critical resources as a web server while the second is set-up inside the host and so protect only this host. Different methodologies are used to evaluate IPSs but all of them have been produced by constructors or by organisms specialised in the evaluation of security devices. This means that no standard methodology in the evaluation of IPS exists. The utilisation of such methodology permits to benchmark system in an objective way and so it will be possible to compare the results with other systems. This thesis reviews different evaluation methodologies for IPS. Because of the lack of documentation around them the analysis of IDS evaluation methodology will be also done. This will permit to help in the creation of an IPS evaluation methodology. The evaluation of such security system is vast; this is why this thesis will only focus on a particular type of threat: Distributed Denial of Service (DDoS). The evaluation methodology will be around the capacity of an IPS to handle such threat. The produced methodology is capable of generating realistic background traffic along with attacking traffic, which are DDoS attacks. Four different DDoS attacks will be used to carry out the evaluation of a chosen IPS. The evaluation metrics are the packet lost that will be evaluated on two different ways because of the selected IPS. The other metrics are the time to respond to the attack, the available bandwidth, the latency, the reliability, the CPU load, and memory load. All experiment have been done in a real environment to ensure that the results are the more realistic possible. The selected IPS to carry out the evaluation of the methodology is the most popular and open-source Snort, which has been set-up in a Linux machine. The results shows that system is effective to handle a DDoS attack but when the rate of 6 000 pps of malicious traffic is reach Snort start to dropped malicious and legitimate packets without any differences. It also shows that the IPS could only handle traffic lower than 1Mbps. The conclusion shows that the produces methodology permits to evaluate the mitigation capability of an IPS. The limitations of the methodology are also explained. One of the key limitations is the impossibility to aggregate the background traffic with the attacking traffic. Furthermore, the thesis shows interesting future work that could be done as the automation of the evaluation procedure to simply the evaluation of IPSs.
Name: Vergin, Adrian New versions of Windows come equipped with mechanisms, such as EFS and BitLocker, which are capable of encrypting data to an industrial standard on a Personal Computer. This creates problems if the computer in question contains electronic evidence. BitLocker, for instance, provides a secure way for an individual to hide the contents of their entire disk, but as with most technologies, there are bound to be weaknesses and threats to the security of the encrypted data. It is conceivable that this technology, while appearing robust and secure, may contain flaws, which would jeopardize the integrity of the whole system. As more people encrypt their hard drives, it will become harder and harder for forensic investigators to recover data from Personal Computers. By analyzing Windows encryption, the author intends to produce automated tools to aid investigators in gaining access to this data, as well as contribute to the progression of Windows encryption standards. Over the course of this document, the author outlines both encryption systems and points out potential vulnerabilities in them. While presenting his findings, the author also provides tips and suggestions on how to use EFS and BitLocker in order to optimize their efficiency and make the best use of their strengths. This project also delivers software solutions designed to help compromise the integrity of these systems. The ultimate finding of this project is that in order to keep data at rest optimally secure, both EFS and BitLocker should be used in tandem, or they should be used in conjunction with other encryption solutions. Neither of these solutions is completely impenetrable on it's own, but when combined with other forms of encryption, they provide a layer of defense that's sufficiently hard to crack.
Name: Owen Lo There are a multitude of threats now faced in computer networks such as viruses, worms, trojans, attempted user privilege gain, data stealing and denial of service. As a first line of defence, firewalls can be used to prevent threats from breaching a network. Although effective, threats can inevitably find loopholes to overcome a firewall. As a second line of defence, security systems, such as malicious software scanners may be put in place to detect a threat inside the network. However, such security systems cannot necessary detect all known threats, therefore a last line of defence comes in the form of logging a threat using Intrusion Detection Systems (Buchanan, 2009, p. 43). Being the last line of defence, it is vital that IDSs are up to an efficient standard in detecting threats. Researchers have proposed methodologies for the evaluation of IDSs but, currently, no widely agreed upon standard exists (Mell, Hu, Lippmann, Haines, & Zissman, 2003, p. 1). Many different categories of IDSs are available, including host-based IDS (HIDS), network-based IDS (NIDS) and distributed-based IDS (DIDS). Attempting to evaluate these different categories of IDSs using a standard accepted methodology allows for accurate benchmarking of results. This thesis reviews four existing methodologies and concludes that the most important aspects in an effective evaluation of IDSs must include realistic attack and background traffic, ease of automation and meaningful metrics of evaluation. A prototype framework is proposed which is capable of generating realistic attacks including surveillance/probing, user privilege gain, malicious software and denial of service. The framework also has the capability of background traffic generation using static network data sets. The detection metrics of efficiency, effectiveness and packet loss are defined along with resource utilisation metrics in the form of CPU utilisation and memory usage. A GUI developed in Microsoft .NET C# achieves automation of sending attack and background traffic, along with the generation of detection metrics from the data logged by the IDS under evaluation. Using a virtual networking environment, the framework is evaluated against the NIDS Snort to show the capabilities of the implementation. Mono was used to run the .NET application in a Linux environment. The results showed that, whilst the NIDS is highly effective in the detection of attacks (true-positives), its main weakness is the dropping of network packets at higher CPU utilisations due to high traffic volume. At around 80Mbps playback volumes of background traffic and above, it was found that Snort would begin to drop packets. Furthermore, it was also found that the NIDS is not very efficient as it tends to raise a lot of alerts even when there are no attacks (false-positives). The conclusion drawn in this thesis is that the framework is capable of carrying out an evaluation of an NIDS. However, several limitations to the current framework are also identified. One of the key limitations is that there is a need for controlled aggregation of network traffic in this framework so that attack and background traffic can be more realistically mixed together. Furthermore, the thesis shows that more research is required in the area of background traffic generation. Although the framework is capable of generating traffic using state data sets, a more ideal solution would be an implementation in which allows the user to select certain “profiles” of network traffic. This would serve the purpose of better reflecting the network environment in which the IDS will be deployed on.
