National Repository of Grey Literature
Detection and mitigation of cyber attacks at local area networks
Racka, Jan ; Lieskovan, Tomáš (referee) ; Gerlich, Tomáš (advisor)
The bachelor thesis is focused on the detection and mitigation of flood attacks in local area networks. The thesis can be divided into two parts. The theoretical part first describes flooding attacks. It then discusses the problem of attack detection in depth, including the detection methods that were implemented. Subsequently, detection tools are classified by their location in the network and examples of such tools are given. The last theoretical section is devoted to network mapping methods and topology detection tools. The practical part discusses the design of the IDS and of the test network. The network consists of three end devices, namely the IDS, the victim and the attacker; a MikroTik router provides connectivity between all of them. The IDS is implemented in Python and is composed of individual modules that extend its functionality. The most important is the detection module, which contains detection methods against SYN flood, UDP flood and ICMP flood attacks and one universal comprehensive method against all flood attacks. The ARP scan module allows the IDS to map the network and uses ARP queries to detect the presence of end devices in the network. The learning module simplifies the setup of rules for each detection method by monitoring network traffic over a period of time and then deriving appropriate rule values from the observed data. The SSH module gives the IDS the ability to respond to attacks proactively and to disconnect the attacker from the rest of the network; ARP scanning also uses the SSH module to discover information about guests. The IDS was tested in both virtual and real environments. The results show that the developed detection methods work and that the IDS can stop an attack in a reasonable time. ARP scanning was also tested and, on average, detected new guests in the first pass. The effect of the IDS on communication was also measured and found to be minimal.
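One way to realize the learning module, the per-method detection and the mitigation step described in the abstract, as an added example that is not the thesis's own code: packets are constructed (timestamp, source, kind) records as a sniffer front end would classify them; the threshold rule (mean + 3 × standard deviation of the busiest source per one-second window, with a floor), the names of the functions and the RouterOS forward-chain drop rule used to disconnect the attacker are all assumptions made for this example, since the abstract does not state how the rules are derived or how the SSH module disconnects the host.

```python
"""Added example: a flood detector with a learning phase and a RouterOS block rule.

Packet records are constructed tuples (timestamp_s, src_ip, kind), where kind is
"syn", "udp", "icmp" or "other". Thresholds are derived per method from benign
traffic (assumed rule: mean + k * stdev of the per-window maximum per-source count,
with a floor) and then applied per source and per window; the "all" method counts
every packet and is the universal method covering any flood.
"""
from collections import defaultdict
from statistics import mean, pstdev

KINDS = ("syn", "udp", "icmp")
METHODS = KINDS + ("all",)     # "all" = universal method, counts every packet
WINDOW = 1.0                   # seconds per counting window


def windows(packets, window=WINDOW):
    """Group sorted (ts, src, kind) records into consecutive buckets of `window` seconds."""
    if not packets:
        return []
    start = packets[0][0]
    buckets = defaultdict(list)
    for ts, src, kind in packets:
        buckets[int((ts - start) // window)].append((src, kind))
    return [buckets[i] for i in range(max(buckets) + 1)]


def per_source_counts(bucket):
    """Count packets in one bucket per (src, kind) and per (src, "all")."""
    counts = defaultdict(int)
    for src, kind in bucket:
        if kind in KINDS:
            counts[(src, kind)] += 1
        counts[(src, "all")] += 1
    return counts


def learn_thresholds(benign_packets, k=3.0, floor=10):
    """Learning module: watch benign traffic and set one threshold per method.

    For every window take the busiest source's count for each method; the threshold
    is mean + k * stdev of those maxima, never below `floor`, so that a quiet
    learning period does not produce a threshold of only a few packets.
    """
    series = {m: [] for m in METHODS}
    for bucket in windows(benign_packets):
        counts = per_source_counts(bucket)
        for m in METHODS:
            series[m].append(max((c for (_, kd), c in counts.items() if kd == m), default=0))
    return {m: max(floor, mean(v) + k * pstdev(v)) for m, v in series.items()}


def detect(packets, thresholds):
    """Detection module: return (window_index, src, method) for every threshold violation."""
    alerts = []
    for i, bucket in enumerate(windows(packets)):
        for (src, m), c in sorted(per_source_counts(bucket).items()):
            if c > thresholds[m]:
                alerts.append((i, src, m))
    return alerts


def block_rule(src_ip):
    """Mitigation: RouterOS command the SSH module could send to drop the attacker.

    The abstract only states that the attacker is disconnected; a forward-chain
    drop rule is an assumed way to do it, not the thesis's documented mechanism.
    """
    return (f"/ip firewall filter add chain=forward src-address={src_ip} "
            f'action=drop comment="IDS flood block"')


def make_traffic():
    """Constructed traffic: 10 s of benign chatter from two hosts, plus a copy with a
    300-packet SYN burst from a third host during second 4."""
    benign = []
    for sec in range(10):
        for src in ("192.168.88.10", "192.168.88.11"):
            for j in range(5):
                benign.append((sec + j / 10, src, "syn"))
                benign.append((sec + j / 10 + 0.05, src, "udp"))
            for j in range(2):
                benign.append((sec + 0.3 + j / 10, src, "icmp"))
    benign.sort()
    attack = benign + [(4 + j / 300, "192.168.88.66", "syn") for j in range(300)]
    attack.sort()
    return benign, attack


if __name__ == "__main__":
    benign, attack = make_traffic()
    thresholds = learn_thresholds(benign)
    for window_idx, src, method in detect(attack, thresholds):
        print(f"window {window_idx}: {src} exceeded {method} threshold -> {block_rule(src)}")
```

With the constructed traffic the learned thresholds are 10 packets per window for each per-protocol method and 12 for the universal method; the benign hosts never exceed them, while the bursting host trips both the SYN and the universal method in window 4. The floor matters in practice: a learning period with near-constant traffic yields a standard deviation of zero, and without a floor the threshold would sit right on top of normal load.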
Energy protocol recognition using artificial intelligence
Racka, Jan ; Holasová, Eva (referee) ; Bohačík, Antonín (advisor)
The master's thesis focuses on the classification of secured network traffic of energy protocols using a convolutional neural network. The theoretical part discusses neural networks and their use in network traffic classification. In addition, the energy protocols Modbus, IEC 104, TASE.2, DNP3, GOOSE, SMV and MMS and the DLMS/COSEM standard are analyzed, including their security. In the practical part, a convolutional neural network is implemented to recognize these protocols in their secured versions. Unsecured traffic records from publicly available repositories, from traffic simulators of the listed protocols, and data captured in an energy polygon were used to train the network. TLS and GOOSE converters were developed to obtain secured traffic, which ensured that protocols using the same security mechanisms were secured uniformly. The resulting secured traffic was preprocessed into a two-dimensional format and presented to the network as training input. The input image was created from the application-layer parts of the packets of one energy-protocol session and formatted as a 28 × 28 byte image. The resulting network accuracy on the test data was 95.75 %. The network was further tested on real traffic in the energy polygon, where it correctly recognized several protocols. As a partial objective of the thesis, a classifier of the operational state of a station communicating over IEC 104 secured with TLS was developed. Its task was to recognize the state of the tested station from the encrypted messages alone. The classifier consists of a convolutional neural network whose input is a two-dimensional image built from a sequence of five consecutive packets. The information consists of the interarrival time between packets, the length of the TLS-encrypted application data, and the encrypted application data up to 64 B.
To obtain enough data to train the convolutional network, a simulator of the characteristic messages of each state was developed. After training, the classifier reached an accuracy of 43.05 % on the test data. It was then tested on the test stations, where it was able to distinguish the normal state of the station from events, but could not distinguish certain events of a similar nature from each other.
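The two preprocessing steps the abstract describes, the 28 × 28 byte session image for protocol recognition and the five-packet feature rows (interarrival time, TLS application-data length, first 64 B of ciphertext) for the station-state classifier, as an added example that is not the thesis's code. Only the TLS record layout (content type, version, two-byte length, body) is standard; the function names, the choice to zero-pad short inputs, and the five-packet sample session standing in for IEC 104 over TLS are constructed for this example.

```python
"""Added example: building the two CNN inputs described above from raw bytes.

session_image() turns the application-layer payloads of one session into the
28 x 28 byte grid; feature_window() parses TLS records out of five consecutive
packets and builds the (interarrival time, application-data length, first 64 B)
rows for the station-state classifier. Everything except the TLS record layout
is constructed for this example and is not the thesis's code.
"""

IMG_SIDE = 28
SEQ_LEN = 5
DATA_BYTES = 64
TLS_APPLICATION_DATA = 0x17


def session_image(app_payloads, side=IMG_SIDE):
    """Concatenate application-layer payloads of a session, truncate or zero-pad to
    side*side bytes, and lay them out row by row as byte values 0..255."""
    flat = b"".join(app_payloads)[: side * side]
    flat += bytes(side * side - len(flat))
    return [list(flat[r * side:(r + 1) * side]) for r in range(side)]


def normalize(image):
    """Scale byte values to [0, 1] for the network input."""
    return [[v / 255.0 for v in row] for row in image]


def tls_records(payload):
    """Split a TCP payload into (content_type, body) TLS records; a record whose body
    runs past the end of the payload (segmented record) is skipped rather than guessed."""
    records, i = [], 0
    while i + 5 <= len(payload):
        ctype = payload[i]
        length = int.from_bytes(payload[i + 3:i + 5], "big")
        body = payload[i + 5:i + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, body))
        i += 5 + length
    return records


def packet_features(prev_ts, ts, payload, data_bytes=DATA_BYTES):
    """One row: [interarrival time, encrypted app-data length, first data_bytes bytes, zero padded]."""
    app = b"".join(body for ctype, body in tls_records(payload) if ctype == TLS_APPLICATION_DATA)
    head = app[:data_bytes]
    head += bytes(data_bytes - len(head))
    return [ts - prev_ts, len(app)] + list(head)


def feature_window(packets, seq_len=SEQ_LEN):
    """Rows for the first seq_len (timestamp, tcp_payload) packets; the first row's
    interarrival time is 0 because there is no earlier packet in the window."""
    rows, prev = [], packets[0][0]
    for ts, payload in packets[:seq_len]:
        rows.append(packet_features(prev, ts, payload))
        prev = ts
    return rows


def tls_record(ctype, body):
    """Constructed TLS 1.2-style record: type, version 0x0303, 2-byte length, body."""
    return bytes([ctype, 0x03, 0x03]) + len(body).to_bytes(2, "big") + body


def sample_session():
    """Constructed five-packet TLS session standing in for IEC 104 over TLS; the
    bodies are filler bytes, not real ciphertext."""
    return [
        (0.000, tls_record(0x17, bytes(range(40)))),
        (0.250, tls_record(0x17, bytes(20)) + tls_record(0x17, bytes(30))),   # two records in one segment
        (0.300, tls_record(0x16, bytes(10)) + tls_record(0x17, bytes(100))),  # handshake record is ignored
        (1.300, tls_record(0x17, bytes(16))),
        (1.305, tls_record(0x17, bytes(500))),                               # longer than 64 B, truncated
    ]


if __name__ == "__main__":
    for row in feature_window(sample_session()):
        print(f"iat={row[0]:.3f}s len={row[1]:4d} head={bytes(row[2:10]).hex()}...")
    img = session_image([bytes(range(256)), bytes(1000)])
    print(len(img), "x", len(img[0]), "image, first row:", img[0][:8])
```

Two details worth keeping in mind when reproducing the feature set: the application-data length must be summed over all TLS records in a segment, not read from the first record header, and non-application records (handshake, change_cipher_spec) must be dropped before the first 64 B are taken, otherwise the classifier learns handshake structure rather than the encrypted IEC 104 payload.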