doc. Ing. Tomáš Čejka, Ph.D.

Specialist supervisor: doc. Ing. Tomáš Čejka, Ph.D.

The aim of this work will be research and development of algorithms for detection, identification, and mitigation of security threats and anomalies in computer networks, especially Internet of Things (IoT). From the perspective of network security, it is necessary to consider the IoT area as a threat not only for IoT devices but also for other devices and services in the Internet, since the IoT network can easily become a source of trouble (as it was observed in recent history). It is necessary to monitor IoT network traffic, derive meta information about the traffic based on events and device behavior, and use such meta information for identification and mitigation of threats, choosing a suitable mitigation strategy.

The goal of the dissertation thesis will be to find suitable ways to create long-term models of communication, which represent negative and positive events, and to use such models for anomaly detection, identification and mitigation of sources of troubles with low latency. Dissertability of this topic is based on non-trivial challenges such as processing and filtering huge volume of network traffic and creation of models of network traffic, discovering anomalies, identification of sources of trouble and choosing correct strategy of mitigation of malicious traffic. Contrary to classic IP networks, the IoT communication lays mainly in specific physical layers. This brings new potential attack vectors that are not detectable using ordinary IP traffic analysis. Therefore, it is needed to find new approaches to IoT traffic monitoring. The base of the work will be a research in the area of statistical methods, probabilistic models, and usage of algorithms of artificial intelligence.

Due to the modern networks bandwidth and on-line monitoring requirements, it is necessary to design and develop algorithms using a decomposition among hardware and software components and to use suitable technologies for hardware acceleration (e.g., FPGA).

The aim of this topic will be a research of algorithms for classification of encrypted network traffic, detection of security threats in high-speed computer networks, and the creation of automatically annotated data sets. Encrypted traffic currently represents a big challenge for standard monitoring tools, which use mainly unencrypted information extracted from packets. Thus it is an important topic for the scientific community in network security and the professional public. Most network traffic is already encrypted, so it is necessary to explore new sources of information about what is happening on the network. This information is essential for both network operators and security analysts. The aim of this general topic of the dissertation theses is research that uses mainly statistical properties of traffic, which can be calculated in real-time at a speed of above 100Gb/s (using hardware acceleration).

The goal is to research classification and detection algorithms based on machine learning for network processing of IP flows enriched with new statistics and the experimental evaluation of these developed algorithms on the long-term high-speed operation.

The dissertability of the topic is based on the fact that it is a solution to very non-trivial problems, such as processing and filtering large volumes of data, network traffic modeling, finding deviations, identifying attackers, and proper management of mitigation of the detected security incidents. In the field of encrypted traffic analysis, research results from the global scientific community are beginning to emerge, but a sufficiently feasible solution has not yet been published. The basis will be research into the possibilities of using statistical methods, probabilistic models, and artificial intelligence algorithms.

Due to the current speeds of network transmissions and requirements for online monitoring, it is necessary to design and implement algorithms using decomposition into hardware and software and using appropriate hardware acceleration technologies (e.g., FPGA).

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Vojtěch Jirkovský

Department of Software Engineering

doc. Ing. Tomáš Čejka, Ph.D.

Mgr. Rudolf Bohumil Blažek, Ph.D.

Department of Theoretical Computer Science

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Pavel Benáček, Ph.D.

Department of Theoretical Computer Science

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Pavel Benáček, Ph.D.

Department of Theoretical Computer Science

Ing. Tomáš Čejka, Ph.D.

Ing. Pavel Benáček, Ph.D.