Name: Richard Macfarlane Security policies are increasingly being implemented by organisations. Policies are mapped to device configurations to enforce the policies. This is typically performed manually by network administrators. The development and management of these enforcement policies is a difficult and error prone task. This thesis describes the development and evaluation of an off-line firewall policy
parser and validation tool. This provides the system administrator with a textual
interface and the vendor specific low level languages they trust and are familiar with,
but the support of an off-line compiler tool. The tool was created using the Microsoft
C#.NET language, and the Microsoft Visual Studio Integrated Development
Environment (IDE). This provided an object environment to create a flexible and extensible
system, as well as simple Web and Windows prototyping facilities to create
GUI front-end applications for testing and evaluation. A CLI was provided with the
tool, for more experienced users, but it was also designed to be easily integrated into The validation tool was created, based around a pragmatic outlook, with regard to the needs of the network administrator. The modularity of the design was important, due to the fast changing nature of the network device languages being processed. An object oriented approach was taken, for maximum changeability and extensibility, and a flexible tool was developed, due to the possible needs of different types users. System administrators desire, low level, CLI-based tools that they can trust, and use easily from scripting languages. Inexperienced users may prefer a more abstract, high level, GUI or Wizard that has an easier to learn process. Built around these ideas, the tool was implemented, and proved to be a usable, and complimentary addition to the many network policy-based systems currently available. The tool has a flexible design and contains comprehensive functionality. As opposed to some of the other tools which perform across multiple vendor languages, but do not implement a deep range of options for any of the languages. It compliments existing systems, such as policy compliance tools, and abstract policy analysis systems. Its validation algorithms were evaluated for both completeness, and performance. The tool was found to correctly process large firewall policies in just a few seconds. A framework for a policy-based management system, with which the tool would integrate, is also proposed. This is based around a vendor independent XML-based repository of device configurations, which could be used to bring together existing policy management and analysis systems.
Name: Colin Symon In a digital forensics investigation, log files can be used as a form of evidence by reconstructing timelines of the computer system events recorded in log files. Log files can come from a variety of sources, each of which may make use of proprietary log file formats (Pasquinucci, 2007). In addition, the large volume of information to be filtered through can make the job of forensic examination a difficult and time consuming task. The aim of this thesis is to explore methods of logging and displaying event information which is gathered from computer systems, specifically in relation to the collection, correlation and presentation of log information. By means of a literature review, it has been found that by correlating and storing log information in a central log database it should be possible to construct a system which can access this information and present it in the form of a timeline to the investigator. The important contribution that visualisation techniques can bring to log analysis applications has been made by Marty (2008, p.5) by stating that “a picture is worth a thousand log records”. A prototype system has been produced which makes use of the latest technologies to enhance current methods of displaying log data, such as those employed by the Microsoft Windows Event Viewer. The prototype system, developed using a rapid prototyping methodology, separates the log management process into collection, correlation and storage, and presentation. Through use of a standard XML log format and central storage of log information in a Microsoft SQL Server 2008 database, the prototype aims to overcome the issue of proprietary log formats and the difficulty in correlating data obtained from different sources. A log and timeline viewer application has been developed using C#, Windows Presentation Foundation and .NET Framework technologies, enabling the digital forensics investigator to filter event records and visualise timelines of events by means of bar, line and scatter charts. Through the means of user evaluation it has been found that the prototype system improves upon the Microsoft Windows Event Viewer from overview and filtering perspectives. By means of technical experimentation, it has been found that there are scalability issues with the way in which the prototype system imports log information contained within XML files, into the database component. The time taken to import log records, of various sizes, into the database was measured. It was found that for files larger than 2MB, the time taken was longer than two users, of the seven who gave feedback on of the system, would be prepared to wait. Further development into the visualisation of timelines has been suggested as the prototype system is somewhat limited in its ability to provide details of the links between digital
Name: Stuart Gilbertson IT Administrators are constantly faced with threats as a result of the Internet
(West, M. 2008). There is a huge range of solutions on the market today to assist
and defend against such threats, but they are either costly or complicated to set
up and configure properly. The assaults circulating on the Internet at this very Distributed Denial of Service attacks are getting more and more advanced as a
result of sophisticated malware being released into the wild. As a result, new
