Ing. Karel Hynek, Ph.D.

Theses

Bachelor theses

Classification of traffic transmitted using the QUIC protocol

Author
Andrej Lukačovič
Year
2021
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jan Fesl, Ph.D.
Summary
This work deals with designing and implementing an algorithm capable of classifying encrypted traffic of the QUIC protocol into several traffic categories. The theoretical part thoroughly analyzes the specification of the QUIC protocol, its operation, and the architecture of flow-based network monitoring infrastructure. In order to create and also evaluate the algorithm, we have created a labeled dataset of QUIC communication. The dataset is then analyzed to identify the essential properties of individual classes. These properties are then used in the feature vector for the machine learning algorithm, which achieves an accuracy of more than 93 %. As a result, we implemented a prototype capable of accurate QUIC classification that is able to process more than 30 000 flows per second.

Crypto-currency miner detection from extended IP flow data

Author
Richard Plný
Year
2022
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Summary
This bachelor thesis addresses cryptomining from the security perspective with an emphasis on abusive mining. It explores the possibilities of detection of cryptominers in high-speed computer networks using a flow-based monitoring approach. A setup for continuous traffic capture is proposed and used for creating datasets with real-world miners' traffic. Furthermore, a detection method is proposed, capable of operation on high-speed networks. The proposed solution was implemented as a group of NEMEA modules. Moreover, it was deployed and evaluated on the national network CESNET2 operated by CESNET.

Real-time Network Flow Control using Machine Learning and OVS

Author
Štěpán Šimek
Year
2023
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Tomáš Vondra, Ph.D.
Summary
Real-time communication using online collaboration platforms plays an important role in everyday business operations. Its prioritization in our networks can help mitigate problems imposed by the network's limitations. This thesis aims to design a prioritization solution for real-time protocols. The solution utilizes machine learning for real-time traffic recognition and the Open vSwitch subsystem for prioritization. The solution was designed based on a thorough study of related works. An anonymized network traffic dataset was captured on real-world ISP lines. Additionally, the prioritization software prototype was implemented into the open-source flow exporter IPFIXprobe and tested using a small home-office Turris router.

Classification of actions transmitted through encrypted TLS connections

Author
Zdena Tropková
Year
2021
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
doc. Ing. Tomáš Čejka, Ph.D.
Summary
This bachelor's thesis deals with the analysis and flow-based classification of encrypted TLS (Transport Layer Security) traffic. The first part describes an annotated dataset created from real network traffic and analyses of TLS connections. There are six categories of network traffic distinguished in total. The second part of the thesis focuses on the implementation of a classifier utilizing packet and burst information for recognizing actions transmitted over an encrypted connection. The classification results are analyzed and possible reasons for misclassification are discussed. The outcome of the thesis is a prototype that enables the classification of real network traffic.

Automated Creation of TLS Fingerprinting Database

Author
Anton Aheyeu
Year
2022
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
doc. Ing. Tomáš Čejka, Ph.D.
Summary
This thesis is about the design and implementation of the pytrap module for the NEMEA system which enables the acquisition of information about application process identification using the TLS fingerprinting database. The plugin for the ipfixprobe network flow exporter has been developed to automatically create a TLS fingerprint database, which uses the osquery framework. In the theoretical part, we introduce the basic terms and principles of network monitoring and the TLS protocol, describe how the plugin obtains information about process identification and the process of creating a TLS fingerprinting database. Based on the theoretical part, we have implemented the pytrap module, the plugin for the flow exporter and an additional program for creating a TLS fingerprinting database described in the practical part of the thesis. The test results confirm the functionality and show the success rate of the created module and plugin.

Master theses

Detection of DNS over TLS covert channels

Author
Lukáš Melcher
Year
2022
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Buček, Ph.D.
Summary
Privacy protection of users in the online world is a frequently discussed topic. However, the DNS protocol is unencrypted and easily readable when sniffed. Several encrypted alternatives have been proposed as a solution. Nevertheless, there are security risks associated with the use of these protocols. This work analyzes encrypted DNS and primarily focuses on the risk of tunneling using DNS over TLS. It also provides an overview of the qualitative characteristics of DoT providers and discusses the suitability of their use in workstation configurations. The main output is the design and implementation of a prototype of a DoT tunneled traffic detector. In the end, its success is critically assessed and possibilities for improvement are discussed.