Department of Software Engineering

The increasing use of Voice over Internet Potocol (VoIP) in internet telephony comes with a number of security risks. A frequent target of attackers is the Session Initiation Protocol (SIP). This work includes analysis of SIP protocol and more closely describes brute-force attacks which try to breach passwords of VoIP users. The outcome of this thesis is an application that detects these attacks. Description of attacks detected on a live network is also included. The application is implemented as a part of the Network Measurements Analysis (NEMEA) system, which is being developed in CESNET z.s.p.o.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Viktor Černý

Department of Theoretical Computer Science

This thesis deals with automatic recognition of types of devices communicating over a network. Devices in computer networks generate traffic, which can be captured as traffic flows. In my work, I have designed a method which uses traffic flows to classify types of devices. This method consists of measuring statistical properties of traffic flows and using the measured values as an input for support vector machines, an algorithm of machine learning. The main part of this work is focused on implementing this method in the form of a module for the Network Measurements Analysis (NEMEA) system, a software for network traffic analysis and anomaly detection.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Theoretical Computer Science

Denial od Service attacks (DoS) have recently become more frequent and available for everyone. Attacks cause discomfort for common users and may also cause financial loss for service providers or internet service providers. This thesis deals with the detection of volumetric attacks based on real time network flow analysis. It also deals with the emergence of DoS attacks and describes existing solutions. Furthermore, it describes the design of a detection algorithm utilizing historical windows for detection of a sudden increase in traffic size. The detector is implemented as a module for NEMEA developed by CESNET, association of legal entities. Implementation details and testing of the resulting detection program are provided as well.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Viktor Černý

Department of Theoretical Computer Science

Network traffic monitoring is a necessary part of nowadays computer networks administration. Gathered information is not only used to provide basic network functionality and problem detection, but also for security analysis. Due to user privacy and reduction of data volume, approaches based on network flows are used. This work focuses on exporting flow records with application protocol extension. Contribution of this work is a new version of existing open source flow exporter from NEMEA project. This software module was optimized and successfully ported to embedded devices with OpenWrt system. It is possible to create network monitoring probe from low performance cheap home routers and enhance awareness of traffic on network including malicious traffic detection. Besides memory and performance optimizations, the module is extended of capability reading packets from network interface with the libpcap library. Flow cache, that is used to store flow records during the computation, was improved in order to handle application protocol information. The implemented version of the flow exporter contains two new example plugins for parsing HTTP and DNS protocols. In addition, the exporter is now able to export data in the IPFIX format.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Theoretical Computer Science

Assessment of security alerts is a quite difficult task which includes analysis of great amount of events and seeking additional information. One of the systems which handles security events is Network Entity Reputation Database (NERD) developed and led by association CESNET. Based on detected events NERD collects potentially harmful network entities and seeks further relevant information. This bachelor thesis follows up the extension of NERD by gaining additional information about the entities and realization of automatic classification of entities based on their behaviour. The main contribution of this thesis is the design and implementation of the module for classification of entities by the classification rules, which can be configured. The functional and tested solution has been deployed to the production version of NERD system used by security teams.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

DNS (Domain Name System) is a domain name system for translation between domain names and IP addresses. Collection of data from DNS system can be useful for network security. It can help block malware spreading, detect infected hosts, or expand blacklists with malicious domains. The result of this thesis is a system for saving the history of mapping of domain names and IP addresses. The proposed PassiveDNS system imports data from DNS system that are captured from real network communications. Imported data is stored in an aggregate form to avoid the depletion of hardware resources. The system interface allows to access the translation history between individual domain names and specific IP addresses. The system can help detection systems to extend their own databases. The resulting system is integrated into the related projects developed by CESNET a.l.e.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

This thesis deals with the NEMEA system, developed in cooperation of CESNET association and czech universities with the intention of traffic analysis and anomaly detection on CESNET2 network. NEMEA is a modular system, based on real time analysis of network flows. Main goal was to analyze current implementation of NEMEA framework and to design and implement improvements of the libtrap library, based on results of the analysis. The aim was to optimize communication between the most heavily loaded modules, which require high throughput. Essential parts of this thesis are analysis of the libtrap library and redesigning its parts related to data transfer between individual modules. The resulting new version of libtrap has been included in distribution packages of NEMEA framework.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Simona Buchovecká