methods of mitigating these attacks need to be designed and developed. This
thesis aimed to read similar related work done and gain an in-depth examination
of DDoS taxonomy, bot nets, malware and mitigation methods. The thesis also The main aim of this thesis was to analyse current Distributed Denial of Service botnets, malware and taxonomies to determine the best prototype to design and develop that could detect and mitigate an attack on a server. A human verification prototype was developed and implemented that would require user input to validate the visitor to a site was a real person. This system would only trigger if the visitor sent too many requests for the site per minute. If the visitor failed to validate, the system firewalls their IP address. Where is he now: Stuart owns Consider IT providing IT support to businesses in the Edinburgh and surrounding areas. k
Name: Ashlef Wagstaff With increasing numbers of broadband connections (Office for National Statistics, 2008) and consumers conducting ever more complex transactions on those connections (Nicholas, Kershaw, & Walker, 2006 /2007), it is imperative that users and services have accountability through proof of identity (Summers, 1997). Yet some proponents argue that given the openness of the internet it may be almost impossible to absolutely prove the identity of a remote person or service (Price, 2006). Kim Cameron in his argument for Federated Identity states that “A system that does not put users in control will – immediately or over time – be rejected.” (2005) which is also a view echoed by Dean (Identity Management – back to the user, 2006). The aim of the thesis is to argue for a self-authentication factor that is integrated into a Federated Identity infrastructure using an out-of-band loop to a mobile device; this argument is then supported with an implemented proof-of-concept prototype. The prototype and its concept are evaluated in a small usability study and an encryption performance experiment on a mobile device. The results of the usability study show that users feel more comfortable with self-authentication using something physical that they hold and respond to than with a third party verifying information on their behalf. The results also show the encryption needed for end-to-end confidentiality and integrity during the out-of-band communication will affect battery life to a degree. The thesis concludes that there is a sound base for self-authentication from a user perspective and that further user and infrastructure studies will need to be conducted on self-authentication before it is realised in the marketplace. It also found that implementing the prototype was more straightforward for the .Net Compact Framework on the Windows Mobile device than it was using the JavaMe platform.
Name: James Robb The use of intranets has grown exponentially since the mid 1990‟s with the scope and range of applications increasing every year. In 1998 U.S. organisations were reported to spend over $10.9 billion, or a quarter of their web related project spending on intranet projects (Lamb, 2000). By 2001 it was reported that nearly 90% of large organisation had some form of intranet. Nearly a quarter of these organisations intranets had capabilities well beyond the simple publication of news and memos (Stellin, 2001). At present, intranet technologies have been considerably developed since their introduction as static web pages for corporate announcements and notifications. Today, intranets are used as a central hub for global communication and collaboration, as well as a portal for back-end applications and legacy systems. Microsoft Office SharePoint Server (MOSS) is a one stop solution for collaboration, content management, business process, business intelligence, enterprise search implementation and portal development. MOSS is built upon the Windows SharePoint Services (WSS) and .NET platforms and provides increased functionality and capabilities. By investigating and utilising the components of MOSS this dissertation aims to produce a corporate intranet prototype. The prototype intends to provide a secure platform for collaboration, increased productivity, and reducing administration overheads. This report examines existing intranet solutions and the evolutionary process they have undergone. The design of the intranet prototype was based upon the existing intranet solutions using the components offered by MOSS. The ability for teams to collaborate was of the upmost importance and the prototype incorporates a number of MOSS features to achieve this. In an attempt to improve productivity the intranet combines multiple content repositories into a single interface. This simplifies the search process drastically allowing users to find relevant content from multiple sources with one click. It is estimated that 18% of corporate material becomes out of date after only 30 days of being produced (McGrath & Schneider, 1997). To remedy this, MOSS allows the implementation of business processes as electronic workflows which can simplify these processes and integrate with the existing intranet framework. To encourage the sharing of information and resources between employees, personal areas for each user were also implemented. The dissertation finds that whilst the implementation was deemed to be a success through user testing, further research would be required to find more suitable security controls. Furthermore, as little hard coding is required for users to implement web pages, non-technical users could be given control to create their own sites. Allowing the governance of control to be spread allows teams to create sites further adapted to their needs, it also poses significant problems. Non-technical users will invariably have little concept of the security risks posed and may in-fact be compromising the data they are using. Overall, although the prototype created contains a number of flaws. The capabilities of MOSS as an intranet platform have been fully investigated and the implementation shows its potential.
