
    Network Protection Using NetFlow Data

    This thesis describes securing a data network using NetFlow technology. The introduction describes some possible threats that can affect a data network and that are recognizable from NetFlow data. The next part of the thesis proposes a set of detection rules and a two-step detection method that applies them. These rules were formulated on the basis of observations and experiments in a data network.

    Finding Exercise Equilibrium: How to Support the Game Balance at the Very Beginning?

    Cyber defence exercises (CDX) represent a popular form of hands-on security training. Learners are usually divided into several teams that have to defend or attack virtual IT infrastructure (red vs. blue teams). CDXs are prepared for learners whose level of skills, knowledge, and background may be unknown and very diverse. This is evident in the case of high-profile international CDXs with hundreds of participants coming from government agencies, the military, academia, and the private sector. In this poster, we present techniques for distributing learners to teams with respect to their level of proficiency and the prerequisite skills required by the exercise. Our aim is to reach a balance between proficiency and the exercise, so that the exercise is beneficial for the learners and an effective investment for sponsors. The poster describes three methods and compares their advantages and disadvantages. First, we present self-assessment questionnaires that we have already used in four runs of a national CDX for 80 participants in total. We outline our findings from the analysis of learners' self-assessment before and after the exercise and the score they reached during the exercise. Second, we introduce a promising method of testing the prerequisites of the exercise. This is still a work in progress, but we believe that this method enables better assessment of learners' skills with respect to the exercise content and better supports the game balance. Finally, we compare both methods to a naive one that shuffles participants into teams randomly.

    Lessons Learned from KYPO – Cyber Exercise & Research Platform Project

    Cyber attacks have become a significant threat to the critical information infrastructure of a state. In order to face them, it is necessary to study them, understand them, and train personnel to recognize them. For this purpose we have developed KYPO, a Cyber Exercise & Research Platform for the simulation of numerous cyber attacks. In this paper we present the KYPO platform and the first experience gained from Capture the Flag game training.

    Network Attacks Detection Using Statistical Models with Netflow Data

    This diploma thesis describes selected methods of network attack detection based on applying statistical models to NetFlow data. The introductory part describes some threats that frequently affect computer networks and are readily detectable in NetFlow data. The thesis also presents the NetFlow technology itself, including its protocol and architecture. The theoretical part then describes in detail the statistical methods applicable to attack and anomaly detection, with emphasis on the ASTUTE method. The next part introduces the tools used to implement the methods as plugins for the NfSen program. The final parts describe in detail the implementation of the plugins and their subsequent testing, including the simulated network attacks that were carried out.

    PhiGARo: Automatic Phishing Detection and Incident Response Framework

    We present a comprehensive framework for automatic phishing incident processing and work in progress concerning automatic phishing detection and reporting. Our work is based upon the automatic phishing incident processing tool PhiGARo, which locates users responding to phishing attack attempts and prevents access to phishing sites from the protected network. Although PhiGARo processes phishing incidents automatically, it depends on reports of phishing incidents from users. We propose a framework which introduces honey pots into the process in order to eliminate the reliance on user input. The honey pots are used to capture e-mails, automatically detect messages containing phishing, and immediately transfer them to PhiGARo. There is a need to propagate the e-mail addresses of a honey pot to attract phishers. We discuss approaches to honey pot e-mail propagation and propose a further enhancement to using honey pots in response to phishing incidents. We propose providing phishers with false credentials, accounts, and documents that will grant them access to other honey pot services. Tracing these honey tokens may lead us to the originators of the phishing attacks and help investigations into phishing incidents.

    KYPO – A Platform for Cyber Defence Exercises

    Correct and timely responses to cyber attacks are crucial for the effective implementation of cyber defence strategies and policies. The number of threats and the ingenuity of attackers are ever growing, as is the need for more advanced detection tools, techniques, and skilled cyber security professionals. KYPO – Cyber Exercise & Research Platform is focused on modelling and simulating complex computer systems and networks in a virtualized and separated environment. The platform enables realistic simulations of critical information infrastructures in a fully controlled and monitored environment. Time-efficient and cost-effective simulation is feasible using cloud resources instead of a dedicated infrastructure. In this paper, we present the KYPO platform and its use cases. We aim to execute current and sophisticated cyber attacks against simulated infrastructure, since this is one of the key premises for running successful cyber security training exercises. To make the desired improvement in the skills of the participants, a powerful storyline for the exercise is essential. Last but not least, we understand that technical skills must be complemented by communication, strategy, and other skills for effective cyber defence.

