Identifying Network Dynamics with Large Access Graph and Case-Based Reasoning

Lin, Yi-Yao

11 July 2002

This study adopts large access graph algorithm and case-base reasoning approach to generalize user access patterns and diagnose network events respectively for facilitating the network management. Large access graph (LAG) algorithm discovers the frequently inter-connections among hosts to provide an overview of network access relation. The case-based reasoning (CBR) system diagnoses the instant network events with the past experience. NetFlow log data collected from the router of the dormitory network of National Sun Yat-Sen University is used for demonstrating these two methods. The evaluation results measured by recall, precision, and accuracy show that these two mechanisms are useful to support the network administer to keep track of network access relations and diagnose the network events.

large access graph

network management

case-based reasoning

NetFlow

case similarity

Kompiuterių tinklo srautų anomalijų aptikimo metodai / Detection of network traffic anomalies

Krakauskas, Vytautas

03 June 2006

This paper describes various network monitoring technologies and anomaly detection methods. NetFlow were chosen for anomaly detection system being developed. Anomalies are detected using a deviation value. After evaluating quality of developed system, new enhancements were suggested and implemented. Flow data distribution was suggested, to achieve more precise NetFlow data representation, enabling a more precise network monitoring information usage for anomaly detection. Arithmetic average calculations were replaced with more flexible Exponential Weighted Moving Average algorithm. Deviation weight was introduced to reduce false alarms. Results from experiment with real life data showed that proposed changes increased precision of NetFlow based anomaly detection system.

Informatics Engineering

Anomaly detection

Exponential weighted moving average

Netflow

Anomalijų aptikimas

Bezpečnostní analýza síťového provozu / Security inspection of network traffic

Kult, Viktor

January 2017

Thesis topic concerns the issue of information security in corporate environments. Literature search includes information obtained by studying articles and literature in the field of information security. Resources were selected with a focus on the security risks, security technologies and legislative regulation. Attention is focused on technology that supports monitoring of communication flows in the data network. Overview of traffic operating a data network provides important information for the prevention or investigation of security incidents. Monitoring also serves as a source of information for the planning of the network infrastructure. It can detect faults or insufficient transmission capacity. The practical part is dedicated to implementation of the monitoring system in the real corporate networks. Part of the experience is the analysis of the network structure and choice of appropriate tools for actual implementation. When selecting tools, you can use the scoring method of multicriterial analysis options. The integration of the monitoring system is also the configuration of active network elements. Subsequent analysis of network traffic provides information about the most active users, most used applications or on the sources and targets of data transmitted. It provides a source of valuable information that can be used in case of failure on the network or security incident. The conclusion is a summary of the results and workflow.

Návrh monitoringu kritické komunikační infrastruktury pro energetickou společnost / A concept of monitoring critical information infrastructure for energetic company

Ševčík, Michal

January 2018

Diploma thesis deals with monitoring critical infrastructure, critical information infrastructure and network monitoring in energetic industry. The goal is to create analytical environment for processing logs from the network, to map the most critical segments of the network and implementation of monitoring and network devices, that increase security and mitigate risks of security events or security incidents

Sběr dat o síťové komunikaci ze zařízení síťové infrastruktury / Acquisition of communication statistical data from network infrastructure devices

Gargulák, Lukáš

January 2012

The diploma thesis describes theory that is needed for application development for acquisition of communication statistical data from network infrastructure devices. Aplication is called SDSKSI. The project compares protocols suitable for this purpose. Finally SNMP protocol was chosen because it is the most common in network devices. SNMP is described in detail. Each SNMP operation has its own practical demonstration. In the project there is also described MIB database and data types of MIB objects. Application is able to create network topology. Then administrator of network can imagine how the network looks like. For each device that support SNMP protocol are periodically collected and stored statistical data which can be exported to the file. For application development were chosen programming languages according to several criteria. Content of the laboratory exercise is presented. At the end of the project there are some system solutions for collecting statistical data. Diploma thesis contents two attachments. The first is containing the full text of laboratory task. The second is DVD disc. Disc is containing ready to boot aplication SDSKSI.

Efektivní detekce síťových anomálií s využitím DNS dat / Effective Network Anomaly Detection Using DNS Data

Fomiczew, Jiří

January 2015

This thesis describes the design and implementation of system for effective detection of network anomaly using DNS data. Effective detection is accomplished by combination and cooperation of detectors and detection techniques. Flow data in NetFlow and IPFIX formats are used as input for detection. Also packets in pcap format can be used. Main focus is put on detection of DNS tunneling. Thesis also describes Domain Name System (DNS) and anomalies associated with DNS.

Detekce pomalých síťových útoků / Detection of Slow Network Attacks

Pacholík, Václav

January 2014

This master's thesis is aimed how can be network traffic monitored using IP flows. The description of NEMEA framework that can be used to build complex intrusion detection system. Following chapters describes port scanning methods and SSH protocol which can be used for remote login to the system, which can be exploited by an attacker. These two areas are intended to be detected in a slow attack manner, when attacker using low attack speed, which he can evade multiple detection methods. Proposed method for detection such attacks is using information from the last few connections. Finally, proposed detection method results are further described.

Detekce síťových útoků pomocí statistických modelů nad netflow daty / Network Attacks Detection Using Statistical Models with Netflow Data

Čegan, Jakub

January 2012

This diploma thesis describes several selected network attacks detection method using statistical models with NetFlow data. First are described several well known and threats for computer networks, which are easily detectable in the NetFlow data. Thesis also introduce and present the NetFlow technology including its protocol and architecture. The theoretical part of the thesis describes statistical methods with focus on the ASTUTE method, that can be used for an anomaly detection. Following part introduces tools used for method implementation as the NfSen plugins. Last parts of the thesis describe in detail implementation of the plugins and following plugins testing which included simulated network attacks.

Návrh architektury sondy pro monitorování síťových toků / Design of Probe for Flow Based Monitoring

Žádník, Martin

Unknown Date

This thesis deals with the design and implementation of a monitoring probe intended for IP flow measurements in high-speed networks. The probe is based on commodity PC and network acceleration card. The monitoring process is partitioned between these two platforms. The thesis explores ways of mapping flow monitoring algorithms to hardware or software implementations. Several improvements are suggested to increase performance and functionality of the probe. Two level memory hierarchy increases the performance whereas autoconfiguration and adaptation of control parameters contribute to its robustness. The definition of variable flow-record allows to customize monitored statistics about the network. Analysis and simulations of proposed architecture indicate that the probe is suitable for monitoring of ten gigabit networks.

Ochrana datové sítě s využitím NetFlow dat / Network Protection Using NetFlow Data

Hlavatý, Ivo

January 2011

This document focuses on Cisco Netflow technology and its possible usage in monitoring networks and detecting network anomalies. Based on the analysis of attacks at the network and transport layer is designed an application for selected security threats which detects its presence. The implementation section provides a system for predicting network traffic and related detecting deviations from the baseline on the basis of statistical data. Use of NetFlow technolgy is demonstrated on examples where the results of other current security and monitoring techniques have failed or did not provide sufficiently good results.