Department of Computer Systems

This thesis focuses on the analysis of traffic generated by clients communicating with addresses on public blacklists. The main goal was to identify traffic attributes which could be used to differentiate the malicious traffic from benign traffic. The result of this work is a module for the NEMEA system---Evaluator. The module extends the functionality of existing module set blacklistfilter. Evaluator is designed to determine statistics of suspicious traffic and uses results of our measurements to reduce the number of false positive alerts.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Software Engineering

This thesis focuses on creating an interactive console application with the purpose of configuring network devices. This program serves as an alternative to available, but less intuitive solutions. This is achieved mainly by creating a user-friendly interface implemented with the use of the replxx library. The core of the application is a parser generated by the Boost Spirit X3 library. This parser server as an implementation of a generic syntax, which is independent of the type of the configured device. The applications' components are modular, independent of each other, which makes testing very effective.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

This thesis focuses on the network traffic classification and on the creation of a classification module for the NEMEA system. Firstly, the thesis examines the existing tools and classification methods. The theoretical section aims at creating of a classification algorithm along with a classification module for the NEMEA system. The practical section of the thesis describes the creation of the annotated datasets and the module implementation. The final section of the thesis is dedicated to the evaluation of the classification accuracy as well as to the time comlexity of the created module. This thesis resulted in the creation of nine annotated datasets and a fully functional classification module for the NEMEA system, capable of real-time network traffic classification.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

This thesis is about design and implementation of the PassiveAutodiscovery module, which receives information about devices and determines their role in network. Module is designed for an existing network modular system NEMEA. The theoretical part contains a description of how the module obtains information about devices from the network and the practical part contains the design and implementation of the resulting module. The test results confirm functionality and show the time and memory demands of the whole module. Thanks to PassiveAutodiscovery, the user receives basic information about all devices communicating on the measured network, the role of the user in this network, interconnection between devices and network statistics.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Jan Tomášek

Department of Software Engineering

The thesis Support of Microsoft Windows Server in the Czech eduroam Federation contributes to easily use platform Windows Server as a RADIUS server in the Czech eduroam federation. Service eduroam allows students, researchers, and staff from participating institutions to obtain Internet connectivity by Wi-Fi mostly. An institution connecting to eduroam has to run its own RADIUS server. The goal of this thesis was to make an analysis of requirements for connecting an institution to eduroam and inspect the technical capabilities Windows Server offers. Base on these experiences was made a virtual infrastructure RADIUS servers. There were various types of connections and configurations tested. After testing gained experiences in the practical part of the thesis, I extended documentation on the website eduroam.cz.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Department of Digital Design

The thesis is focusing on the issue of state monitoring of network devices. The main goal is to evaluate the newer method of monitoring using Model-Driven Telemetry in comparison with the older method based on the SNMP protocol. The result is a testing collector for collecting, storing and displaying monitored data. Cisco devices are the primary source of data.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Jan Luxemburk

Department of Computer Systems

The TeamViewer application is one of the most prevalent tools for allowing individuals and organisations alike to utilize remote access to manage remote devices, provide complex support to customers or colleagues or to allow access to resources to users working from home or other remote location. Allowing this level of access, however, poses a severe threat to security and needs to be monitored closely. This thesis analyses the TeamViewer application, fo- cusing on its network traffic. Based on this analysis, the thesis proposes a way to detect TeamViewer communication and distinguish between activi- ties in its encrypted traffic utilizing machine learning. TeamViewer detection reached 99.9 % accuracy, while the experiments distinguishing between activ- ities reached at least 84.9 %.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Karel Hynek, Ph.D.