    Conceptual Model of Visual Analytics for Hands-on Cybersecurity Training

    Hands-on training is an effective way to practice theoretical cybersecurity concepts and increase participants' skills. In this paper, we discuss the application of visual analytics principles to the design, execution, and evaluation of training sessions. We propose a conceptual model employing visual analytics that supports the sensemaking activities of users involved in the various phases of the training life cycle. The model emerged from our long-term experience in designing and organizing diverse hands-on cybersecurity training sessions. It provides a classification of visualizations and can be used as a framework for developing novel visualization tools supporting the phases of the training life cycle. We demonstrate the application of the model on examples covering two types of cybersecurity training programs.

    Cloud-based Testbed for Simulation of Cyber Attacks

    Cyber attacks have become ubiquitous, and in order to face current threats it is important to understand them. Studying attacks in a real environment, however, is not viable, and therefore it is necessary to find other methods to examine the nature of attacks. Gaining detailed knowledge about them facilitates the design of new detection methods as well as understanding their impact. In this paper we present a testbed framework for simulating attacks that enables the study of a wide range of security scenarios. The framework provides a notion of real-world arrangements, yet it retains full control over all the activities performed within the simulated infrastructures. Utilizing the sandbox environment, it is possible to simulate various security attacks and evaluate their impact on real infrastructures. The design of the framework benefits from IaaS clouds; therefore its deployment does not require dedicated facilities, and the testbed can be deployed over various contemporary clouds. The viability of the testbed has been verified by the simulation of a particular DDoS attack.

    Microstructural and magnetic properties of Mn2FeSi and Mn2FeAl alloys prepared in bulk form

    Microstructural and magnetic properties of the Mn2FeSi and Mn2FeAl alloys prepared in bulk form have been investigated. Cylinder-shaped ingots produced by the induction melting technique were analyzed in the as-quenched state and after additional annealing at 773 K for 5 days in a protective argon atmosphere. The results show that Si and Al have different effects on the microstructural and magnetic properties of the alloys. The Mn2FeAl ingots are single-phase both before and after annealing, and their diffractograms surprisingly correspond not to the Heusler (L21 or XA) but to the primitive cubic β-Mn structure. Conversely, Mn2FeSi alloys show two-phase behavior in the as-quenched state. From the results of X-ray diffraction it was not possible to judge whether the Mn2FeSi alloy has the inverse-Heusler (XA) or full Heusler (L21) structure. Annealing of Mn2FeSi leads to the formation of multiple phases. The EDX chemical area analyses showed only slight deviations of the compositions from the nominal ones. Lattice parameters of 0.5672 nm and 0.6339 nm were estimated for the Mn2FeSi and Mn2FeAl samples from X-ray diffraction measurements. From the magnetic viewpoint, all samples are paramagnetic at room temperature and transform into an antiferromagnetic state at Néel temperatures of about 50 K and 36 K for Mn2FeSi and Mn2FeAl, respectively. The negative Curie temperatures determined for all samples by the Curie-Weiss law indicate an antiferromagnetic ordering of spins. Positron annihilation investigations revealed that Mn2FeSi contains a high concentration of vacancies. The local chemical environment of the vacancies, characterized by coincidence Doppler broadening, is compatible with the L21 rather than the XA structure. In contrast, the vacancy concentration in Mn2FeAl is very low and almost all positrons are annihilated in the free state.

    Magneto-structural correlations in Fe-25 at%Al influenced by substitution of Fe by Co and by thermal treatment

    Scanning electron microscopy, X-ray diffraction, positron annihilation spectroscopy, Mössbauer spectrometry, and measurements of magnetic characteristics by vibrating sample magnetometer, complemented by theoretical simulations, are applied in the present investigation of Fe-Al-Co alloys with 25 at% Al and with Co substituting Fe in amounts of 15 at% or 25 at%. The alloys, prepared by slightly different technologies resulting in different structural morphologies, are subjected to thermal treatment followed by slow cooling and water cooling. It is shown that the alloy with the lower Co content and the initial A2 structure is more sensitive to the thermal treatments, from the viewpoint of changes in morphology, defect concentration, and magnetic properties, than the other one with the initial B2 structure. This is reflected in almost all of the experimentally obtained results.