Name: Julien Corsini Nowadays, the majority of corporations mainly use signature-based intrusion detection. This trend is partly due to the fact that signature detection is a well-known technology, as opposed to anomaly detection which is one of the hot topics in network security research. A second reason for this fact may be that anomaly detectors are known to generate many alerts, the majority of which being false alarms. Corporations need concrete comparisons between different tools in order to choose which is best suited for their needs. This thesis aims at comparing an anomaly detector with a signature detector in order to establish which is best suited to detect a data theft threat. The second aim of this thesis is to establish the influence of the training period length of an anomaly Intrusion Detection System (IDS) on its detection rate. This thesis presents a Network-based Intrusion Detection System (NIDS) evaluation testbed setup. It shows the setup of two IDSes, the signature detector Snort and the anomaly detector Statistical Packet Anomaly Detection Engine (SPADE). The evaluation testbed also includes the setup of a data theft scenario (reconnaissance, brute force attack on server and data theft). The results from the experiments carried out in this thesis proved inconclusive, mainly due to the fact that the anomaly detector SPADE requires a configuration adapted to the network monitored. Despite the fact that the experimental results proved inconclusive, this thesis could act as documentation for setting up a NIDS evaluation testbed. It could also be considered as documentation for the anomaly detector SPADE. This statement is made from the observation that there is no centralised documentation about SPADE, and not a single research paper documents the setup of an evaluation testbed.
Name: Antonio J. Fernandez Sepulveda The Internet was initially created for academic purposes, and due to its success, it has been extended to commercial environments such as e-commerce, banking, and email. As a result, Internet crime has also increased. This can take many forms, such as: personal data theft; impersonation of identity; and network intrusions. Systems of authentication such as username and password are often insecure and difficult to handle when the user has access to a multitude of services, as they have to remember many different authentications. Also, other more secure systems, such as security certificates and biometrics can be difficult to use for many users. This is further compounded by the fact that the user does not often have control over their personal information, as these are stored on external systems (such as on a service provider's site). The aim of this thesis is to present a review and a prototype of Federated Identity Management system, which puts the control of the user's identity information to the user. In this system the user has the control over their identity information and can decide if they want to provide specific information to external systems. As well, the user can manage their identity information easily with Information Cards. These Information Cards contain a number of claims that represent the user's personal information, and the user can use these for a number of different services. As well, the Federated Identity Management system, it introduces the concept of the Identity Provider, which can handle the user's identity information and which issues a token to the service provider. As well, the Identity Provider verifies that the user's credentials are valid. The prototype has been developed using a number of different technologies such as .NET Framework 3.0, CardSpace, C#, ASP.NET, and so on. In order to obtain a clear result from this model of authentication, the work has created a website prototype that provides user authentication by means of Information Cards, and another, for evaluation purposes, using a username and password. This evaluation includes a timing test (which checks the time for the authentication process), a functionality test, and also quantitative and qualitative evaluation. For this, there are 13 different users and the results obtained show that the use of Information Cards seems to improve the user experience in the authentication process, and increase the security level against the use of username and password authentication. This thesis concludes that the Federated Identity Management model provides a strong solution to the problem of user authentication, and could protect the privacy rights of the user and returns the control of the user's identity information to the user.
Name: David Mcluskie Teaching and assessing students in the practical side of networking can be achieved through the use of simulators. However the network simulators are limited in what can they can do since the device being simulated is not fully functional and the generation of the exercises always result in the same specification being presented to the student[1, 2]. When the student has finished the exercise they are just presented with a pass or fail mark with no indication of areas of weakness or strength. The thesis investigates how the Bloom[3] and SOLO[4] learning taxonomies can be used to specify and mark network challenges while using the idea of fading worked examples[5] to design the challenges to lower the cognitive load on the student. This thesis then proposes a framework that can be used to generate network challenges specifications that changes every time the student attempts it. The challenge can then be solved using an emulation package called Dynamips while a bolt-on package called GNS3 is used to provide the graphical user interface. Once the student has finished the challenge it will then be graded and feedback presented indicating what was correct and incorrect. The evaluation of the framework was carried out in two phases. In the first phase the performance of the framework was monitored using a windows utility called performance monitor. The performance was measured on Windows XP, Windows Vista and XP running in an emulator. In each instance the performance was deemed to be satisfactory for running on each operating system. The second phase of the evaluation was carried out by asking students to evaluate the proposed framework. Once the students had finished the evaluation they were then asked to fill in a questionnaire about their experience. From the results of the questionnaire two of the most positive aspects of using the framework was that a fully feature IOS command line interface was available for the students to use and also once they had a mastered a skill they did not have to start from scratch in subsequent exercises reusing skills that had already mastered. However one of the negative aspects noticed from the questionnaire was the number of complex steps that was required to be followed to setup the challenge. The final implementation of the framework proved the concept of the design, even though all the proposed elements were not implemented. A program was written that generated a challenge with dynamic variables that changed every time it was attempted, Dynamips was used to provide to the student a fully working command line IOS interface and GNS3 was used to provide a graphical user interface. Finally the student was presented with feedback when they had completed the challenge.
The windows event log is used in digital forensic cases, but unfortunately it is flawed
in many ways, and often cannot be seen as a verifiable method of determining events.
