Národní úložiště šedé literatury (National Repository of Grey Literature): 11 records found. Search took 0.01 seconds.
Automated Processing of Operational Logs in the BeeeOn System
Beňo, Marek ; Krobot, Pavel (reviewer) ; Vampola, Pavel (supervisor)
The thesis deals with the processing of operational logs from server applications. The system architecture was designed on the basis of a study of the available technologies. The implementation part describes the design of a unified operational log format and the implementation of a logging library. The installation of the tools, their configuration and their deployment to the server are described next. The result is a system for processing operational logs designed with regard to the future scalability of the system. The system was tested and deployed within the faculty project BeeeOn.
Detection of Cyber Attacks in Local Networks
Sasák, Libor ; Gerlich, Tomáš (reviewer) ; Malina, Lukáš (supervisor)
This bachelor thesis focuses on the detection of attacks in the local network and the use of open source tools for this purpose. The first chapter deals with cyber attacks and also describes some of them. The second chapter focuses primarily on intrusion detection systems in general and also mentions and describes some open source systems. The third chapter briefly deals with the general division of attack detection methods. The fourth chapter introduces and describes the selected tool Suricata, which is also tested in the fifth chapter in the detection of various attacks, during which the behaviour and output of this tool are tracked. In the sixth chapter, the ARPwatch tool is presented and tested for ARP spoofing attack detection. The seventh and eighth chapters deal with the design and successful implementation of an attack detection system that provides output in the form of logs indicating malicious or suspicious traffic on the network. The ninth chapter deals with the design and implementation of the application with a graphical user interface, which clearly presents the mentioned logs and also allows other operations, including the essential control of the detection tools.
Development of Correlation Rules for Detecting Cyber Attacks
Dzadíková, Slavomíra ; Safonov, Yehor (reviewer) ; Martinásek, Zdeněk (supervisor)
The master's thesis deals with the efficient processing of log records and their subsequent analysis using correlation rules. The aim of the thesis was to implement the processing of log records into a structured form, to extract the individual fields of a record using a natural language processing model by solving the question answering task, and to develop correlation rules for detecting malicious behaviour. During the work, two datasets were created, one with records from Windows devices, the other containing records from a Fortigate firewall. Models based on the pre-trained BERT and XLNet architectures were fine-tuned to solve the log parsing problem using the created datasets, and their results were analysed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of the generic Sigma notation was examined. Six rules were created and successfully tested, and were deployed in a custom experimental environment in the Elastic Stack system, with each rule described by the tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
Support for Dynamic Config Reload Inside Rsyslog
Lakatos, Attila ; Češka, Milan (reviewer) ; Rogalewicz, Adam (supervisor)
Logs are one of the most valuable assets when it comes to IT system management and monitoring. As they record every action that took place on a machine, logs provide the insight system administrators need to spot issues that might impact performance, compliance, and security. For this reason, the rsyslog software utility can be used, as it offers the ability to accept inputs from a wide variety of sources, transform them, and output the results to diverse destinations according to a set of rules. One shortcoming the software currently has is that it needs to be restarted in order to modify the rule set. The author of this master's thesis points out what types of problems a user might encounter during this period of time: messages entering the system are lost and TCP/UDP based connections are disturbed, even if no changes are made. The goal of this thesis is to design and implement an option which allows users to dynamically reload the configuration of core components without the need for a full restart. The improvements aim to address the problems raised by the research, as well as to increase performance by reusing already existing resources.
Enhancing Security Monitoring with AI-Enabled Log Collection and NLP Modules on a Unified Open Source Platform
Safonov, Yehor ; Zernovic, Michal
The number of computer attacks continues to increase daily, posing significant challenges to modern security administrators to provide security in their organizations. With the rise of sophisticated cyber threats, it is becoming increasingly difficult to detect and prevent attacks using traditional security measures. As a result, security monitoring solutions such as Security Information and Event Management (SIEM) have become a critical component of modern security infrastructures. However, these solutions still face limitations, and administrators are constantly seeking ways to enhance their capabilities to effectively protect their cyber units. This paper explores how advanced deep learning techniques can help boost security monitoring capabilities by utilizing them throughout all stages of log processing. The presented platform has the potential to fundamentally transform and bring about a significant change in the field of security monitoring with advanced AI capabilities. The study includes a detailed comparison of modern log collection platforms, with the goal of determining the most effective approach. The key benefits of the proposed solution are its scalability and multipurpose nature. The platform integrates an open source solution and allows the organization to connect any event log sources or the entire SIEM solution, normalize and filter data, and use this data to train and deploy different AI models to perform different security monitoring tasks more efficiently.
Application for collecting security event logs from computer infrastructure
Žernovič, Michal ; Dobiáš, Patrik (reviewer) ; Safonov, Yehor (supervisor)
Computer infrastructure runs the world today, so it is necessary to ensure its security and to prevent or detect cyber attacks. One of the key security activities is the collection and analysis of logs generated across the network. The goal of this bachelor thesis was to create an interface to which a neural network can be connected in order to apply deep learning techniques. Embedding artificial intelligence into the logging process brings many benefits, such as log correlation, anonymization of logs to protect sensitive data, or log filtering to optimize a SIEM solution licence. The main contribution is the creation of a platform that allows the neural network to enrich the logging process and thus increase the overall security of the network. The interface acts as an intermediary step that allows the neural network to receive logs. In the theoretical part, the thesis describes log files, their most common formats, standards and protocols, and the processing of log files. It also focuses on the working principles of SIEM platforms and gives an overview of current solutions. It further describes neural networks, especially those designed for natural language processing. In the practical part, the thesis explores possible solution paths and describes their advantages and disadvantages. It also analyzes popular log collectors (Fluentd, Logstash, NXLog) from aspects such as system load, configuration method, supported operating systems, and supported input log formats. Based on the analysis of the solutions and log collectors, an approach to application development was chosen. The interface was created based on the concept of a REST API that works in multiple modes. After receiving the records from the log collector, the application allows saving and sorting the records by origin and offers the user the possibility to specify the number of records that will be saved to the file. The collected logs can be used to train the neural network. In another mode, the interface forwards the logs directly to the AI model. The ingestion and prediction of the neural network are done using threads. The interface has been connected to five sources in an experimental network.
A Tool for Creating Log Message Patterns
Hanus, Igor ; Janoušek, Vladimír (reviewer) ; Smrčka, Aleš (supervisor)
The thesis aims to create a portable web application for processing logs using combinations of Grok patterns and regular expressions to create a pattern for individual log messages with the possibility of exporting them into YAML format that can be processed by the tool Plogchecker. The application was implemented using the React JavaScript library using the TypeScript language. Processing of individual regular expressions is achieved using the Oniguruma library, which is integrated into the application using WebAssembly. The reason for using the Oniguruma library was the incompatibility between regular expression compilers specified by the ECMAScript standard and compilers used for Grok patterns. Automated testing and user testing were conducted, and identified flaws were addressed.