  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
281

Vhodná strategie pro detekci bezpečnostních incidentů v průmyslových sítích / Appropriate strategy for security incident detection in industrial networks

Kuchař, Karel January 2020
This diploma thesis focuses on the issues of industrial networks and the security offered by industrial protocols. The goal of this thesis is to create specific methods for the detection of security incidents. This thesis is mainly focused on the Modbus/TCP and DNP3 protocols. In the theoretical part, the industrial protocols are described, attack vectors are defined, and the security of each protocol is described. The practical part is focused on the description and simulation of security incidents. Based on the data gathered from the simulations, threats are identified by the introduced detection methods. These methods detect a security incident from an abnormality in the network traffic, using created formulas or machine learning. The designed methods are implemented in the IDS (Intrusion Detection System) of the system Zeek. With the designed methods, it is possible to detect selected security incidents in the destination workstation.
282

Využití strojového učení pro detekci anomálií na základě analýzy systémových logů / System Log Analysis for Anomaly Detection Using Machine Learning

Šiklóši, Miroslav January 2020
This diploma thesis deals with the use of machine learning for anomaly detection based on the analysis of system logs. The proposed models are based on supervised, unsupervised and deep learning algorithms. The functionality and behavior of these algorithms are explained both theoretically and practically. In addition, methods and procedures were used to preprocess the data before it was fed into the machine learning models. The proposed models are finally compared using several metrics and tested on syslogs that the models had not seen before. The most accurate performance was delivered by the Decision Tree Classifier, the One-Class Support Vector Machine and the Hierarchical Clustering model, which correctly labelled 93.95%, 85.66% and 85.3% of anomalies, respectively.
283

Vyhledávání podobností v síťových bezpečnostních hlášeních / Similarity Search in Network Security Alerts

Štoffa, Imrich January 2020
Network monitoring systems generate a high number of alerts reporting on anomalies and suspicious activity of IP addresses. From a huge number of alerts, only a small fraction is high priority and relevant from human evaluation. The rest is likely to be neglected. Assume that by analyzing large sums of these low priority alerts we can discover valuable information, namely, coordinated IP addresses and type of alerts likely to be correlated. This knowledge improves situational awareness in the field of network monitoring and reflects the requirement of security analysts. They need to have at their disposal proper tools for retrieving contextual information about events on the network, to make informed decisions. To validate the assumption, a new method is introduced to discover groups of coordinated IP addresses that exhibit temporal correlation in the arrival pattern of their events. The method is evaluated on real-world data from a sharing platform that accumulates 2.2 million alerts per day. The results show that the method indeed detected truly correlated groups of IP addresses.
284

Detekce útoku SlowDrop / SlowDrop attack detection

Náčin, Peter January 2021
The diploma thesis is focused on the detection of a slow DoS attack named SlowDrop. The attack tries to imitate a legitimate person with a slow internet connection and does not show a new strong signature, so the attack is difficult to detect. The diploma thesis is based on the work of Ing. Mazanek in which the SlowDrop attack script was created. At the theoretical level, the issue of DoS attacks is described in general, but also in particular. Furthermore, the work develops methods for solving the problem of SlowDrop attack detection. The methods are then defined in detail and tested in a simulation environment. The practical part describes data analysis, signature detection, anomaly detection using neural networks and a detection script. In all practical parts, the used technologies and solution procedures are described in detail. The specific implementation of the solution and the achieved results are also presented. Finally, the individual results are evaluated, compared individually, but also among themselves. The obtained results show that the attack is detectable using a neural network and by the created detection script.
285

Computation and Application of Persistent Homology on Streaming Data

Moitra, Anindya January 2020
No description available.
286

Event Sequence Identification and Deep Learning Classification for Anomaly Detection and Predication on High-Performance Computing Systems

Li, Zongze 12 1900
High-performance computing (HPC) systems continue growing in both scale and complexity. These large-scale, heterogeneous systems generate tens of millions of log messages every day. Effective log analysis for understanding system behaviors and identifying system anomalies and failures is highly challenging. Existing log analysis approaches use line-by-line message processing. They are not effective for discovering subtle behavior patterns and their transitions, and thus may overlook some critical anomalies. In this dissertation research, I propose a system log event block detection (SLEBD) method which can extract the log messages that belong to a component or system event into an event block (EB) accurately and automatically. At the event level, we can discover new event patterns, the evolution of system behavior, and the interaction among different system components. To find critical event sequences, existing sequence mining methods are mostly based on the a priori algorithm which is compute-intensive and runs for a long time. I develop a novel, topology-aware sequence mining (TSM) algorithm which is efficient to generate sequence patterns from the extracted event block lists. I also train a long short-term memory (LSTM) model to cluster sequences before specific events. With the generated sequence pattern and trained LSTM model, we can predict whether an event is going to occur normally or not. To accelerate such predictions, I propose a design flow by which we can convert recurrent neural network (RNN) designs into register-transfer level (RTL) implementations which are deployed on FPGAs. Due to its high parallelism and low power, FPGA achieves a greater speedup and better energy efficiency compared to CPU and GPU according to our experimental results.
287