Department of Theoretical Computer Science

This thesis deals with the detection of the Tor anonymity network and the classification of its traffic using machine learning techniques. Statistical properties of network traffic extracted from the network flow data are used for training a variety of supervised learning models. AdaBoost model was the best performing for both the Tor detection and Tor traffic category classification. Machine learning offers a viable approach to detecting Tor traffic, as the final classifier detected 94 % of Tor samples and was 99 % precise in those decisions, with the F-score being 96 %. The second classifier distinguishes between eight traffic categories and does that with an accuracy of 65 %. The results demonstrate that even though Tor encrypts the traffic, some information about the user's activity can still be revealed.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Jiří Smítka

Department of Computer Systems

This thesis explores the problem of high-speed packet flow pre-filtering and processing on OSI layers 2 and 3 for the network security applications. The Data Plane Development Kit (DPDK) framework was chosen for the implementation of the proof-of-concept infrastructure. The goal of this thesis is to design an infrastructure that will solve the problem of preserving packet flows in the load-balancing between the specific network security applications in the high-speed networks in order of [?]100GiB with the access control lists (ACL). Using the DPDK infrastructure, desired speeds were reached with negligible packet drop rates. The results of this thesis enable to further design high-speed network load-balancers that will preserve the packet flows between the network security applications, thus helping these applications to more accurately analyze packet flows. Source codes used for the prefiltering infrastructure can be found as an attachment to this thesis, together with a sample packet flow generator.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Simona Fornůsek, Ph.D.

Department of Information Security

The monitoring of Internet traffic is becoming a necessity due to the requirements of today's world. In my work, I analyze the WireGuard protocol to develop an algorithm to detect it in network traffic. Moverover, the further goal of this work is to detect the category of the traffic passed inside the encrypted tunnel, without knowing the inner contents. In my work, I find that I can detect the presence of WireGuard from the packet data and create a detector for the ipfixprobe flow collector, which is part of the NEMEA framework for network traffic analysis. However, deep packet inspection requires the traffic content to be parsed and is insufficient to reveal the type of traffic contained within. That is where machine learning (ML) comes in. I collected seven (7) categories of data, both in cleartext and encapsulated in the WireGuard protocol. Then, I used several different ML classification algorithms, specifically AdaBoost and LightGBM, to train a decision tree that forms the basis of my models. They are trained to detect both whether the traffic is WireGuard or not and to detect the type of traffic (such as VoIP or web browsing). The result of my work is a functional processing plugin for ipfixprobe, the parameters of machine-learned models trained to detect WireGuard and various classes of traffic from IP flow characteristics, an evaluation of the throughput and precision of the software, and also a traffic dataset.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Tomáš Herout

Department of Computer Systems

Ing. Tomáš Čejka, Ph.D.

Ing. Vojtěch Jirkovský

Department of Software Engineering

This thesis deals with development and extension of NetopeerGUI -- web graphical user interface for network devices management and configuration. NetopeerGUI can communicate with any device which supports NETCONF protocol. NetopeerGUI is an open-source NETCONF client, published on GitHub. NetopeerGUI comes with an easy and intuitive way of device configuration. It hides the internal commands of NETCONF protocol and transforms the configuration into a user friendly look. It simplifies the configuration thanks to an intuitive user interface. It comes with extended possibilities of device configuration and with modularity of the whole application. System NetopeerGUI is implemented in PHP using Symfony2 framework and communicates with Apache web server with mod_netconf module. The system was tested by different test levels. One of them was user testing of app behavior.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Tomáš Herout

Department of Computer Systems

A huge increase of network traffic requires increasing security because of risks of possible financial losses and cases of privacy breach. In Voice over Internet Protocol (VoIP) technology the financial losses can be significant. This text is aimed on security of VoIP particularly security of SIP against scanning attacks and Denial of Service (DoS) attacks. Scanning attacks can be used to get information about network, about devices supporting SIP and about SIP users. DoS attacks can be used to slow down or prevent processing of SIP messages on an attacked device. The detection procedure is based on time series analysis.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Mgr. Rudolf Bohumil Blažek, Ph.D.

