|
|
Portscan Detection in High-Speed Networks
Kapičák, Daniel ; Kekely, Lukáš (referee) ; Bartoš, Václav (advisor)
In this thesis, I present the method to efficiently detect TCP port scans in very high-speed links. The main idea of this method is to discard most of the handshake packets without loss in accuracy. With two Bloom filters that track active destinations and TCP handshakes, the algorithm can easily discard about 80\% of all handshake packets with negligible loss in accuracy. This significantly reduces both the memory requirements and CPU cost. Next, I present my own extension of this algorithm, which significantly reduces the number of false positives caused by the lack of communication from the server to the client. Finally, I evaluated this algorithm using packet traces and live traffic from CESNET . The result showed that this method requires less than 2 MB to accurately monitor very high-speed links, which perfectly fits in the cache memory of today's processors.
|
|
|
Aggregation of Security Incident Reports
Kapičák, Daniel ; Kováčik, Michal (referee) ; Bartoš, Václav (advisor)
In this thesis, I present analysis of security incident reports in IDEA format from Mentat and their aggregation and correlation methods design and implementation. In data analysis, I show huge security reports diversity. Next, I show design of simple framework and system of templates. This framework and system of templates simplify aggregation and correlation methods design and implementation. Finally, I evaluate designed methods using Mentat database dumps. The results showed that designed methods can reduce the number of security reports up to 90% without loss of any significant information.
|
|
|
Aggregation of Security Incident Reports
Kapičák, Daniel ; Kováčik, Michal (referee) ; Bartoš, Václav (advisor)
In this thesis, I present analysis of security incident reports in IDEA format from Mentat and their aggregation and correlation methods design and implementation. In data analysis, I show huge security reports diversity. Next, I show design of simple framework and system of templates. This framework and system of templates simplify aggregation and correlation methods design and implementation. Finally, I evaluate designed methods using Mentat database dumps. The results showed that designed methods can reduce the number of security reports up to 90% without loss of any significant information.
|
|
|
Portscan Detection in High-Speed Networks
Kapičák, Daniel ; Kekely, Lukáš (referee) ; Bartoš, Václav (advisor)
In this thesis, I present the method to efficiently detect TCP port scans in very high-speed links. The main idea of this method is to discard most of the handshake packets without loss in accuracy. With two Bloom filters that track active destinations and TCP handshakes, the algorithm can easily discard about 80\% of all handshake packets with negligible loss in accuracy. This significantly reduces both the memory requirements and CPU cost. Next, I present my own extension of this algorithm, which significantly reduces the number of false positives caused by the lack of communication from the server to the client. Finally, I evaluated this algorithm using packet traces and live traffic from CESNET . The result showed that this method requires less than 2 MB to accurately monitor very high-speed links, which perfectly fits in the cache memory of today's processors.
|
guest ::
