  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Detekce a izolace útočníků pomocí záznamů NetFlow / Detection and Isolation of Attackers Using Neflow Data

Grégr, Matěj Unknown Date
This thesis deals with using NetFlow records for detecting network scanning. Anonymized NetFlow records from the VUT backbone network are used as the source. Based on statistics created from these records, several Bash and Python scripts are implemented. With these scripts it is possible to detect network scanning even in large academic networks.
12

Network Monitoring on Large Networks

Wei, Chuan-pi 06 July 2004
There seem to be more security events happening on the network nowadays, so administrators have to be able to find malicious activities in progress as soon as possible in order to launch effective and efficient countermeasures. Network administrators need to monitor their networks by collecting real-time traffic measurement data, but they might find that the data gathered has either too little or too much detail. The traditionally adopted SNMP-based tools most often give too little. Packet sniffing tools, however, investigate too much, so that performance is sacrificed, especially on a large network with heavy traffic. Flows are defined as a series of packets traveling between two communicating end hosts. Flow profiling functionality is built into most networking devices today, which efficiently provides the information required to record network and application resource utilization. Flow strikes a balance between detail and summary. NetFlow is the de facto standard in flow profiling. We introduce, describe, and investigate its features, advantages, and strengths. Many useful flow-related tools are freely available on the Internet. A mechanism is proposed to make use of the flow logs to monitor the network effectively and efficiently. Through verification, it is believed that using flow logs can greatly benefit the network administrator. Administrators can use them for timely monitoring, DoS and worm propagation detection, forensics, etc.
13

A NetFlow Based Internet-worm Detecting System in Large Network

Wang, Kuang-Ming 04 September 2005
Internet worms are a major threat to the security of today's Internet and cause significant worldwide disruptions; a huge number of infected hosts generating overwhelming traffic will impact the performance of the Internet. Network managers have the duty to mitigate this issue. In this paper we propose an automated method for detecting Internet worms in large networks based on NetFlow. We also implement a prototype system, FloWorM, which can help network managers to monitor suspected Internet-worm activities and identify their species in their managed networks. Our evaluation of the prototype system on real large and campus networks validates that it achieves a pretty low false positive rate and a good detection rate.
14

Monitorování a účtování spojení v sítích IMS / Session Monitoring and Accounting in IMS Networks

Karpíšek, Filip January 2015
This thesis describes protocols used in IP Multimedia Subsystem (IMS) networks. Freely available implementations of the IMS system are described. The main goal is to describe the design and implementation of a tool for analyzing communication between users and the IMS system. The tool seeks and decodes signaling messages. These messages are analyzed for information about sessions, which is necessary for session monitoring and accounting. The final gathered information is exported in the form of extended NetFlow/IPFIX records. We used the open-source Open IMS Core implementation for building the IMS network and creating test data. As endpoints we used another open-source application for Android OS called IMSDroid.
15

Detekce slovníkových útoků na síťové služby analýzou IP toků / Detection of Dictionary Attacks on Network Services Using IP Flow Analysis

Činčala, Martin January 2015
Existing research suggests that it is possible to detect dictionary attacks using IP flows. This type of detection was successfully implemented for the SSH, LDAP and RDP protocols. To determine whether it is possible to use the same methods of detection for e-mail protocols, a virtual test environment was created. I deduced the characteristics of attacks in flows from the data which I gained from this virtual environment. Then I chose the statistical value that separates the attacks from legitimate traffic. Variance of specific flow parameters was chosen as the main characteristic of attacks. IP addresses with flows that have a small variance of the chosen parameters and a high frequency of packet arrival are considered untrustworthy. Variance is calculated from IP history to rule out false positives. The IP history of a legitimate user contains a variation of flows, which prevents marking this IP address as dangerous. On the basis of this principle, the script which detects the attacks from the nfdump output was created. The success of detection of the attacks was tested on classified data from the real environment. The results of the tests showed that with a good configuration of marginal values the percentage of detected attacks is high and there are no false positives. Detection is not limited only to mail protocols. With regard to its universal design, the script is able to detect dictionary attacks on SSH, LDAP, SIP, RDP, SQL, telnet and some other attacks.
16

Validace parametrů sítě založená na sledování síťového provozu / Validation of Network Parameters Based on Network Monitoring

Martínek, Radim January 2011
The Master's Thesis presents a theoretical introduction, familiarization with the issue and an implementation of a "network parameter validation" tool, which is founded on the principle of network traffic monitoring. Firstly, the current development of computer network setup is analyzed along with its limitations. This is the starting point for the introduction of a new approach to the implementation and verification of required network settings, which uses techniques of verification, simulation and validation. After the introduction to the context, validation techniques are specifically examined. The thesis's main contribution lies in the capacity to determine appropriate parameters, which can be used for validation and also for the implementation of the tool that ensures the validation process. The network traffic, which characterizes the behavior of the network, is collected by NetFlow technology, which generates network flows. These flows are subsequently used by the designed tool for validation of the required network parameters. This process overall verifies whether the main computer network requirements have been met or not.
17

Návrh architektury sondy pro monitorování síťových toků / Design of Probe for Flow Based Monitoring

Soľanka, Lukáš Unknown Date
This thesis deals with the design and implementation of a flow-based monitoring probe. The monitoring task performed by the probe is divided into a hardware layer, which is capable of measurement at high packet rates, and a software layer, which provides large memory for flow storage. Analysis done in the work shows that this concept offers many advantages when compared to software-based flow monitoring applications. The probe is designed to be used with a hardware accelerator card and offers high flexibility and performance by way of a user-defined monitoring process. The designed system has been implemented and thoroughly tested and is ready for deployment for tasks such as operational monitoring, network traffic classification, anomaly and attack detection and many others.
18

Content Agnostic Malware Detection in Networks / Paketinhaltsunabhängige Schadsoftwareerkennung in Netzwerken

Tegeler, Florian 08 May 2012
No description available.
19

En stabs nätverkstrafik : En analys av användningen av datornätverkskapacitet i en operativ stab under övningen VIKING 11 / A Staff's Network Traffic: An Analysis of the Use of Computer Network Capacity in an Operational Headquarters During Exercise VIKING 11

Gradh, Anders January 2015
In 2014 the Swedish Armed Forces (SwAF) spent almost SEK 20 million on the procurement of satellite capacity for use during training, exercises and operations. However, according to SwAF Headquarters, the capacity procured did not meet unit demands. The aim of this study is to gain a better understanding of the capacity usage in an operational headquarters, based on the headquarters' staff procedures and to see if there is any military utility to be gained in connection with this capacity. The starting point for the study is quantitative data about network usage. This quantitative data is then compared with staff work based on quantitative and qualitative data from war diaries, governing documentation and studies. The study shows that capacity usage is not related to staff work, but is instead linked to the presence of staff and their use of the Internet. The study also indicates that there could be potential for greater military utility of network capacity, but this will require the introduction of network priority mechanisms and further studies into user traffic.
20

Návrh a implementace síťového kolektoru / Design and implementation of network collector

Bošeľa, Jaroslav January 2020
This master's thesis deals with the description of a network flow information protocol, mainly the definition of Cisco NetFlow version 9. It describes its features, message format and attributes of transmitted data. The thesis is primarily focused on the NetFlow v9 transmitted template, which defines fields and data in the consecutive data flow. The essence of the thesis consists in the implementation of a simple NetFlow v9 parser, which has been programmed in the Python programming language, its tests on captured UDP data from a file, and port capture testing on a development server in the lab. The implementation offers the possibility of saving captured and parsed data into a prepared database as output from capturing.
