National Repository of Grey Literature: 193 records found (records 184 - 193)
Detection of Network Anomalies Based on NetFlow Data
Czudek, Marek ; Bartoš, Václav (referee) ; Kořenek, Jan (advisor)
This thesis describes the use of NetFlow data in systems for detecting disruptions or anomalies in computer network traffic. Various methods for network data collection are described, focusing especially on the NetFlow protocol. Further, various methods for anomaly detection in network traffic are discussed and evaluated, and their advantages and disadvantages are listed. Based on this analysis, one method is chosen, and a test data set is analyzed using it. An algorithm for real-time network traffic anomaly detection is designed based on the outcomes of the analysis. This method was chosen mainly because it enables detection of anomalies even in unlabelled network traffic. The last part of the thesis describes the implementation of the algorithm, as well as experiments performed using the resulting application on real NetFlow data.
HTTP Application Performance Monitoring
Knapik, Martin ; Kováčik, Michal (referee) ; Bartoš, Václav (advisor)
The goal of this bachelor thesis was to create a solution for monitoring and analysing the network performance of an HTTP server using the Nemea framework and NetFlow data. For this purpose, I created a Nemea module for filtering, parsing and saving NetFlow data enhanced by information gained from the HTTP plugin on the exporter. For analysis and the user interface, a web page based on the Django framework was created, which displays statistics that help users reveal problems with monitored servers. The result of my work is a product that demonstrates the possibility of using the Nemea system for passive monitoring of HTTP servers.
Analysis of Security Incidents from Network Traffic
Serečun, Viliam ; Grégr, Matěj (referee) ; Ryšavý, Ondřej (advisor)
Analysis of security incidents has become a very important and interesting field of computer science. Monitoring tools and techniques help in detecting and preventing these malicious activities. This document describes computer attacks and their classification. It also describes some monitoring tools, such as the Intrusion Detection System and the NetFlow protocol with its monitoring software. The document further describes the configuration of an experimental topology and presents several experiments with malicious activities, which were monitored in detail by these monitoring tools.
Automated Development of Network Attack Detectors
Huták, Lukáš ; Kováčik, Michal (referee) ; Žádník, Martin (advisor)
The thesis is focused on automated development of network attack detectors. It describes a design of patterns developed for normal and offensive behaviors based on monitoring the network traffic of selected services. Patterns are represented by statistics, with a focus on suitable metrics. Using machine learning algorithms, attack detectors are created from the behavioral patterns. Finally, a module for the Nemea system was implemented in the C/C++ programming language based on the proposal.
Optimization of NetFlow Data Search Using nfdump
Kubovič, Martin ; Žádník, Martin (referee) ; Bartoš, Václav (advisor)
This bachelor thesis deals with optimization of NetFlow data search using the nfdump tool. The thesis describes the NetFlow protocol and the nfdump tool and proposes a solution using the Bloom filter data structure. The main goal was to optimize data storage and processing in order to be able to search huge amounts of collected data and get results very quickly. The outcome of this thesis is an optimized tool that network administrators can use to search these data and significantly accelerate network monitoring and analysis.
Analysis of Captured DNS Traffic
Hmeľár, Jozef ; Kekely, Lukáš (referee) ; Kováčik, Michal (advisor)
This thesis is focused on the analysis of captured DNS traffic. The introduction gives a basic description of computer networks, DNS and network flows. The work then focuses on analysis of the NetFlow, IPFIX and PCAP formats, and on the analysis and implementation of a tool for analyzing DNS traffic in the C++ programming language. The conclusion is devoted to the results of the implemented tools.
Effective Network Anomaly Detection Using DNS Data
Fomiczew, Jiří ; Žádník, Martin (referee) ; Kováčik, Michal (advisor)
This thesis describes the design and implementation of a system for effective detection of network anomalies using DNS data. Effective detection is accomplished by the combination and cooperation of detectors and detection techniques. Flow data in NetFlow and IPFIX formats are used as input for detection. Packets in pcap format can also be used. The main focus is on detection of DNS tunneling. The thesis also describes the Domain Name System (DNS) and anomalies associated with DNS.
Detection of Dictionary Attacks on Network Services Using IP Flow Analysis
Činčala, Martin ; Grégr, Matěj (referee) ; Matoušek, Petr (advisor)
Existing research suggests that it is possible to detect dictionary attacks using IP flows. This type of detection was successfully implemented for the SSH, LDAP and RDP protocols. To determine whether it is possible to use the same methods of detection for e-mail protocols, a virtual test environment was created. I deduced the characteristics of attacks in flows from the data which I gained from this virtual environment. Then I chose the statistical value that separates the attacks from legitimate traffic. Variance of specific flow parameters was chosen as the main characteristic of attacks. IP addresses with flows that have a small variance of the chosen parameters and a high frequency of packet arrival are considered untrustworthy. Variance is calculated from the IP history to rule out false positives. The IP history of a legitimate user contains a variation of flows, which prevents marking this IP address as dangerous. On the basis of this principle, a script which detects the attacks from the nfdump output was created. The success of attack detection was tested on classified data from a real environment. The results of the tests showed that with a good configuration of marginal values the percentage of detected attacks is high and there are no false positives. Detection is not limited to mail protocols. With regard to its universal design, the script is able to detect dictionary attacks on SSH, LDAP, SIP, RDP, SQL, telnet and some other attacks.
Session Monitoring and Accounting in IMS Networks
Karpíšek, Filip ; Ryšavý, Ondřej (referee) ; Matoušek, Petr (advisor)
This thesis describes protocols used in IP Multimedia Subsystem (IMS) networks. Freely available implementations of the IMS system are described. The main goal is to describe the design and implementation of a tool for analyzing communication between users and the IMS system. The tool seeks and decodes signaling messages. These messages are analyzed for information about sessions, which is necessary for session monitoring and accounting. The final gathered information is exported in the form of extended NetFlow/IPFIX records. We used the open-source Open IMS Core implementation for building the IMS network and creating test data. As endpoints we used another open-source application for Android OS called IMSDroid.
Acquisition of communication statistical data from network infrastructure devices
Gargulák, Lukáš ; Nagy, Ľuboš (referee) ; Krkoš, Radko (advisor)
The diploma thesis describes the theory needed to develop an application for acquisition of communication statistical data from network infrastructure devices. The application is called SDSKSI. The project compares protocols suitable for this purpose. Finally, the SNMP protocol was chosen because it is the most common in network devices. SNMP is described in detail. Each SNMP operation has its own practical demonstration. The project also describes the MIB database and the data types of MIB objects. The application is able to create a network topology, so the network administrator can picture what the network looks like. For each device that supports the SNMP protocol, statistical data are periodically collected and stored, and they can be exported to a file. The programming languages for application development were chosen according to several criteria. The content of the laboratory exercise is presented. At the end of the project there are some system solutions for collecting statistical data. The diploma thesis contains two attachments. The first contains the full text of the laboratory task. The second is a DVD disc containing the ready-to-boot SDSKSI application.
