Augmented DDoS Mitigation with Reputation Scores
Autoři
Jánský, T.; Čejka, T.; Žádník, M.; Bartoš, V.
Rok
2018
Publikováno
Proceedings of the 13th International Conference on Availability, Reliability and Security. New York: ACM, 2018. ARES 2018. ISBN 978-1-4503-6448-5.
Typ
Stať ve sborníku
Pracoviště
Anotace
Network attacks, especially DoS and DDoS attacks, are a significant threat for all providers of services or infrastructure. The biggest attacks can paralyze even large-scale infrastructures of worldwide companies. Attack mitigation is a complex issue studied by many researchers and security companies. While several approaches were proposed, there is still space for improvement. This paper proposes to augment existing mitigation heuristic with knowledge of reputation score of network entities. The aim is to find a way to mitigate malicious traffic present in DDoS amplification attacks with minimal disruption to communication of legitimate traffic.
P4-To-VHDL: Automatic generation of high-speed input and output network blocks
Autoři
Benáček, P.; Puš, V.P.; Kubátová, H.; Čejka, T.
Rok
2018
Publikováno
Microprocessors and Microsystems. 2018, 56 22-33. ISSN 0141-9331.
Typ
Článek
Pracoviště
Anotace
High-performance embedded architectures typically contain many stand-alone blocks which communicate and exchange data; additionally a high-speed network interface is usually needed at the boundary of the system. The software-based data processing is typically slow which leads to a need for hardware accelerated approaches. The problem is getting harder if the supported protocol stack is rapidly changing. Such problem can be effectively solved by the Field Programmable Gate Arrays and high-level synthesis which together provide a high degree of generality. This approach has several advantages like fast development or possibility to enable the area of packet-oriented communication to domain oriented experts. However, the typical disadvantage of this approach is the insufficient performance of generated system from a high-level description. This can be a serious problem in the case of a system which is required to process data at high packet rates. This work presents a generator of high-speed input (Parser) and output (Deparser) network blocks from the P4 language which is designed for the description of modern packet processing devices. The tool converts a P4 description to a synthesizable VHDL code suitable for the FPGA implementation. We present design, analysis and experimental results of our generator. Our results show that the generated circuits are able to process 100 Gbps traffic with fairly complex protocol structure at line rate on Xilinx Virtex-7 XCVH580T FPGA. The approach can be used not only in networking devices but also in other applications like packet processing engines in embedded cores because the P4 language is device and protocol independent.
Enhanced Flow Monitoring with P4 Generated Flexible Packet Parser
Autoři
Čejka, T.; Velan, P.; Havránek, J.; Benáček, P.
Rok
2018
Publikováno
Proceedings of the 12th International Conference on Autonomous Infrastructure, Management and Security. Laxenburg: International Federation for Information Processing, 2018. p. 21-32. ISBN 978-3-903176-12-6.
Typ
Stať ve sborníku
Pracoviště
Anotace
Passive network flow monitoring provides visibility into network traffic. It is necessary for many applications such as accounting, network management, and security. As its origins are in packet switching and routing devices, the common flow exporter implementations process only necessary packet headers. Link layer protocols are often skipped, and only the first network and transport layer headers are used to construct flow records. However, the network traffic is gradually becoming much more complex as new protocols are being used in practice. We present a novel multi-layer flow monitoring approach that handles complex protocol encapsulation. To process packets with an arbitrary number of protocols, we have created a new packet parser based on the P4 language, which is easily extensible and widely used in SDN networks. We
argue that the new multi-layer flow monitoring approach provides more precise and detailed statistics about the traffic of overlay networks at a backbone level.
Hunting SIP Authentication Attacks Efficiently
Autoři
Jánský, T.; Čejka, T.; Bartoš, V.
Rok
2017
Publikováno
Security of Networks and Services in an All-Connected World. Basel: Springer, 2017. p. 125-130. ISSN 0302-9743. ISBN 978-3-319-60773-3.
Typ
Stať ve sborníku
Pracoviště
Anotace
Extended flow records with application layer (L7) information allow for detection of various types of malicious traffic. Voice over IP (VoIP) is an example of technology that works on L7 and many attacks against it cannot be reliably detected using just basic flow information. Session Initiation Protocol (SIP), which is commonly used for VoIP signalling, is a frequent target of many types of attacks. This paper proposes and evaluates a novel algorithm for near real time detection of username scanning and password guessing attacks on SIP servers. The detection is based on analysis of L7 extended flow records.
Preserving Relations in Parallel Flow Data Processing
Autoři
Čejka, T.; Žádník, M.
Rok
2017
Publikováno
Security of Networks and Services in an All-Connected World. Basel: Springer, 2017. p. 153-156. ISSN 0302-9743. ISBN 978-3-319-60773-3.
