Extension of reputation database with information from Passive DNS
Author
Maxmilián Tomáš
Year
2018
Type
Bachelor thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Department
Summary
DNS (Domain Name System) is the system used for translating between domain names and IP addresses.
Collecting data from the DNS system can be useful for network security. It can help
block the spreading of malware, detect infected hosts, or expand blacklists with malicious domains.
The result of this thesis is a system for storing the history of mappings between domain names and IP addresses.
The proposed PassiveDNS system imports DNS data captured from real network communication.
Imported data is stored in an aggregated form to avoid the depletion of hardware resources.
The system interface provides access to the translation history between individual domain names and specific IP addresses.
The system can help detection systems to extend their own databases.
The resulting system is integrated into the related projects developed by CESNET a.l.e.
Master theses
Analysis and detection of KRACK attack against WiFi infrastructure
Author
Jana Ernekerová
Year
2019
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Reviewers
Ing. Viktor Černý
Department
Summary
This thesis analyzes the principle of the KRACK attack and proposes methods for its detection. It also deals with the design, implementation, and testing of a system for real-time detection of the KRACK attack against the 4-way handshake. In the analytical part of the thesis, the relevant parts of the 802.11 standard that are the target of the attack are introduced first. Then the principle of the attack, its practical impact, and countermeasures are described. In addition, we map the available tools for detecting whether a device is vulnerable to this attack. The thesis focuses mainly on the attack against the 4-way handshake and analyzes the traffic generated during this attack. This malicious traffic is then compared to the standard traffic generated during the 4-way handshake. Based on the monitored traffic and the analytical part of the thesis, characteristics for detection of the KRACK attack are proposed. A system for detection of the 4-way handshake is designed, implemented, and successfully tested.
Automatic detection of suspicious network traffic using blacklists
Author
Filip Šuster
Year
2019
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Reviewers
Ing. Viktor Černý
Department
Summary
This thesis deals with the implementation of a set of modules for detection of suspicious network traffic using public blacklists. In addition to basic detection, which consists of reporting all matching network flows, the modules can be used to track the additional traffic of clients who communicated with a blacklisted entity.
The aim of the thesis is to use the analysis of additionally captured information about the suspicious clients' traffic for a better and more precise decision about the essence/context of the communication. This analysis makes it possible to reveal whether the basic detection is just a false alarm. To capture additional information in real time, a module called the adaptive filter, which is one of the main contributions of this thesis, has been created. The work focuses mainly on the use of publicly accessible lists of Command&Control servers as well as on the analysis of the traffic of clients communicating with these servers.
All created software tools are part of the open-source NEMEA project, which is used for traffic analysis and detection of security incidents in the national academic network CESNET2.
Informed DDoS mitigation based on reputation
Author
Tomáš Jánský
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Reviewers
doc. Ing. Hana Kubátová, CSc.
Department
Summary
Network attacks, especially DoS and DDoS attacks, are a significant threat to all providers of services or infrastructure. The most potent attacks can paralyze even the large-scale infrastructures of worldwide companies. The objective of DDoS attacks is usually to flood the target network device, or even the network itself, with a large number of packets.
Such an attack results in nondeterministic discarding of network packets. A DDoS mitigation strategy based on the recognition of malicious packets is a complex task due to the similarity between legitimate and malicious packets. This thesis proposes the design of a mitigation heuristic which utilizes knowledge of the so-called reputation score of network entities. The primary objective of this thesis is to integrate the proposed heuristic into a scrubbing center developed by CESNET a.l.e.
Universal module for data aggregation in the NEMEA system
Author
Michal Slabihoudek
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Department
Summary
The main part of this thesis concerns the design and implementation of an aggregation module for the existing network detection system NEMEA. The thesis also describes the system environment of the module (i.e., related tools and systems) together with the existing data format used for representing flow data. The implementation part of the thesis shows the important features of the aggregation module. The functionality and performance of the developed module were evaluated, and the test results confirm that the requirements are fulfilled and that the module is able to process data from high-speed networks.
System for grouping suspicious network addresses
Author
Lenka Stejskalová
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Department
Summary
This thesis deals with the analysis of traffic originating from suspicious network addresses and their distribution into groups of addresses. The goal of this thesis is to create a system for grouping suspicious network addresses which are reported together in security reports or show similar behavior. In the thesis, an analysis of the input data is done along with an analysis of the systems NERD, NEMEA, and Warden. The thesis also defines a botnet and classifies network attacks. A system for grouping suspicious network addresses was designed and implemented in this thesis. This system was tested on test data. The system was implemented in Python.
Anomaly detection in the traffic of IoT networks
Author
Dominik Soukup
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Reviewers
Ing. Viktor Černý
Department
Summary
This work is focused on the security concerns and issues of the Internet of Things (IoT). The first aim is to analyse the current situation of IoT and to identify vulnerabilities of wireless sensor network protocols. The second aim is to develop a tool that is able to detect security incidents in communication traffic. The analytical part describes the fog computing concept and the new communication architecture. At the same time, current IoT protocols, including their vulnerabilities, are thoroughly explored. This is followed by the design of a tool that is ready for future extension, which is necessary in a rapidly growing area like IoT. During the design, low hardware requirements were emphasised so that it would be possible to deploy the created solution even on IoT gateways with restricted resources.
The first result of this work is a survey of the current state of IoT, which is contained in the text of this work. The second result is a modular system that is configurable and customizable for the target topology. The created tool is implemented in the C++ language and extends the already existing IoT gateway BeeeOn with anomaly detection for wireless sensor network protocols. The result is a new version of the BeeeOn gateway with a mechanism for attack detection.
Detection of attacks that use the HTTP application protocol
Author
Tomáš Ďuračka
Year
2018
Type
Master thesis
Supervisor
Ing. Tomáš Čejka, Ph.D.
Department
Summary
The diploma thesis deals with the increasing number of web application intrusions and aims to develop a web application intrusion detection module for the NEMEA system. The module continuously analyses network flows and, based on predefined signatures, decides whether the network flows show signs of ongoing malicious activity targeting a web application. The benefit of the thesis lies in the ability to gather and share intelligence about ongoing malicious activities in their early stages.