Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models / Modélisation et reconnaissance des activités de balayage du réseau à l'aide de modèles à mélange fini et de modèles de Markov cachés

De Santis, Giulia

20 December 2018

Le travail accompli dans cette thèse a consisté à construire des modèles stochastiques de deux scanners de l'Internet qui sont ZMap et Shodan. Les paquets provenant de chacun des deux scanners ont été collectés par le Laboratoire de Haute Sécurité (LHS) hébergé à Inria Nancy Grand Est, et ont été utilisés pour construire par apprentissage des chaînes de Markov cachées (HMMs). La première partie du travail consistait à modéliser l'intensité des deux scanners considérés. Nous avons cherché à savoir si l'intensité de ZMap varie en fonction du service ciblé et si les intensités des deux scanners sont comparables. Les résultats ont montré que la réponse à la première question est positive (c'est-à-dire que l'intensité de ZMap varie en fonction des ports ciblés), alors que la réponse à la deuxième question est négative. En d'autres termes, nous avons obtenu un modèle pour chaque ensemble de logs. La partie suivante du travail consistait à étudier deux autres caractéristiques des mêmes scanners : leurs mouvements spatiotemporels. Nous avons créé des ensembles d'échantillons de logs avec chacune d'elle contient une seule exécution de ZMap et Shodan. Ensuite, nous avons calculé les différences d'adresses IP ciblées consécutivement par le même scanner (c.-à-d. dans chaque échantillon), et les timestamps correspondants. Les premiers ont été utilisés pour modéliser les mouvements spatiaux, tandis que les seconds pour les mouvements temporels. Une fois que les modèles de chaînes de Markov cachées sont construites, ils ont été appliqués pour identifier les scanners d'autres ensembles de logs. Dans les deux cas, nos modèles ne sont pas capables de détecter le service ciblé, mais ils détectent correctement le scanner qui génère de nouveaux logs, avec une précision de 95% en utilisant les mouvements spatiaux et de 98% pour les mouvements temporels / The work accomplished in this PhD consisted in building stochastic models of ZMap and Shodan, respectively, two Internet-wide scanners. More in detail, packets originated by each of the two considered scanners have been collected by the High Security Lab hosted in Inria, and have been used to learn Hidden Markov Models (HMMs). The rst part of the work consisted in modeling intensity of the two considered scanners. We investigated if the intensity of ZMap varies with respect to the targeted service, and if the intensities of the two scanners are comparable. Results showed that the answer to the first question is positive (i.e., intensity of ZMap varied with respect to the targeted ports), whereas the answer to the second question is negative. In other words, we obtained a model for each set of logs. The following part of the work consisted in investigating other two features of the same scanners: their spatial and temporal movements, respectively. More in detail, we created datasets containing logs of one single execution of ZMap and Shodan, respectively. Then, we computed di erences of IP addresses consecutively targeted by the same scanner (i.e., in each sample), and of the corresponding timestamps. The former have been used to model spatial movements, whereas the latter temporal ones. Once the Hidden Markov Models are available, they have been applied to detect scanners from other sets of logs. In both cases, our models are not able to detect the targeted service, but they correctly detect the scanner that originates new logs, with an accuracy of 95% when exploiting spatial movements, and of 98% when using temporal movements

Activités du scanning des réseaux

Modèles de Markov cachés

Scanners des réseaux

Zmap

Shodan

Sécurité de réseaux

Analyse de données

Network Scanning Activities

Zmap

Shodan

Hidden Markov Models

Network Scanners

Network Security

Data Analysis

005.8

Analysis of Computer System Incidents and Security Level Evaluation / Incidentų kompiuterių sistemose tyrimas ir saugumo lygio įvertinimas