Department of Computer Systems

The master thesis describes design and implementation of method for pro- cessing information about network flow. The information is used to generate and preserve graph for communication between network nodes or agregated nodes (subnetworks). The graph is kept in current state by almost real time information processing. The thesis includes design of use for graph structures for traffic monitoring and anomaly detection. The result of the master thesis is the detection method implemented as a module to the NEMEA system. The analysis of network monitoring, network attacks and statistical methods for processing network informations are included.

Ing. Tomáš Čejka, Ph.D.

Mgr. Rudolf Bohumil Blažek, Ph.D.

Department of Computer Systems

Network Time Protocol (NTP) is used for time synchronization in computer networks. When NTP is insecurely configured, it is possible for attackers to manipulate victim's system time. The aim of this thesis is to verify a vulnerability of the widely-used protocol in a simulation environment. The result of the thesis is a created experimental environment for testing the NTP attacks, design of a working detection mechanism and, finally, an implementation of a detection module that works with flow records that are extended by NTP information. The implemented module was integrated and tested with existing NEMEA system.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Pavel Benáček, Ph.D.

Department of Computer Systems

The main goal of this document is the design and implementation of aggregation module for NEMEA Framework. End user will be able to define rules for the module to progress large amount of information and create aggregated recorde for easier following processing.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Pavel Benáček, Ph.D.

Department of Theoretical Computer Science

High-speed networks usually use flow based approaches for network measurement and anomaly detection. When an event is reported, there is no evidence and no information for event verification. This thesis extends flow based detection approach by packet based detection. The proposed system enables to retrieve traffic of suspicious address involved in the reported event and automatically analyze it by packet based monitoring tools.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Theoretical Computer Science

As the speed and the size of computer networks grow, monitoring systems have to process increasing volume of data. Moreover, because of various kinds of security threats, all data must be processed by many detection methods at the same time with limited computational resources. Therefore, it is necessary to develop scalable solutions of monitoring systems allowing for parallel processing huge volume of data. This thesis uses modular and open-source system NEMEA for research in the field of parallel processing. The thesis deals with design, implementation and testing of NEMEA system extension, that allows for deployment in distributed environment. The extension increases throughput of the system using parallel processing. The paralelization is done by splitting a stream of flow records among computational nodes. Working prototype is implemented as a NEMEA module. The thesis further describes a testing environment used for experiments verifying the characteristics of the working prototype. All experiments were performed using real data traces from NREN CESNET2. The thesis is concluded by introducing a scalable architecture of parallel processing using NEMEA system.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Josef Kokeš

Department of Computer Systems

An intrusion detection systems in computer networks detect more security events than can be manually handled. This thesis is concerned with reduction of these security events, which should help security teams process the detected events. The algorithm is customizable for production deployment with configuration parameters. The proposed system reduces the number of security events to single-digit percentages.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

Adminator is an application that is used to manage the network in the National Library of Technology. The application is responsible for management of DHCP, DNS and dynamic VLAN assignment. The aim of this work is to extend the functionality of the application. Planned extensions are monitoring of active network components and monitoring of network infrastructure wiring. It is planned to add functions which allow you to determine which network sockets are active, what is the configuration of interface and where the selected device have been spotted. Tasks like moving of equipment, detection of incorrectly configured interfaces and finding a device with a faulty power source will be easier due to this features.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

RNDr. Radek Krejčí

Department of Software Engineering

The thesis focuses on creating a new method for configuring the modular NEMEA system that is used to analyze computer network traffic and detect anomalies that may occur. The new solution is based on using the sysrepo project as a configuration datastore and as a medium for communication with the running NEMEA system. The issue was solved by an implementation of a new version of its daemon that manages runtime of all the modules within the NEMEA project. The new daemon was designed to use sysrepo. This approach facilitated building a new web graphical user interface on top of sysrepo allowing to manage the running NEMEA system. To make a deployment easier, the solution was built in an environment created with the Docker technology.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