In the past few years there have been a few highly publicised cases where the data that
is contained within the event log is used to successfully secure a conviction. The aim
of this dissertation is to develop a solution that addresses the flaws in the Windows
event logging service. Through research carried out it had been found that it was
possible to disable the event log service. This then allowed for important data to be
modified, such as usernames, computer names, times and dates. It was also noted that
an event log from one machine could successfully be transplanted into another
without any problems. All of these vulnerabilities involved having access to, and Based upon the research done, an event logging application was developed using C# and the Microsoft .NET framework. It makes use of RSA and AES encryption and HMAC hash signatures to improve the integrity of the data. The application is divided up into three components, an event logger which monitors specific files and folders within a computer system and sends alerts to the data archiving system in an XML format, and an event viewer that presents the events in a readable format to the user. The performances of the symmetric and asymmetric encryption were tested against
each other. It had been found that the symmetric encryption was 800% faster than
asymmetric encryption. Also the HMAC hash signatures were tested to see how long
it would take to do a brute force attack on them. It was discovered that approximately
21,093 keys were processed every second, this was then compared to the key entropy
The purpose of this thesis is to capture the data flowing in a network, and to analyze it to find malicious packets carrying SQL injection attacks. It aims to detect these attacks as the attacker can compromise a server simply using the web browser and for it can cause severe damage such as losing data from a database or even changing the values. The literature review section shows that previous methods of detection have used anomaly detection, where as this thesis uses a novel metric-based system, which measures the threat level of a URL. In creating a prototype of the system, an application was created to detect malicious packets using the C# language with Microsoft Visual Studio 2005. WinPcap is used for capturing the network packets that are flowing through the network interface in promiscuous mode. This application was developed based on the idea of capturing the packets and comparing them for the malicious keywords that are used for SQL injection attacks. The keywords, such as SELECT, DELETE, OR, and FROM are assigned with a malicious metric value, along with possible threats in the URL from certain characters, such as „=‟ and a single quote character. When the resulting summation value reaches more than a given threshold, the application alerts the user that it found an injection attack. The thesis presents different weights for these threat elements, and produces an overall threat level. Several tests have been conducted for analyzing the threshold value. These have been are conducted using over 1,000 URL strings that have been captured from normal traffic, and some have been injected with malicious keywords. It has been found that the application successful captures all the malicious strings, but it also resulted in false positives for strings that are not malicious. For a run of 1,000 URLs, it detected 10 true-positives, and 30 false-positives. It concludes with a critique of the application is made, along with suggesting the future improvements that can make the application to improve performance. For future work, the thesis presents methods that could improve the metric system.
The aim of this project is to provide a patient-centric prototype distributed system that can demonstrate approaches to reducing complexity through data and interface integration; increasing visibility through relevant role based information targeting; and reducing administrative overhead through electronic workflow. This report examines the history of IT strategies in the NHS, identifying some of the key aims from 1992 to 2008. It then discusses some of the standards defined to allow differing systems to communicate and highlights some of the existing IT systems in healthcare today. The system design allows patients to interact with the in same way as healthcare professional, it provides access to personal space that displays tasks for the patient or healthcare professional to complete. Data integration is used to build a patient record from local and disparate data sources. Information targeting allows the patient or healthcare professional to visit an area that only displays information relevant to the person there. Finite State Machine methodologies are used to design an electronic workflow, which maps a business process of making a referral. Using the Microsoft Office SharePoint Server information management framework, data integration is achieved through XML definition and the gathering of meta-data (Hoffman and Foster, 2007) . Information targeting is achieved through personalised filtering and security permission modelling (Holiday et al. , 2007) ; workflow is accomplished through the application of design; manipulation of the framework and dedicated workflow (Mann, 2007) code libraries built on top of popular ASP.NET web server technology (Walther, 2006). This project finds that whilst it is possible to implement these approaches in theoretical context, more research is required into the application of such approaches in real world scenarios. In addition this report finds that software boundaries within the framework suggest the capacity for vast record user, security and management (Curry et al. , 2008) , however, research into the factors that affect these boundaries, such as concurrency and healthcare professional/patient activity on such systems, is required in order extrapolate accurate scalability requirements.
The aim of this project is to identify and analyse different queuing mechanism and mark the traffic flows in real-time VoIP network. A prototype design is created to know the effect of each queuing technique on voice traffic. Voice traffic is marked using DSCP especially Expedited Forwarding (EF) PHB. Using Network monitoring tool (VQ manager) the voice traffic stream is monitored and QoS parameters are measured. QoS parameters are delay, jitter and packet loss. By analysing these QoS parameters, efficiency of each queuing technique is identified. Experiments are performed on data and voice converged IP network. Voice is being sensitive to jitter, delay and packet loss, the voice packets are marked and queued to analyse four different queuing mechanisms such as Priority Queue (PQ), Weighted Fair Queue (WFQ), Class-Based Weighted Fair Queue (CBWFQ) and Low Latency Queue (LLQ). Each queuing mechanism has their own feature, in PQ higher priority queue has strict priority over lower ones [21]. WFQ provides fair queuing, which divides the available bandwidth across queues of traffic flow based on weights [23].CBWFQ is an extended from of WFQ, which guarantees minimum bandwidth based on user-defined traffic classes [19]. LLQ is the combination of PQ and CBWFQ. The outcome of this project is to understand the effect of queuing mechanisms and classifying of traffic. Results obtained from experiment can be used in determining the efficient queuing technique.