Paulauskas, Nerijus

10 June 2009

The problems of incidents arising in computer networks and the computer system security level evaluation are considered in the thesis. The main research objects are incidents arising in computer networks, intrusion detection systems and network scanning types. The aim of the thesis is the investigation of the incidents in the computer networks and computer system security level evaluation. The following main tasks are solved in the work: classification of attacks and numerical evaluation of the attack severity level evaluation; quantitative evaluation of the computer system security level; investigation of the dependence of the computer system performance and availability on the attacks affecting the system and defense mechanisms used in it; development of the model simulating the computer network horizontal and vertical scanning. The thesis consists of general characteristic of the research, five chapters and general conclusions. General characteristic of the thesis is dedicated to an introduction of the problem and its topicality. The aims and tasks of the work are also formulated; the used methods and novelty of solutions are described; the author‘s publications and structure of the thesis are presented. Chapter 1 covers the analysis of existing publications related to the problems of the thesis. The survey of the intrusion detection systems is presented and methods of the intrusion detection are analyzed. The currently existing techniques of the attack classification are... [to full text] / Disertacijoje nagrinėjamos incidentų kompiuterių tinkluose ir kompiuterių sistemų saugumo lygio įvertinimo problemos. Pagrindiniai tyrimo objektai yra incidentai kompiuterių tinkluose, atakų atpažinimo sistemos ir kompiuterių tinklo žvalgos būdai. Disertacijos tikslas – incidentų kompiuterių tinkluose tyrimas ir kompiuterių sistemų saugumo lygio įvertinimas. Darbe sprendžiami šie pagrindiniai uždaviniai: atakų klasifikavimas ir jų sunkumo lygio skaitinis įvertinimas; kompiuterių sistemos saugumo lygio kiekybinis įvertinimas; kompiuterių sistemos našumo ir pasiekiamumo priklausomybės nuo sistemą veikiančių atakų ir joje naudojamų apsaugos mechanizmų tyrimas; modelio, imituojančio kompiuterių tinklo horizontalią ir vertikalią žvalgą kūrimas. Disertaciją sudaro įvadas, penki skyriai ir bendrosios išvados. Įvadiniame skyriuje nagrinėjamas problemos aktualumas, formuluojamas darbo tikslas bei uždaviniai, aprašomas mokslinis darbo naujumas, pristatomi autoriaus pranešimai ir publikacijos, disertacijos struktūra. Pirmasis skyrius skirtas literatūros apžvalgai. Jame apžvelgiamos atakų atpažinimo sistemos, analizuojami atakų atpažinimo metodai. Nagrinėjami atakų klasifikavimo būdai. Didelis dėmesys skiriamas kompiuterių sistemos saugumo lygio įvertinimo metodams, kompiuterių prievadų žvalgos būdams ir žvalgos atpažinimo metodams. Skyriaus pabaigoje formuluojamos išvados ir konkretizuojami disertacijos uždaviniai. Antrajame skyriuje pateikta sudaryta atakų nukreiptų į kompiuterių... [toliau žr. visą tekstą]

Electronics and Electrical Engineering

Computer system security

Security level evaluation

Network scanning

Intrusion detection system

Computer system incidents

Kompiuterių sistemų saugumas

Saugumo lygio įvertinimas

Tinklo žvalga

Atakų atpažinimo sistmos

Incidentai kompiuterių sistemose

Detekce síťových útoků pomocí nástroje Tshark / Detection of Network Attacks Using Tshark

Dudek, Jindřich

January 2018

This diploma thesis deals with the design and implementation of a tool for network attack detection from a captured network communication. It utilises the tshark packet analyser, the meaning of which is to convert the input file with the captured communications to the PDML format. The objective of this conversion being, increasing the flexibility of input data processing. When designing the tool, emphasis has been placed on the ability to expand it to detect new network attacks and on integrating these additions with ease. For this reason, the thesis also includes the design of a complex declarative descriptions for network attacks in the YAML serialization format. This allows us to specify the key properties of the network attacks and the conditions for their detection. The resulting tool acts as an interpreter of proposed declarative descriptions allowing it to be expanded with new types of attacks.