Bachelor theses
Classification of actions transmitted through encrypted TLS connections
Author
Zdena Tropková
Year
2021
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
doc. Ing. Tomáš Čejka, Ph.D.
Department
Summary
This bachelor's thesis deals with the analysis and flow-based classification of encrypted TLS (Transport Layer Security) traffic. The first part describes an annotated dataset created from real network traffic and analyses of TLS connections. There are six categories of network traffic distinguished in total. The second part of the thesis focuses on the implementation of a classifier utilizing packet and burst information for recognizing actions transmitted over an encrypted connection. The classification results are analyzed and possible reasons for misclassification are discussed. The outcome of the thesis is a prototype that enables the classification of real network traffic.
Classification of traffic transmitted using the QUIC protocol
Author
Andrej Lukačovič
Year
2021
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jan Fesl, Ph.D.
Department
Summary
This work deals with designing and implementing an algorithm capable of classifying encrypted QUIC protocol traffic into several traffic categories. The theoretical part thoroughly analyzes the specification of the QUIC protocol, its operation, and the architecture of flow-based network monitoring infrastructure. In order to create and also evaluate the algorithm, we have created a labeled dataset of QUIC communication. The dataset is then analyzed to identify the essential properties of the individual classes. These properties are then used in the feature vector for the machine learning algorithm, which achieves an accuracy of more than 93 %. As a result, we implemented a prototype capable of accurate QUIC classification that is able to process more than 30 000 flows per second.
Automated Creation of TLS Fingerprinting Database
Author
Anton Aheyeu
Year
2022
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
doc. Ing. Tomáš Čejka, Ph.D.
Department
Summary
This thesis is about the design and implementation of the pytrap module for the NEMEA system which enables the acquisition of information about application process identification using the TLS fingerprinting database. The plugin for the ipfixprobe network flow exporter has been developed to automatically create a TLS fingerprint database, which uses the osquery framework. In the theoretical part, we introduce the basic terms and principles of network monitoring and the TLS protocol, describe how the plugin obtains information about process identification and the process of creating a TLS fingerprinting database. Based on the theoretical part, we have implemented the pytrap module, the plugin for the flow exporter and an additional program for creating a TLS fingerprinting database described in the practical part of the thesis. The test results confirm the functionality and show the success rate of the created module and plugin.
Crypto-currency miner detection from extended IP flow data
Author
Richard Plný
Year
2022
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
This bachelor thesis addresses cryptomining from the security perspective with an emphasis on abusive mining. It explores the possibilities of detection of cryptominers in high-speed computer networks using a flow-based monitoring approach. A setup for continuous traffic capture is proposed and used for creating datasets with real-world miners' traffic. Furthermore, a detection method is proposed, capable of operation on high-speed networks. The proposed solution was implemented as a group of NEMEA modules. Moreover, it was deployed and evaluated on the national network CESNET2 operated by CESNET.
Real-time Network Flow Control using Machine Learning and OVS
Author
Štěpán Šimek
Year
2023
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Tomáš Vondra, Ph.D.
Department
Summary
Real-time communication using online collaboration platforms plays an important role in everyday business operations. Its prioritization in our networks can help mitigate problems imposed by the network's limitations. This thesis aims to design a prioritization solution for real-time protocols. The solution utilizes machine learning for real-time traffic recognition and the Open vSwitch subsystem for prioritization. The solution was designed based on a thorough study of related works. An anonymized network traffic dataset was captured on real-world ISP lines. Additionally, the prioritization software prototype was implemented into the open-source flow exporter IPFIXprobe and tested using a small home-office router, Turris.
Zeek system extension for unirec output
Author
Matyáš Lhota
Year
2024
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Martin Šutovský
Department
Summary
This thesis presents the design and implementation of a Zeek extension that enables organizations with existing Zeek implementations to leverage the capabilities of the NEMEA system. Despite Zeek's comprehensive network monitoring capabilities, compared to NEMEA, it does not natively support Python, which can be used for machine learning analysis. To overcome such shortcomings, the project introduces a plugin that facilitates the export of extended flow statistics to NEMEA, similar to the IPFIXprobe flow exporter. The main challenge is integrating the extension with Zeek's core C++ API and NEMEA framework libraries, which is necessary for an effective individual packet analysis and data export in UniRec format. Extensive testing ensures the extension provides accurate data without disrupting Zeek's overall performance. By introducing this extension, Zeek users can now seamlessly leverage all of NEMEA's capabilities and enhance their security posture.
Implementation of DNS over HTTPS Detector
Author
Ondřej Hrdlička
Year
2024
Type
Bachelor thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Martin Šutovský
Department
Summary
This bachelor thesis describes the creation of a DNS over HTTPS (DoH) network detector integrated within the NEMEA system. Network monitoring tools face challenges in detecting DNS queries since malware creators utilize encrypted DNS protocols. This work focuses on the implementation of a detector that combines three different detection methods: an IP-based blocklist, machine learning classification, and active verification. Evaluation on a real-world dataset demonstrates the effectiveness of the detector in identifying DoH traffic with high accuracy while using only standard flow telemetry. Implementing the proposed detector within the NEMEA framework offers a deployable solution for high-speed networks, which can help prevent numerous security threats.
Master theses
Detection of HTTPS brute-force attacks in high-speed computer networks
Author
Jan Luxemburk
Year
2020
Type
Master thesis
Supervisor
Ing. Karel Hynek
Reviewers
Ing. Tomáš Čejka, Ph.D.
Department
Summary
This thesis presents a review of flow-based network threat detection, with the focus on brute-force attacks against popular web applications, such as WordPress and Joomla. A new dataset was created that consists of benign backbone network traffic and brute-force attacks generated with open-source attack tools. The thesis proposes a method for brute-force attack detection that is based on packet-level characteristics and uses modern machine-learning models. Also, it works with encrypted HTTPS traffic, even without decrypting the payload. More and more network traffic is being encrypted, and it is crucial to update our intrusion detection methods to maintain at least some level of network visibility.