Anomaly Detection in District Heating using a Clustering based approach

Nguyen, Minh-Tung, Baduni, Metjan January 2021
The global demand for energy has increased in recent years. In Northern Europe and North America, centralized production and distribution of heat energy is commonly regarded as District Heating (DH). Efficient delivery of heat in the DH system is crucial not only for the building dwellers but even for companies that supply such energy. DH efficiency has to overcome several challenges as a result of faults that negatively impact its performance. Data collected from substations can be analyzed to identify potential faults and reduce the associated economic costs. The aim of this study is to use unsupervised machine learning in order to identify potential clusters of buildings in a time series dataset collected from buildings in a medium size Swedish town. We propose to find the anomalies in two ways; firstly, by identifying possible clusters of buildings and finding buildings which do not belong to a cluster, that can constitute potential anomalies. Secondly, by studying how the cluster membership transitions can help us to identify abnormal behavior over different time windows. A data mining experiment has been conducted by analyzing the energy profiles of 90 buildings in a period of 8 weeks for 2017 using the DBSCAN algorithm. Results suggest that winter period is more appropriate for the formation of possible clusters compared to summer period due to less noise encountered in winter. Clustering for every week can tell us more about the anomalies. Last, the periodic transitions between the clusters and the ranking of the clusters based on scaled distance can help us improve the anomaly detection by signalizing us for further inspection.
288

Statistické metody detekce anomálií datové komunikace / Statistical anomaly detection methods of data communication

Woidig, Eduard January 2015
This thesis serves as a theoretical basis for a practical solution to the issue of the use of statistical methods for detecting anomalies in data traffic. The basic focus of anomaly detection in data traffic is on data attacks. Therefore, the main focus is the analysis of data attacks. The data attacks are sorted by the protocols that attackers exploit for their own activities. Each section describes the protocol itself, its usage and behavior. For each protocol, the attacks are described in turn, including the methodology leading to the attack and penalties on an already compromised system or station. For the most serious attacks, procedures for their detection and the potential defenses against them are outlined. These findings are summarized in the theoretical analysis, which should serve as a starting point for the practical part, which will be the analysis of real data traffic. The practical part is divided into several sections. The first of these describes the procedures for obtaining and preparing the samples to allow further analysis to be carried out on them. The scripts created for obtaining the needed data from the recorded samples are also described. These data were analyzed in detail, using statistical methods such as time series and descriptive statistics. The acquired properties and monitored behavior are subsequently verified using artificial and real attacks, with which the original clean traffic is modified. A new analysis of the modified traffic is compared with the original samples, and it is evaluated whether some kind of anomaly has been detected. The results and tracking are collectively summarized and evaluated in a separate chapter with a description of possible further attacks, which were not directly part of the test analysis.
289

Sběr dat a detekce anomálií přes mobilní zařízení / Mobile Based Data Acquisition and Anomaly Detection

Ondrášek, Michael January 2015
The work deals with the implementation of the specific architecture to detect anomalies in the classroom or in commercial use. The system consists of three parts: Measurement module, mobile applications and server part. Transmission between the measuring module of the server and the evaluation is carried out simultaneously with the visuals on the mobile device. All system components are implemented with the minimum cost and maximum expandability. All the necessary computing power is concentrated in the server part because of usability with multiple simultaneously operating mobile clients. Emphasis is placed on the solution architecture and the possibility of using the system as a whole, or selected portions separately. Finally, experiments are designed for the presentation of selected methods for anomaly detection.
290

Detekce škodlivých domén za pomoci analýzy pasivního DNS provozu / Detection of Malicious Domains Using Passive DNS Analysis

Doležal, Jiří January 2014
This diploma thesis deals with the detection of malicious domains using passive DNS traffic analysis, and with the design and implementation of a custom detection system. DNS traffic is becoming the target of many attackers, who exploit the fact that the DNS service is essential to the functioning of the Internet. Almost every Internet communication begins with a DNS query and response. Abuse of the DNS service, or exploitation of its weaknesses, manifests itself as anomalous behavior of DNS traffic. This thesis contains a description of various methods used for detecting anomalies and malicious domains in DNS data. The main part of the thesis is the design and implementation of a system for detecting malicious domains. The implemented system was tested on DNS data obtained from real traffic.