The result has been analyzed and collected using the performance counter variables of an operating system and used Microsoft .NET class libraries which help in collecting system’s level performance information as well. This can be beneficial to developers, stakeholders and management to decide the right technology to be used in conjunction with a database. The results and experiments conducted in this project results in the substantial gain in the performance, scalability and availability of component based application using the Microsoft COM+ features like object pooling, application pooling, role- based, transactions isolation and constructor enabled. The outcome of this project is that Microsoft COM+ component based application provides optimized database performance results using the SQL Server. There is a performance gain of at least 10% in the COM+ based application as compared to the Non COM+ based application. COM+ services features come at the performance penalty. It has been noticed that there is a performance difference between the COM+ based application and the application based on role based security, constructor enable and transaction isolation of around 15%, 20% and 35% respectively. The COM+ based application provides performance gain of around 15% and 45% on the low and medium volume of data on a .NET Framework 2.0 in comparison to 3.0. There is a significant gain in the COM+ Server based application on .NET Framework 3.0 of around 10% using high volume of data. This depicts that high volume of data application works better with Framework 3.0 as compared to 2.0 on SQL Server. The application performance type results represents that COM+
component based application provides better performance results
over Non-COM+ and .NET based application. The difference between
the performance of COM+ application based on low and medium volume
of data was around 20% and 30%. .NET based application performs
better on the high volume of data results in performance gain
of around 10%.
Name: Bryan Campbell This thesis puts forth a framework to largely automate the process of documenting network topologies. The framework is based on issues raised in recent research concerning the needs of IT administrators, and network discovery methods. An application is also described serving as a proof-of-concept for the central elements of the framework. This application was realized in the Microsoft Visual C# 2005 Express Edition programming environment using the C#.NET language. The compiled result is supported by the .NET Framework 2.0 runtime environment. The application provides for an administrator to control, through a graphical interface, the sequence of discovering a network and outputting visual documentation. For testing, Cisco Systems routers and switches, along with a Microsoft Windows-based laptop, were used to construct a mock network. Measurements of the performance of the application were recorded against the mock network in order to compare it to other methods of network discovery. Central to the application's implementation is a recognition that networks are more likely than not to be heterogeneous. That is, they will be comprised of equipment from more than a one vendor. This assumption focused the choices about the framework design and concept implementation toward open standard technologies. Namely, SNMP was selected for discovery and data gathering. XML is utilized for data storage. Data processing and document production is handled by XSL. Built around these technologies, the application successfully executed its design. It was able to query network devices and receive information from them about their configuration. It next stored that information in an XML document. Lastly, with no change to the source data, HTML and PDF documents were produced demonstrating details of the network. The work of this thesis finds that the open standard tools employed are both appropriate for, and capable of, automatically producing network documentation. Compared to some alternate tools, they are shown to be more capable in terms of speed, and more appropriate for learning about multiple layers of a network. The solution is also judged to be widely applicable to networks, and highly adaptable in the face of changing network environments. The choices of tools for the implementation were all largely foreign to the author. Apart from the prima face achievements, programming skills were significantly stretched, understanding of SNMP architecture was improved, and the basics of these XML languages was gained: XSLT, XPath, and XSL-FO.
Name: Ewan Gunn The current work in the field of anti-virus protection focuses on detecting and removing any malicious software or spyware from a computer. This is proving effective, however it is merely a way of treating the symptoms instead of the illness. This project presents a hypothesis based on these situations, and attempts to prove the effectiveness of a protocol developed specifically to provide preventative measures to stop the spread of malicious software, based on authentication and subsequent authorisation. Tools such as encryption, hashing, and digital certificates were investigated and marked for use in providing the protocol to prove the hypothesis, and a further investigation took place of the common principles in security in the computing paradigm such as the CIA and AAA sets of principles, which provided a specific context within which a protocol could be constructed. A discussion was made of the only protocol that was close to a solution to the hypothesis, Kerberos, along with any usefulness that that protocol might have in the situations the hypothesis is based in. This was followed by a design of a new protocol, consisting of a methodology of protocol design used heavily in industry – that of communication analysis and finite state machines. A further proof-of-concept program was designed as well, to provide a facility to test the effectiveness and efficiency of the protocol. In all design considerations, the evaluation of such a system was a priority, and steps were taken at the design stage to provide an easy method to collect data results. The system was implemented in a proof-of-concept program using an open-source alternative to the .NET framework developed by Microsoft, called mono. This development environment is cross platform and fully compliant with all versions of .NET provided by Microsoft, thereby providing a cross-platform solution to the problem described above. Specific concerns faced in implementation of such a protocol were raised, and measures taken to overcome these concerns presented, along with decisions made on options available in the implementation. An analysis was made of the efficiency of the resulting system, by taking measurements of the time taken between request conception and the subsequent request completion. Baseline measures were made on this using a simple client/server program developed during mplementation that had the option of using the system or not, with the option not to use the system. These were compared to measurements made of the same system, however with the option to use the authorisation service enabled. A conclusion and discussion of the surprising results followed. Lastly a critque of the project is made, along with a discussion of a theoretical situation where this system might prove beneficial; a general discussion on the benefits of promoting preventative measures for malicious software spread and any further work that could be carried out specifically on the id.