Typ
Stať ve sborníku
Pracoviště
Anotace
Network monitoring produces high volume of data that must be analyzed ideally in near real-time to support network security operations. It is possible to process the data using Big Data frameworks, however, such approach requires adaptation or complete redesign of processing tools to get the same results. This paper elaborates on a parallel processing based on splitting a stream of flow records. The goal is to create subsets of traffic that contain enough information for parallel anomaly detection. The paper describes a methodology based on so called witnesses that helps to scale up without any need to modify existing algorithms.
Making Flow-Based Security Detection Parallel
Autoři
Švepeš, M.; Čejka, T.
Rok
2017
Publikováno
Security of Networks and Services in an All-Connected World. Basel: Springer, 2017. p. 3-15. ISSN 0302-9743. ISBN 978-3-319-60773-3.
Typ
Stať ve sborníku
Pracoviště
Anotace
Flow based monitoring is currently a standard approach suitable for large networks of ISP size. The main advantage of flow processing is a smaller amount of data due to aggregation. There are many reasons (such as huge volume of transferred data, attacks represented by many flow records) to develop scalable systems that can process flow data in parallel. This paper deals with splitting a stream of flow data in order to perform parallel anomaly detection on distributed computational nodes. Flow data distribution is focused not only on uniformity but mainly on successful detection. The results of an experimental analysis show that the proposed approach does not break important semantic relations between individual flow records and therefore it preserves detection results. All experiments were performed using real data traces from Czech National Education and Research Network.
Gateway for IoT Security
Autoři
Čejka, T.; Švepeš, M.; Viktorin, J.
Rok
2017
Publikováno
Proceedings of the 5th Prague Embedded Systems Workshop. Praha: katedra číslicového návrhu, 2017. ISBN 978-80-01-06178-7.
Typ
Stať ve sborníku
Pracoviště
Anotace
In the last years, many devices and systems containing electronics were equipped with communication interfaces and it allowed people to read data from them and control the functionality of the devices remotely. Using the communication interfaces, it was possible to let devices communicate between each other without human interaction. The current state-of-the-art call this phenomenon as an Internet of Things (IoT).
This kind of automation helps people to improve their lives and therefore in many cases people can become dependent on the devices. In some cases, the security of the devices and their communication is crucial. Unfortunately, as some of the manufacturers focus on low price, many devices and technologies are not secured enough.
There is a research project called Secure Gateway for Internet of Things (SIoT) with several participants from the Czech academic institutions. The main goal of the project is a gateway based on open source technologies for secure deployment and operation of IoT devices.
NEMEA: A Framework for Network Traffic Analysis
Autoři
Čejka, T.; Bartoš, V.; Švepeš, M.; Rosa, Z.; Kubátová, H.
Rok
2016
Publikováno
12th International Conference on Network and Service Management. Montreal: IEEE, 2016. p. 195-201. ISSN 2165-963X. ISBN 978-3-901882-85-2.
Typ
Stať ve sborníku
Pracoviště
Anotace
Since network attacks become more sophisticated, it is difficult to discover them using traditional analysis tools. For some kinds of attacks, it is necessary to analyze Application Layer (L7) information in order to detect them. However, there is a lack of existing tools capable of L7 processing and manipulation. Therefore, we propose a flow-based modular Network Measurements Analysis (NEMEA) system to overcome the situation. NEMEA is designed with respect to a stream-wise concept, i. e. data are analyzed continuously in memory with minimal data storage. NEMEA is developed as an open-source project and is publicly available for world-wide community. It is designed for both experimental and operational use. It is able to process off-line traffic traces as well as live network flows. The system is very flexible and can be easily extended by new modules. The modules are developed within a NEMEA framework that is a key component of the project. NEMEA thus represents a unified platform for research and development of new traffic analysis methods. It covers several important topics not limited to analysis and detection. Some of them are described in this paper. Originally, NEMEA has been developed for the purposes of Czech National Research and Education Network operator. Therefore, it is focused on handling high speed network traffic with links working at 100 Gbps.
Building a Feedback Loop to Capture Evidence of Network Incidents
Autoři
Rosa, Z.; Čejka, T.; Žádník, M.; Puš, V.
Rok
2016
Publikováno
12th International Conference on Network and Service Management. Montreal: IEEE, 2016. p. 292-296. ISSN 2165-963X. ISBN 978-3-901882-85-2.
Typ
Stať ve sborníku
Pracoviště
Anotace
Flow measurement is extremely useful in network management, however, in some cases it is vital to observe the packets in full detail. To this end, we propose combining flow measurement, packet capture and network behavioral analysis. The evaluation of the proposed system shows its feasibility even in high-speed network environment.
Analysis of Vertical Scans Discovered by Naive Detection
Autoři
Čejka, T.; Švepeš, M.