The diploma thesis deals with increasing amount of web application intrusions and aims to develop a web application intrusion detection module for NEMEA system. The module will be continuously analysing network flows and making decisions based on predefined signatures about whether the network flows show signs of ongoing malicious activity targeting a web application. The benefit of the thesis lies in the ability to gather and share intelligence about ongoing malicious activities in their early stages.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Viktor Černý

Department of Computer Systems

This work is focused on security concerns and issues of the Internet of Things (IoT). The first aim is to analyse the actual situation of IoT and to identify vulnerabilities of the wireless sensor network protocols. The second aim is to develop a tool that is able to detect security incidents in communication traffic. The analytical part describes the fog computing concept and new communication architecture. Simultaneously, there are thoroughly explored current IoT protocols including their vulnerabilities. This is followed by the tool design that is ready for the future extension, which is necessary for this rapidly growing area like IoT. During designing, low hardware requirements were emphasised so that it would be possible to deploy the created solution event on IoT gateways with restricted resources. The first result of this work is research of the current IoT state, which is contained in the text of this work. The second result is a modular system that is configurable and customizable for target topology. The created tool is implemented in C++ language and extends the already existing IoT gateway BeeeOn by anomaly detection of the wireless sensor network protocols. The result is a new version of the BeeeOn gateway with the mechanism for attacks detection.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

doc. Ing. Hana Kubátová, CSc.

Department of Computer Systems

Network attacks, especially DoS and DDoS attacks, are a significant threat to all providers of services or infrastructure. The most potent attacks can paralyze even large-scale infrastructures of worldwide companies. The objective of DDoS attacks is usually to flood the target network device or even the network itself with a large number of packets. Such attack results in nondeterministic discarding of network packets. DDoS mitigation strategy based on the recognition of malicious packets is a complex task due to the similarity between legitimate and malicious packets. This thesis proposes a design of a mitigation heuristic which utilizes the knowledge of the so-called reputation score of network entities. The primary objective of this thesis is to integrate the proposed heuristic into a scrubbing center developed by CESNET a.l.e.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

The main part of this thesis is about design and implementation of an aggregation module for the existing network detection system NEMEA. The thesis also describes system environment of the module (i.e., related tools and systems) with existing data format used for representation of flow data. The implementation part of the thesis shows important features of the aggregation module. The functionality and performance of the developed module were evaluated and the test results confirm requirements fulfilment and the ability to process data from high-speed networks.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Viktor Černý

Department of Computer Systems

This thesis deals with implementation of a set of modules for detection of suspicious network traffic with the use of public blacklists. In addition to basic detection, which consists in reporting all network flows, the modules can be used to track additional traffic of clients who communicated with the blacklisted entity. The aim of the thesis is to use the analysis of additionally captured infor- mation about the suspicious clients' traffic for better and more precise decision about the essence/context of communication. This analysis makes it possible to reveal whether the basic detection is not just a false alarm. To capture additional real-time information, a module called adaptive filter, which is one of the main benefits of this thesis, has been created. The work focuses mainly on the use of publicly accessible lists of Command&Control servers as well as on the analysis of the traffic of clients communicating with these servers. All created software tools are part of the open-source NEMEA project, which is used to analyze traffic and detection of security incidents in the national academic network CESNET2.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

This thesis deals with analysis of traffic going from suspicious network addresses and distribution into groups of addresses. The goal of this thesis is to create a system for grouping suspicious network addresses, which are reported together in security reports or show similar behavior. In the thesis, analysis of input data is done along with analysis of systems NERD, NEMEA and Warden. This thesis deals with defining a botnet and division of network attacks. System for grouping suspicious network addresses was designed and implemented in this thesis. This system was tested on test data. System was implemented in Python.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Viktor Černý