Name: Vinoth Kumar Healthcare is one of the industries, where object and location
aware applications are most wanted, particularly in enhancing
patient safety and reducing medical errors by patient identification
(Murphy & Kay, 2004). Unfortunately, healthcare environment
is challenging, where radio interferences are restricted and IT
literacy of the staffs are limited. It gets further challenging
in convincing patients of their privacy and ethical The aim of this project is to review methods involved in object
identification and tracking in wireless sensor networks and to
design and implement a prototype of wireless enabled framework
for object identification and tracking. It is to mainly address
the needs of healthcare and other similar environments. This project
is perused in collaboration with National Health Service (NHS)
- University Hospital Birmingham (UHB), Napier University, ConnectRFID
and other industry partners. Based on onsite observation of IT
infrastructure, and patient identification problems in hospital
environment at UHB/NHS, a framework for object identification
and location tracking is designed, implemented and benchmarked.
It is developed using state-of-the-art tools and technologies
in Visual Studio .NET, C#, MS SQL Server and ZPL for a variety
of suitable equipments chosen to achieve the needs of this system.
To evaluate, the framework is benchmarked for the limitations
and performance using extensive logging of all activities and
round trip times within parts of the framework. The main outcome of this project is a state-of-the-art framework that suits the needs of object identification and tracking within healthcare environment. With minor changes the framework can be implemented in wide range object and location aware application and solutions. Two novel achievement of this work is, the framework is applied for patent protection (Patents, 2006) by NHS MidTECH on behalf UHB NHS and Napier University and contributed to writing and acceptance of a paper in International Journal of Healthcare Technology and Management (Thuemmler et al., 2007). Vinoth now has a job as a Design Analyst in RFID/.NET ... so a great result!
Name: Zhu Chen The implemented facilities of the ANSE framework system are provided
through a Webbased interface, which simplifies the setup and allows
easy access for the academics. In addition, the application provides
an online learning environment with a simple and standard-compliance
Web interface accessible from Internet for students use. To achieve
this, the application’s front-end interfaces were developed
as Website and the back-end facilities were implemented using
Microsoft .Net technology and SQL server database. From the evaluation results analysis of this project, despite the functional weaknesses, the implemented ANSE framework system can be considered as advancement over other commercial router simulator tools in tackling the problems related to the traditional exam/coursework extensive assessment in academic environment. Due to the advantages brought by the Web-based interface, network skills evaluation and student management abilities.
Name: Lee Jackson To test this theory we began by looking into human memory patterns and found that images, faces and text mixed with images all seemed to offer good results concerning human recollection. Further research was undertaken into other possible authentication methods of the future such as biometrics and token-based, as well as looking into previous incarnations of image or graphical password systems. Using the theory research and the findings diagnosed from previous incarnations of the image-based approach, we designed a prototype that could be used to evaluate the possibility of image-based authentication being the main security method of the future. We began by implementing class diagrams to show how the interfaces would connect. The interface layouts were then designed with the emphasis on novel solutions to usability. Five experiments were also designed to test usability, recall, security, methodologies undertaken, how security conscious users were and whether humans were able to remember passwords on multiple image-based interfaces. The application design was then implemented into an image-based authentication system containing three interfaces. The interfaces include a picture-based, facial picture-based and a story-based, which mixes text with images. This application was achieved using Visual Studio .NET, with C# as the programming language of choice. The completed Image-Based Password System prototype was then evaluated using the experiments that had been designed. The results of the experiments showed that recall levels over the three interfaces was just slightly under 90%. The best performers were the Story-Based and Picture-Based interfaces. The results also showed that users were generally quite able to use an image-based system with little difficulty. The main finding of the experiments showed that users were quite able to remember passwords contained on different image-based interfaces. If image-based authentication was to become the security method of the future, it is extremely likely that the interfaces on individual security systems would be different. The experiments showed that the human brain was able to hold passwords on three completely different interfaces successfully.
Name: Christopher Geeringh Many types of systems have different syntax for defining firewall rules, such as Cisco devices which use ACLs and Linux firewalls which use net filters (iptables). The aim of this project is to define a generic firewall syntax, such as the one used in Al-Shaer (2004), and develop and evaluate a compiler which converts the generic format into the platform specific syntax. A basic outline of this has been created by Saliou (2006), and the project will enhance this into form which can be used in a security framework.
The objectives were: Develop a Firewall Rule Compiler and Modeller.