Detection of HTTPS brute-force attacks in high-speed computer networks

Author
Jan Luxemburk
Year
2020
Type
Master thesis
Supervisor
Ing. Karel Hynek
Reviewers
Ing. Tomáš Čejka, Ph.D.
Summary
This thesis presents a review of flow-based network threat detection, with the focus on brute-force attacks against popular web applications, such as WordPress and Joomla. A new dataset was created that consists of benign backbone network traffic and brute-force attacks generated with open-source attack tools. The thesis proposes a method for brute-force attack detection that is based on packet-level characteristics and uses modern machine-learning models. Also, it works with encrypted HTTPS traffic, even without decrypting the payload. More and more network traffic is being encrypted, and it is crucial to update our intrusion detection methods to maintain at least some level of network visibility.

Machine-learning based network traffic classification

Author
Matej Hulák
Year
2022
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Summary
This thesis focuses on the aspects and factors which affect the success of network traffic classification using machine learning. The first part of the thesis describes the basics of computer networks and their monitoring, existing classification methods and machine learning principles. The practical part of the thesis explores the possibilities of classifying network traffic using datasets of various features and different machine learning methods. The final part of the thesis deals with the design and development of a classification module for the NEMEA system, which is able to classify extended network flows in real time. The outcome of this thesis includes an annotated dataset containing extended network flows, a set of experiments exploring the possibilities of classifying network flows, and a classification module for the NEMEA system.

Classification of SSH protocol communication

Author
Radek Smejkal
Year
2021
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Summary
This work focuses on the issue of SSH protocol encrypted traffic in terms of network security monitoring and its subsequent classification, with emphasis on the authentication phase. The aim of this work is to perform an SSH protocol analysis using intercepted communication and the protocol definition itself to reveal specific features of various situations. The outputs of the analysis are then implemented into a software prototype. The detection algorithm is designed with regard to high throughput so that it is also suitable for high-speed networks, where, for performance reasons, it is not possible to inspect all individual packets. Captured traffic from a real network is used to evaluate the accuracy of the detector, and in most situations the prototype achieves very accurate results. At the end of the work, possible measures to increase the accuracy in unusual situations or with less common connection parameters are discussed.

Detection of VPN traffic using automaton

Author
Jan Jirák
Year
2023
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Summary
This work deals with the issue of VPN traffic detection from the view of network monitoring. An automaton that will perform this detection is designed. After researching other solutions for this problem, a new solution based on an automaton capturing a typical representation of a TCP handshake in real traffic is proposed. This solution is then explored in more detail in a Python prototype based on the data captured by the supervisor. After establishing the theoretical performance on these data, the prototype is implemented into the IPFIXprobe exporter and this implementation is tested again on real data.

Detection of DNS over HTTPS abuse

Author
Dmitrii Vekshin
Year
2023
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Summary
This study provides a deep analysis of the DNS-over-HTTPS protocol, focusing on DNS-over-HTTPS related malware. Another part of this work focuses on the problem of DNS-over-HTTPS tunnels and creates a prototype to detect them. The contribution of this work is the introduction of a novel approach to capturing DNS-over-HTTPS tunnel data and the application of this approach to create a worldwide distributed capturing infrastructure that simulates real DNS-over-HTTPS behaviour in different environments.

Detection of IoT Malware in Computer Networks

Author
Daniel Uhříček
Year
2021
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Summary
This master thesis deals with the problem of IoT malware and the possibilities of its detection in computer networks using flow-based monitoring concepts. We exhibit solutions for each of the identified critical aspects of IoT malware network behavior separately. Furthermore, we propose a novel method to discover infected devices using a combination of network indicators. The proposed detection method was implemented in the form of a software prototype capable of processing real network traffic as part of the NEMEA system. The final solution was evaluated both on anonymized captures and on up-to-date malware samples.

Detection of phishing domains in high-speed networks

Author
Jakub Osmani
Year
2024
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Summary
This thesis is focused on the issue of phishing domain detection in high-speed networks, based on aggregated flow data of the CESNET network. The practical output of this thesis is a module for the NEMEA traffic analysis system that filters large volumes of data and decides whether a domain is malicious based on a set of indicators. As part of the thesis, we also include an analysis of indicators unfit for this task as well as a practical dive into phishing in the Czech Republic.