Department of Information Security

This thesis analyzes the KRACK attack principle and proposes methods of its detection. Also, it deals with the design, implementation, and testing of a system for detection of the KRACK attack against the 4-way handshake in real-time. In the analytical part of the thesis, first, there are introduced relevant parts of the 802.11 standard which are the target of the attack. Then, the principle of the attack is described, its practical impact and countermeasures. Besides, we map available tools for the detection of device vulnerability to this attack. The thesis is mainly focused on the attack on the 4-way handshake and analyzes the traffic generated during this attack. This malicious traffic is then compared to the standard traffic generated during the 4-way handshake. Based on the monitored traffic and analysis part of the thesis, characteristics for detection of the KRACK attacks are proposed. A system for detection of the 4-way handshake is designed, implemented and successfully tested.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

The goals of this thesis lay among theoretical analysis of the Internet of Things (IoT) concept and its security issues, and practical research and development of a new unique device called "IoT honeypot." The analytical part of the thesis summarizes existing hardware and software solutions and concentrates on Software Defined Radio (SDR) technology, which was used for the de- velopment of IoT honeypot. The developed prototype currently supports a wide-spread Z-Wave protocol. However, the design is universal enough to sup- port other IoT protocols in the future. The motivation of this thesis was to create a device that can collect information about IoT traffic, detect potential attackers, and act as a decoy that complicates attackers to discover and hack real deployed IoT devices, such as sensors, switches, and so on. The result of the thesis is a working IoT honeypot that supports multiple modes of opera- tion (such as passive or interactive mode), and that can be deployed as a part of a Z-Wave infrastructure. It is as a complement to other security tools and mechanisms that increase the security of IoT infrastructure.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Simona Buchovecká

Department of Information Security

Visibility into network traffic is an essential part of network security and security analysis. However, current existing tools usually provide only low-level technical information about the communication of devices. This diploma's thesis explores the possibilities of using several information sources on local networks to deliver high-level meaning and purpose of a network connection that is more understandable by the majority of users. Specifically, this work focuses on combining information from service discovery protocols with traditional IP flow data. As a result, the developed software prototype of the ACID analyzer module processes several information sources and assigns labels, i.e., activities to the network connections. This approach is much more promising than the currently used tools based on just well-known ports and protocols.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Computer Systems

The aim of this thesis is to provide information in a fully automated manner describing the normal operation of a computer network needed for detection, diagnosis and possible mitigation of DDoS attacks. The resulting network profile, extracted from network flow information, consists of an efficiently encoded set of entities which historically communicated with the profiled network and expected levels of traffic flowing through the network. In the first part, History-based IP filtering, the basis of our historical information subsystem, is introduced and set into a broader context of DDoS attack and mitigation methods. The next part explores various storage options of network communication history with focus on space efficiency. Based on the obtained information, Bloom filters are chosen as the most suitable option. The focus is then shifted towards performance evaluation of forecasting models suitable for prediction of expected levels of traffic on the monitored network. The Prophet forecasting model is selected as the most suitable option due to its precision and robustness. The resulting information system, described in the third part, is composed of two main subsystems providing the two network profile information components: a novel and scalable implementation of History-based IP filtering using Bloom filters as the sole data storage and a forecasting subsystem using the Prophet model. The results of a performance measurement, described in the last chapter, show that the implemented system is suitable even for deployments on networks communicating with over a hundred million of distinct network entities which vastly exceeds requirements for its intended deployment.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Information Security

Today, the majority of larger organisations have their own security team whose job is to analyse the network traffic and handle security incidents which could endanger the operation of said organisation. Even though many tools for automatic detection of security incidents exist today, the role of a human analyst is still irreplaceable. Network traffic visualisation tools are capable of showcasing a large amount of data parallelly, utilising the perceptive and cognitive abilities of the analyst who is able to detect various anomalies and unusual traffic patterns visually. The master's thesis addresses the development of a tool for interactively visualising values assigned to IP addresses. Hilbert curve is used for the visualisation as it groups nearby network addresses and ranges together and can present the IPv4 space. For example, the visualisation will help the members of security teams locate address blocks, from which the extensive amounts of harmful traffic originate, thus enables them to react to those situations efficiently. The developed tool is functional, tested on data from the NERD system and deployed as a web service for the members of security teams to be used.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Department of Information Security