Rok
2016
Publikováno
Management and Security in the Age of Hyperconnectivity. Cham: Springer International Publishing, 2016. p. 165-169. 9701. ISSN 0302-9743. ISBN 978-3-319-39813-6.
Typ
Stať ve sborníku
Pracoviště
Anotace
Network scans are very common and frequent events that appear in almost every network. Generally, the scans are quite harmless. Scanning can be useful for network operators, who need to know state of their infrastructures. Contrary, scans can be used also for gathering sensitive information by attackers. This paper describes a simple detection method that was used to detect vertical scans. Our aim is to show results of long-term measurement on backbone network and to show that it is possible to detect scans efficiently even with a simple method. The paper presents several interesting statistics that characterize network behavior and scanning frequency in a large high-speed national academic network.
Detecting Spoofed Time in NTP Traffic
Autoři
Čejka, T.; Robledo, A.
Rok
2016
Publikováno
Proceedings of the 4th Prague Embedded Systems Workshop. Praha: ČVUT FIT, Katedra číslicového návrhu, 2016. pp. 49-52. ISBN 978-80-01-05984-5.
Typ
Stať ve sborníku
Pracoviště
Anotace
Almost every device connected into a computer network uses its own system time. In order to maintain precise system time, various time synchronization protocols are used. Such protocols allow for automatic adaptation of system time to keep it precise as much as possible. This paper deals with detection of possible exploit of vulnerability of the mostly used Network Time Protocol (NTP). Using spoofed NTP messages, an attacker is able to modify the system time of victims. Bad system time might lead to crucial security threats such as usage of already-expired certificated or cache poisoning or clearing.
Overload-resistant Network Traffic Analysis
Autoři
Švepeš, M.; Čejka, T.
Rok
2016
Publikováno
Proceedings of the 4th Prague Embedded Systems Workshop. Praha: ČVUT FIT, Katedra číslicového návrhu, 2016. pp. 53-58. ISBN 978-80-01-05984-5.
Typ
Stať ve sborníku
Pracoviště
Anotace
Flow-based monitoring is currently a leading approach of network security analysis. A flow record is an aggregated information about network traffic. Since various network attacks use just a few packets per flow, the advantage of aggregation is seriously limited. As a side effect, monitoring infrastructure and analysis system are affected. This paper proposes an overload-resistant architecture of the detection system that would overcome high load of flow records in time of attack.
Nemea: Searching for Botnet Footprints
Autoři
Čejka, T.; Bodó, R.; Kubátová, H.
Rok
2015
Publikováno
Proceedings of the 3rd Prague Embedded Systems Workshop. Praha: ČVUT FIT, Katedra číslicového návrhu, 2015. pp. 11-16. ISBN 978-80-01-05776-6.
Typ
Stať ve sborníku
Pracoviště
Anotace
Malicious network traffic originated by malware means a serious threat. Current malware is designed to hide itself from the eyes of victim users as well as network administrators. It is very difficult or impossible to discover such traffic using traditional ways of flow-based monitoring. This paper describes a network traffic analysis of a backbone network as an attempt to discover infected devices. Cooperation with forensic laboratory and analysis of samples of malware allow to gain information that can lead to find unwanted traffic. Special tailored Nemea framework with high speed monitoring pipeline was used to discover infected devices on the network.
Easy configuration of NETCONF devices
Autoři
Alexa, D.; Čejka, T.
Rok
2015
Publikováno
Proceedings of the 3rd Prague Embedded Systems Workshop. Praha: ČVUT FIT, Katedra číslicového návrhu, 2015. pp. 3-9. ISBN 978-80-01-05776-6.
Typ
Stať ve sborníku
Pracoviště
Anotace
It is necessary for developers of devices or systems to supply a user interface that can be used for control and monitoring. Visualisation of device’s configuration and state data belongs to non-trivial tasks as well as preparation of easy mechanism of configuration for end users. This paper is focused on universal graphical user interface for NETCONF protocol NetopeerGUI that is developed as an open-source project.NetopeerGUI is based on usage of standard technologies such as configuration protocol NETCONF and modeling language Yang, oth standardized by IETF. NetopeerGUI is a NETCONF client that can be easily used as a user interface for configuration and control of any device supporting NETCONF protocol. NetopeerGUI provides basic universal way of data presentation that helps developers to concentrate on device development. This paper proposes NetopeerGUI as an interface that can be deployed on a system to supply remote configuration and monitoring through the web browser and that can increase the speed of development process.
Using Application-Aware Flow Monitoring for SIP Fraud Detection
Autoři
Čejka, T.; Bartoš, V.; Truxa, L.; Kubátová, H.
Rok
2015
Publikováno
Intelligent Mechanisms for Network Configuration and Security. Cham: Springer International Publishing, 2015. p. 87-99. ISSN 0302-9743. ISBN 978-3-319-20033-0.
