Computer Networks

We work with networks, communication protocols and different types of networks from cable to wireless. We are interested in all things that can transmit zeros and ones from place A to place B as fast as possible. We deal with security and routing in ad-hoc networks, beyond-the-horizon radio communication (at greater distances than the maximum communication distance), self-configuring networks, resilient and so-called non-selfish systems.

Publications

NEMEA: A Framework for Network Traffic Analysis

Authors
Čejka, T.; Bartoš, V.; Švepeš, M.; Rosa, Z.; Kubátová, H.
Year
2016
Published
12th International Conference on Network and Service Management. Montreal: IEEE, 2016. p. 195-201. ISSN 2165-963X. ISBN 978-3-901882-85-2.
Type
Proceedings paper
Annotation
As network attacks become more sophisticated, it is difficult to discover them using traditional analysis tools. For some kinds of attacks, it is necessary to analyze Application Layer (L7) information in order to detect them. However, there is a lack of existing tools capable of L7 processing and manipulation. Therefore, we propose a flow-based modular Network Measurements Analysis (NEMEA) system to overcome this situation. NEMEA is designed with respect to a stream-wise concept, i.e. data are analyzed continuously in memory with minimal data storage. NEMEA is developed as an open-source project and is publicly available to the worldwide community. It is designed for both experimental and operational use. It is able to process off-line traffic traces as well as live network flows. The system is very flexible and can be easily extended by new modules. The modules are developed within the NEMEA framework, which is a key component of the project. NEMEA thus represents a unified platform for research and development of new traffic analysis methods. It covers several important topics not limited to analysis and detection; some of them are described in this paper. Originally, NEMEA was developed for the Czech National Research and Education Network operator. Therefore, it is focused on handling high-speed network traffic with links working at 100 Gbps.

Nemea: Searching for Botnet Footprints

Authors
Year
2015
Published
Proceedings of the 3rd Prague Embedded Systems Workshop. Praha: ČVUT FIT, Katedra číslicového návrhu, 2015. pp. 11-16. ISBN 978-80-01-05776-6.
Type
Proceedings paper
Annotation
Malicious network traffic originated by malware poses a serious threat. Current malware is designed to hide itself from the eyes of victim users as well as network administrators. It is very difficult or impossible to discover such traffic using traditional ways of flow-based monitoring. This paper describes a network traffic analysis of a backbone network as an attempt to discover infected devices. Cooperation with a forensic laboratory and analysis of malware samples allowed us to gain information that can lead to finding unwanted traffic. A specially tailored Nemea framework with a high-speed monitoring pipeline was used to discover infected devices on the network.

System for Anomaly Detection on Computer Networks

Authors
Year
2013
Published
Počítačové architektury a diagnostika - PAD 2013. Plzeň: Západočeská universita, Fakulta aplikovaných věd, 2013, pp. 51-56. ISBN 978-80-261-0270-0.
Type
Proceedings paper
Annotation
The aim of this work is the Nemea system for network traffic analysis and anomaly detection in computer networks. It is a distributed modular system that can be used for comparison of existing detection methods and for easy and rapid development and testing of new detection methods. In this context, an anomaly is understood as a state of the network in which the quality of service is negatively influenced, or in which some security incident occurs (possibly both). These states should be detected and reported as soon as possible to network or system operators. The proposed distributed system must focus on early detection by detection methods implemented as pluggable modules that communicate with each other. In order to minimize the average detection delay and the false alarm rate, the parameters of the detection methods need to be tuned. The design of a mechanism for automatic estimation of optimal parameter values is the aim of my dissertation thesis.

Using Application-Aware Flow Monitoring for SIP Fraud Detection

Authors
Čejka, T.; Bartoš, V.; Truxa, L.; Kubátová, H.
Year
2015
Published
Intelligent Mechanisms for Network Configuration and Security. Cham: Springer International Publishing, 2015. p. 87-99. ISSN 0302-9743. ISBN 978-3-319-20033-0.
Type
Proceedings paper
Annotation
Flow monitoring helps to discover many network security threats targeted at various applications or network protocols. In this paper, we show the use of flow data for analysis of Voice over IP (VoIP) traffic and threat detection. A traditionally used flow record is insufficient for this purpose and was therefore extended by application-layer information. In particular, we focus on the Session Initiation Protocol (SIP) and a type of toll fraud in which an attacker tries to exploit poor configuration of a private branch exchange (PBX). The attacker's motivation is to make unauthorized calls to PSTN numbers that are usually charged at high rates and owned by the attacker. As a result, a successful attack can cause a significant financial loss to the owner of the PBX. We propose a method for stream-wise and near real-time analysis of SIP traffic and detection of the described threat. The method was implemented as a module of the Nemea system and deployed on a backbone network. It was evaluated using simulated as well as real attacks.

Universal module for data aggregation in the NEMEA system

Author
Michal Slabihoudek
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Summary
The main part of this thesis is about the design and implementation of an aggregation module for the existing network detection system NEMEA. The thesis also describes the system environment of the module (i.e., related tools and systems) together with the existing data format used for representation of flow data. The implementation part of the thesis shows important features of the aggregation module. The functionality and performance of the developed module were evaluated, and the test results confirm fulfilment of the requirements and the ability to process data from high-speed networks.

Detection of network attacks of Denial of Service type

Author
Otto Hollmann
Year
2017
Type
Bachelor thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Summary
Denial of Service (DoS) attacks have recently become more frequent and accessible to everyone. Attacks cause discomfort for common users and may also cause financial loss for service providers or internet service providers. This thesis deals with the detection of volumetric attacks based on real-time network flow analysis. It also deals with the emergence of DoS attacks and describes existing solutions. Furthermore, it describes the design of a detection algorithm utilizing historical windows to detect a sudden increase in traffic volume. The detector is implemented as a module for NEMEA, developed by CESNET, an association of legal entities. Implementation details and testing of the resulting detection program are provided as well.

The person responsible for the content of this page: doc. Ing. Štěpán Starosta, Ph.D.