Detection of IoT Malware in Computer Networks
Author
Daniel Uhříček
Year
2021
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
This master thesis deals with the problematics of IoT malware and the possibilities of its detection in computer networks using flow-based monitoring concepts. We exhibit solutions for each of the identified critical aspects of IoT malware network behavior separately. Furthermore, we propose a novel method to discover infected devices using a combination of network indicators. The proposed detection method was implemented in the form of a software prototype capable of processing real network traffic as part of the NEMEA system. The final solution was evaluated both on anonymized captures and up-to-date malware samples.
Classification of SSH protocol communication
Author
Radek Smejkal
Year
2021
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
This work focuses on the issue of SSH protocol encrypted traffic in terms of network security monitoring and its subsequent classification with emphasis on the authentication phase.
The aim of this work is to perform an SSH protocol analysis using intercepted communication and the protocol definition itself to reveal specific features of various situations. The outputs of the analysis are then implemented into a software prototype. The detection algorithm is designed with regard to high throughput so that it is also suitable for high-speed networks, where, for performance reasons, it is not possible to inspect all individual packets.
Captured traffic from a real network is used to evaluate the accuracy of the detector, and in most situations the prototype achieves very accurate results. At the end of the work, possible measures to increase the accuracy in unusual situations or with less common connection parameters are discussed.
Machine-learning based network traffic classification
Author
Matej Hulák
Year
2022
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Department
Summary
This thesis focuses on the aspects and factors which affect the success of network traffic classification using machine learning. The first part of the thesis describes the basics of computer networks and their monitoring, existing classification methods and machine learning principles. The practical part of the thesis explores the possibilities of classifying network traffic using datasets of various features and different machine learning methods. The final part of the thesis deals with the design and development of a classification module for the NEMEA system, which is able to classify extended network flows in real time.
The outcome of this thesis includes an annotated dataset containing extended network flows, a set of experiments exploring the possibilities of classifying network flows, and a classification module for the NEMEA system.
Detection of DNS over TLS covert channels
Author
Lukáš Melcher
Year
2022
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Buček, Ph.D.
Department
Summary
Privacy protection of users in the online world is a frequently discussed topic. However, the DNS protocol is unencrypted and easily readable while sniffing. Several encrypted alternatives have been proposed as a solution. Nevertheless, there are security risks associated with the use of these protocols. This work analyzes encrypted DNS and primarily focuses on the risk of tunneling using DNS over TLS. It also provides an overview of the qualitative characteristics of DoT providers and discusses the suitability of their use in workstation configurations.
The main output is the design and implementation of a prototype of a DoT tunneled-traffic detector. In the end, its success is critically assessed and possibilities for improvement are discussed.
Detection of DNS over HTTPS abuse
Author
Dmitrii Vekshin
Year
2023
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Department
Summary
This study provides a deep analysis of the DNS-over-HTTPS protocol with a focus on DNS-over-HTTPS-related malware. Another part of this work focuses on the problem of DNS-over-HTTPS tunnels and creates a prototype to detect them. The contribution of this work is the introduction of a novel approach to capturing DNS-over-HTTPS tunnel data and the application of this approach to create a world-wide distributed capturing infrastructure that simulates real DNS-over-HTTPS behaviour in different environments.
Detection of VPN traffic using automaton
Author
Jan Jirák
Year
2023
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
This work deals with the issue of VPN traffic detection from the view of network monitoring. An automaton that will perform this detection is designed. After researching other solutions for this problem, a new solution based on an automaton capturing a typical representation of a TCP handshake in real traffic is proposed. This solution is then explored in more detail in a Python prototype based on the data captured by the supervisor. After establishing the theoretical performance on these data, the prototype is implemented into the IPFIXprobe exporter and this implementation is tested again on real data.
Detection of phishing domains in high-speed networks
Author
Jakub Osmani
Year
2024
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Simona Fornůsek, Ph.D.
Department
Summary
This thesis is focused on the issue of phishing domain detection in high-speed networks, based on aggregated flow data of the CESNET network. The practical output of this thesis is a module for the NEMEA traffic analysis system that filters large volumes of data and decides whether a domain is malicious based on a set of indicators. As part of the thesis we also include an analysis of indicators unfit for this task as well as a practical dive into phishing in the Czech Republic.
Network Traffic Analysis Using Weak Indicators
Author
Richard Plný
Year
2024
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
This thesis studies methods for network traffic classification, threat detection, and network security monitoring. Moreover, a new software library called Weak Indication Framework (WIF) is introduced to ease the development of new threat detector systems. The WIF supports systems with high explainability and high performance for high-speed networks. Several detectors are also developed to demonstrate the usability of the WIF. Furthermore, all developed detectors were successfully deployed to the national network CESNET3 with more than half a million users.
QUIC traffic dataset creation and analysis
Author
Andrej Lukačovič
Year
2024
Type
Master thesis
Supervisor
Ing. Karel Hynek, Ph.D.
Reviewers
Ing. Jiří Dostál, Ph.D.
Department
Summary
The primary focus of this thesis is the creation of a QUIC plugin for the IPFIXProbe flow exporting tool, which is capable of decrypting and obtaining various fields from the initial stage of QUIC communication. In a later stage, we also include an analysis that was performed on the dataset created by the plugin. Firstly, a simple analysis was conducted on the captured data. Subsequently, we formulated a hypothesis suggesting that the User Agent and Server Name Indication pair can be used as a unique identifier. The dataset created and partially analyzed in this thesis has been published in a Data-in-Brief Journal article.