Methods for Network Traffic Classification
Jacko, Michal ; Ovšonka, Daniel (referee) ; Barabas, Maroš (advisor)
This paper deals with the problem of detecting network traffic anomalies and classifying network flows. Based on existing methods, the paper describes the proposal and implementation of a tool which can automatically classify network flows. The tool uses the CUDA platform for network data processing and for computing network flow metrics on the graphics processing unit. Processed flows are subsequently classified by the proposed methods for network anomaly detection.
Eluding and Evasion of IDS Systems
Černý, Marek ; Tobola, Jiří (referee) ; Žádník, Martin (advisor)
This paper analyzes network security devices called intrusion detection (ID) systems. In order to point out possible flaws, ID systems using signature analysis in particular are examined. Based on this, methods to exploit possible vulnerabilities of these systems were designed. These methods were implemented in a simple program for evaluating the efficiency of ID systems. It can be used in a way entirely independent of the particular network attack used in the test.
Implementation Methodology of Network Security in the Software Company
Tomaga, Jakub ; Sopuch, Zbyněk (referee) ; Sedlák, Petr (advisor)
This thesis deals with network security and its deployment in the real environment of a software company. The thesis describes an information management framework with a specific focus on computer networks. A network security policy is designed, as well as network infrastructure modifications intended to increase the level of security. All parts of the solution are also analyzed from a financial point of view.
OMNeT++ Extension with ACL Filtering Module
Suchomel, Tomáš ; Ryšavý, Ondřej (referee) ; Matoušek, Petr (advisor)
This bachelor's thesis describes discrete network simulation in OMNeT++. We explore the effective representation and evaluation of ACL rules using advanced data structures based on interval decision diagrams. OMNeT++ is extended with packet filtering using access control lists. Because ACL filtering is not supported in OMNeT++, it was added as a brand-new module, whose concept and implementation are described here. Practical usage of the implemented module is demonstrated on a simulation of a real, nontrivial network. We also analyse the results of the simulation and verify them by comparison with real network behaviour.
Detection of Malicious Domain Names
Setinský, Jiří ; Perešíni, Martin (referee) ; Tisovčík, Peter (advisor)
The bachelor's thesis deals with the detection of artificially generated domain names (DGA). The generated addresses serve as a means of communication between the attacker and the infected computer. By detecting them, we can identify and track infected computers on the network. The detection itself is preceded by a study of machine learning techniques, which are then applied in the creation of the detector. To create the final classifier in the form of a decision tree, it was necessary to analyze the principle of DGA addresses. Based on their characteristics, the attributes on which the final classifier decides were extracted. After training the classification model on the training set, the classifier was implemented on the target platform NEMEA as a detection module. After final optimizations and testing, we achieved a classifier accuracy of 99%, which is a very positive result. The NEMEA module is ready for real-world deployment to detect security incidents. In addition to the NEMEA module, another model was created to predict the accuracy of datasets with domain names. The model is trained on the characteristics of the dataset and the accuracy of the DGA detector whose behavior we want to predict.
Reputation of Malicious Traffic Sources
Bartoš, Václav ; Lhotka, Ladislav (referee) ; Vozňák, Miroslav (referee) ; Kořenek, Jan (advisor)
An important part of maintaining network security is collecting and processing information about cyber threats, both from the network operator's own detection tools and from third parties. A commonly used type of such information is lists of network entities (IP addresses, domains, URLs, etc.) which were identified as malicious. However, in many cases, the simple binary distinction between malicious and non-malicious entities is not sufficient. It is beneficial to keep other supplementary information for each entity, which describes its malicious activities, and also a summarizing score, which evaluates its reputation numerically. Such a score allows for quick comprehension of the level of threat the entity poses and allows entities to be compared and sorted. The goal of this work is to design a method for such summarization. The resulting score, called Future Maliciousness Probability (FMP score), is a value between 0 and 1, assigned to each suspicious network entity, expressing the probability that the entity will perform some kind of malicious activity in the near future. The scoring is therefore based on the prediction of future attacks. Advanced machine learning methods are used to perform the prediction. Their input is formed by previously received alerts about security events and other relevant data related to the entity. The method of computing the score is first described in a general way, usable for any kind of entity and input data. Then a more concrete version is presented for scoring IPv4 addresses by utilizing alerts from an alert sharing system and supplementary data from a reputation database. This variant is then evaluated on a real-world dataset. In order to obtain a sufficient amount and quality of data for this dataset, a part of the work is also dedicated to the area of security analysis of network data. A framework for the analysis of flow data, NEMEA, and several new detection methods are designed and implemented. An open reputation database, NERD, is also implemented and described in this work. Data from these systems are then used to evaluate the precision of the predictor as well as to evaluate selected use cases of the scoring method.