Typ
Stať ve sborníku
Pracoviště
Anotace
Flow monitoring helps to discover many network security threats targeted to various applications or network protocols. In this paper, we show usage of the flow data for analysis of a Voice over IP (VoIP) traffic and a threat detection. A traditionally used flow record is insufficient for this purpose and therefore it was extended by application-layer information. In particular, we focus on the Session Initiation Protocol (SIP) and the type of a toll-fraud in which an attacker tries to exploit poor configuration of a private branch exchange (PBX). The attacker’s motivation is to make unauthorized calls to PSTN numbers that are usually charged at high rates and owned by the attacker. As a result, a successful attack can cause a significant financial loss to the owner of PBX. We propose a method for stream-wise and near real-time analysis of the SIP traffic and detection of the described threat. The method was implemented as a module of the Nemea system and deployed on a backbone network. It was evaluated using simulated as well as real attacks.
Stream-wise Detection of Surreptitious Traffic over DNS
Autoři
Čejka, T.; Rosa, Z.; Kubátová, H.
Rok
2014
Publikováno
2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD) (CAMAD 2014). Pomona, California: IEEE Communications Society, 2014. p. 300-304. ISSN 2378-4865. ISBN 978-1-4799-5725-5.
Typ
Stať ve sborníku
Pracoviště
Anotace
The Domain Name System (DNS) belongs to crucial services in a computer network. Because of its importance, DNS is usually allowed in security policies. That opens a way to break policies and to transfer data from/to restricted area due to misusage of a DNS infrastructure. This paper is focused on a detection of communication tunnels and other anomalies in a DNS traffic. The proposed detection module is designed to process huge volume of data and to detect anomalies at near real-time. It is based on combination of statistical analysis of several observed features including application layer information. Our aim is a stream-wise processing of huge volume of DNS data from backbone networks. To achieve these objectives with minimal resource consumption, the detection module uses efficient extended data structures. The performance evaluation has shown that the detector is able to process approximately 511 thousand DNS flow records per second. In addition, according to experiments, a tunnel that lasts over 30 seconds can be detected in a minute. During the on-line testing on a real traffic from production network, the module signalized on average over 60 confirmed alerts including DNS tunnels per day.
Change-point detection method on 100 Gb/s ethernet interface
Autoři
Benáček, P.; Blažek, R.; Čejka, T.; Kubátová, H.
Rok
2014
Publikováno
Architectures for Networking and Communications Systems (ANCS), 2014 ACM/IEEE Symposium on. New York: ACM, 2014. p. 245-246. ISBN 978-1-4503-2839-5.
Typ
Stať ve sborníku
Anotace
This paper deals with hardware acceleration of statistical methods for detection of anomalies on 100Gb/s Ethernet. The approach is demonstrated by implementing a sequential Non-Parametric Cumulative Sum (NP-CUSUM) procedure. We use high-level synthesis in combination with emerging software defined monitoring (SDM) methodology for rapid development of FPGA-based hardware-accelerated network monitoring applications. The implemented method offloads detection of network attacks and anomalies directly into an FPGA chip. The parallel nature of FPGA allows for simultaneous detection of various kinds of anomalies. Our results show that hardware acceleration of statistical methods using the SDM concept with high-level synthesis from C/C++ is possible and very promising for traffic analysis and anomaly detection in high-speed 100Gb/s networks.
FPGA Accelerated Change-Point Detection Method for 100 Gb/s Networks
Autoři
Čejka, T.; Kekely, L.; Benáček, P.; Blažek, R.; Kubátová, H.
Rok
2014
Publikováno
MEMICS proceedings. Brno: NOVPRESS, 2014. pp. 40-51. ISBN 978-80-214-5022-6.
Typ
Stať ve sborníku
Anotace
The aim of this paper is a hardware realization of a statistical anomaly detection method as a part of high-speed monitoring probe for computer networks. The sequential Non-Parametric Cumulative Sum (NP-CUSUM) procedure is the detection method of our choice and we use an FPGA based accelerator card as the target platform. For rapid detection algorithm development, a high-level synthesis (HLS) approach is applied. Furthermore, we combine HLS with the usage of Software Defined Monitoring (SDM) framework on the monitoring probe, which enables easy deployment of various hardware-accelerated monitoring applications into high-speed networks. Our implementation of NP-CUSUM algorithm serves as hardware plug-in for SDM and realizes the detection of network attacks and anomalies directly in FPGA. Additionally, the parallel nature of the FPGA technology allows us to realize multiple different detections simultaneously without any losses in throughput. Our experimental results show the feasibility of HLS and SDM combination for effective realization of traffic analysis and anomaly detection in networks with speeds up to 100 Gb/s.