This work focuses on usage of P4 high-level language for generation of network security applications. Usage is demonstrated by writing new flow exporter that is based on existing exporter flow_meter. Existing exporter and P4 language are analyzed and key architecture components are identified. These components are packet parser, flow cache, IPFIX flow export component and application protocols parsing plugins. Work proposes proper design of these components by P4 programming constructs. P4 program can be afterwards compiled into C source codes of flow exporter by P4 compiler that contains backend created by this work. Measurements and evaluation show that the created new version of flow exporter is faster than the original one. In addition, it is more flexible and can support much more protocols, since it is automatically generated from P4 language. It is possible to simply add new protocols, change algorithm of flow creation in flow cache, modify flow record and create new application protocols parsing plugins. Generated components were measured separately and were generally slower than their hand optimized versions in existing exporter.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Karel Hynek

Department of Computer Systems

This thesis deals with the possibilities of VPN detection in a network traffic because VPN can be misused to bypass traffic control or for data exfiltration. Based on captured samples of VPN communication, the thesis designs and tests various VPN detection methods. The thesis then implements the detection methods, discusses their advantages and disadvantages and the requirements for their proper functioning. Finally, the thesis tests the detection capabilities of individual detection methods and compares them.

Thesis on DSpace

Ing. Tomáš Čejka, Ph.D.

Ing. Simona Buchovecká

Department of Information Security

This thesis deals with diagnostics of ICS and IoT protocols, specifically CoAP and IEC 61850, using diagnostic engine Distance. It contains an analysis of the aforementioned protocols, analysis of possible error states, and description of security risks. Subsequently, it describes diagnostic engine Distance and the process of creating its rules - configuration files. The core of this work is a detailed study of the protocols, and their possible error states. From this analysis, it subsequently derives diagnostic rules, which describe the protocol as precisely as they can, and they also try to discover possible misconfiguration problems or security incidents. The product of this thesis are Distance configuration files for protocols CoAP and IEC 61850. These files were tested on self-generated and production network traffic.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Simona Fornůsek, Ph.D.

Department of Information Security

This thesis deals with design and implementation of the tool for online packet analysis of network traffic. Main goal is to provide necessarily informations for administrator to ensure, that he can set defence mechanisms for mitigation of DDoS attacks. Tool provides overview of actual structure of the network traffic. It can also identify and recommend mitigation rules to suppress DDoS attack, based on characteristics of volumetric DDoS attacks. Tool for saving data for analysis is using special probability data structures, called sketch, which can effectively store great amount of data with low memory requirements. Performance and functionality of the tool was tested in lab over test data with speed reaching up to 100 Gb/s.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

Ing. Karel Hynek, Ph.D.

Department of Information Security

The Tor project is a well-known anonymization technology. The communication using Tor is based on multiple layers of encryption and randomized routes, which should guarantee a high level of privacy. However, this thesis shows that the privacy of Tor is quite limited when surveillance systems adopt deep learning techniques and observe both client's and target's traffic. The outcome of this thesis is a Deep Learning based classification model (Convolutional Neural Network) that was evaluated using comprehensive experiments with new Tor datasets captured from real network traffic. The proposed algorithm is able to decide (with accuracy higher than 90%), whether the two connections observed in different places belong to the same communication between the client and the server. The positive result discloses a particular target of a client, thus represents a possible privacy weakness of the whole anonymization process. Compared to the existing works, the developed model is able to work with extended IP flow data, instead of full packet traces.

Thesis on DSpace

doc. Ing. Tomáš Čejka, Ph.D.

doc. Ing. Kamil Dedecius, Ph.D.

Department of Information Security

In this thesis we focus on development of a method of detection periodic behaviour in time series from network traffic, especially encrypted, represented by network flows. We also discuss utilization of detected periodicity behaviour to get information about application, service or operating system that generate network traffic.

Thesis on DSpace