References 1. Al-Shaer et al (2004), Modelling and Management of Firewall Policies. 2. E. Al-Shaer and H. Hamed. “Firewall Policy Advisor for Anomaly Detection and Rule Editing.”
Name: Zbigniew Kwecka Techniques of information hiding in covert channels have been known some time now. By definition it involves hiding information in the medium, which is not usually used for any form of information transfer. For an instance the purpose of the envelope in the standard mail communication is to enclose the message and provide space for addressing. However, even if the messages were under strict surveillance, information hidden under the stamp on the envelope could go unnoticed to the examiner. This is how covert channels operate. They use resources often perceived as safe, and unable to carry data, to hide covert payload. This dissertation investigated Internet protocol stack and identified
Application Layer as the level most vulnerable to covert channel
operations. Out of the commonly used protocols, SMTP, DNS and
HTTP have been recognized as those, which may carry hidden payload
in and out secure perimeters. Thus, HTTP, the protocol which is
often wrongly perceived as text based information transfer protocol,
due to its innocently sounding name was further investigated.
Since there is no tool available on the market for HTTP monitoring,
a set of test tools have been developed in this project using
C# programming language, which is starting to become a new networking
industry standard for application deployment. The analysis of
the current trends in covert channel detection and the statistic
collected on the current implementations of the protocol lead
to design and implementation of suitable HTTP covert channel detection
system. The system is capable of detecting most of the covert
channel implementations, which do not mimic the operation of HTTP
browser driven by a user. However, the experiments also proved
that for a successful system to operate it
Name: Andrew Jameson The process used to achieve this assumes that the level of detail within the ROB carries less significance and can thus be reduced in quality. This is the same as implementing a quantisation table with greater values though one which operates only on a particular area of an image. This dissertation shows that this averaging process can be optimised by considering certain discrete values of pixels and that by a combination of these discrete values the ROB can be graded from the boundary of the image towards the boundary of the ROI. In this manner a standard JPEG image can be processed prior to compression in such a way that the detail within the ROI is preserved while the ROB shows progressively less detail towards the image boundaries. While this process aids the JPEG process it sits outwith the standardised JPEG compression process and thus does not require any additional software or hardware to display an image compressed using this method.
Name: Peter Jackson
Name: HUSSAIN ALI AL SEBEA The aim of this project is to produce a more flexible approach in which agent programs are dispatched to clients (which in turn run static agent programs), allowing them to communicate locally rather than over the network. Thus, this project uses mobile agents which are software agents which can be given an itinerary and migrate to different hosts, interrogating the static agents therein for any suspicious files. These mobile agents are deployed with a list of known mal-ware signatures and their corresponding cures, which are used as a reference to determine whether a reported suspect is indeed malicious. The overall system is responsible for Dynamic Detection and Immunisation of Mal-ware using Mobile Agents (DIMA) on peer to peer (P2P) systems. DIMA is be categorised under Intrusion Detection Systems (IDS) and deals with the specific branch of malicious software discovery and removal. DIMA was designed using Borland Delphi to implement the static agent due to its seamless integration with the Windows operating system, whereas the mobile agent was implemented in Java, running on the Grasshopper mobile agent environment, due to its compliance with several mobile agent development standards and in-depth documentation. In order to evaluate the characteristics of the DIMA system a number of experiments were carried out. This included measuring the total migration time and host hardware specification and its effect on trip timings. Also, as the mobile agent migrated, its size was measured between hops to see how this varied as more data was collected from hosts. The main results of this project show that the time the mobile agent took to visit all predetermined hosts increased linearly as the number of hosts grew (the average inter-hop interval was approximately 1 second). It was also noted that modifications to hardware specifications in a group of hosts had minimal effect on the total journey time for the mobile agent. Increasing a group of host’s processor speeds or RAM capacity made a subtle difference to round trip timings (less than 300 milliseconds faster than a slower group of hosts). Finally, it was proven that as the agent made more hops, it increased in size due to the accumulation of statistical data collected (57 bytes after the first hop, and then a constant increase of 4 bytes per hop thereafter). Others:
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
The
specification of Internet protocol stack was developed to be as
universal as possible, providing various optional features to
the network programmers. Consequently the existent implementations
of this specification use different methods to implement the same
functionality. This created situation where optional fields and
variables are often transmitted only to be ignored or discarded
at the receiving end. It is considered that transmission of these
fields significantly reduces the bandwidth available to data transfers,
however the redesign of the network protocols from various reasons
is considered impossible at the present time, and this downfall
of Internet protocol stack is silently accepted. Since the optional
fields discussed are of no real value anymore, they are often
left unmonitored. This in turn allows for implementation of covert
channels. 
Data
hiding methods can be used by intruders to communicate over
open data channels (Rowland 1996; deVivo, deVivo et al.
1999), and can be used to overcome firewalls, and most other
forms of network intrusion detection systems. In fact, most
detection systems can detect hidden data in the payload,
but struggle to cope with data hidden in the IP and TCP
packet headers, or in the session layer protocol. 
