    Geolocation and Computer Network Security (Geolokace a bezpečnost počítačových sítí)

    The article introduces the problem of determining the geographical location of users (devices) on the Internet. Selected examples present threats that exploit geolocation for new forms of attacks. The conclusion is devoted to the possibilities of using geolocation in the area of computer network security and anomaly detection.

    This article explains how to determine the geographical location of users (devices) on the Internet. Selected examples show threats which use geolocation for new forms of attacks. Finally, attention is paid to the use of geolocation in the areas of computer network security and anomaly detection.

    Threat Detection Through Correlation of Network Flows and Logs

    A rising number of mutually interconnected and communicating devices puts increasing demands on cybersecurity operators and their tools. With the rise of end-to-end encryption, it is becoming increasingly difficult to detect threats in network traffic. With such motivation, this Ph.D. proposal aims to find new methods for the automatic detection of threats hiding in encrypted channels. The focus of the proposal is on correlating the data still available in encrypted network flows with the data contained in the logs of network applications. Our research is in the initial phase and will contribute to a Ph.D. thesis in four years.

    Cyber Situation Awareness via IP Flow Monitoring

    Cyber situation awareness has been recognized as a vital requirement for effective cyber defense. Cyber situation awareness allows cybersecurity operators to identify, understand, and anticipate incoming threats. Achieving and maintaining cyber situation awareness is a challenging task given the continuous evolution of computer networks, the increasing volume and speed of data in a network, and the rising number of threats to network security. Our work contributes to the continuous evolution of cyber situation awareness through research on novel approaches to the perception and comprehension of a computer network. We concentrate our research efforts on the domain of IP flow network monitoring. We propose improvements to IP flow monitoring techniques that enable enhanced perception of a computer network. Further, we conduct detailed analyses of network traffic, which allow for an in-depth understanding of host behavior in a computer network. Last but not least, we propose a novel approach to IP flow network monitoring that enables real-time cyber situation awareness.

    Flow Data Collection in Large Scale Networks

    In this chapter, we present flow-based network traffic monitoring of large-scale networks. The continuous increase in Internet traffic requires the deployment of advanced monitoring techniques to provide near-real-time and long-term network visibility. Collected flow data can be further used for network behavioral analysis to indicate legitimate and malicious traffic, prove cyber threats, etc. An early warning system should integrate flow-based monitoring to ensure network situational awareness.

    The chapter introduces monitoring of network traffic in large computer networks based on IP flows. The continuous growth of Internet traffic requires the deployment of advanced monitoring techniques that provide a real-time and long-term view of what is happening in the network. The collected data can further serve for analysis of network behavior to distinguish legitimate and malicious traffic, prove cyber threats, etc. An early warning system should integrate monitoring of network flows so that it can provide an overview of the situation in the network.

    Stream-Based IP Flow Analysis

    As the complexity of Internet services, transmission speed, and data volume increase, current IP flow monitoring and analysis approaches cease to be sufficient, especially within high-speed and large-scale networks. Although IP flows consist only of selected network traffic features, their processing faces high computational demands, analysis delays, and large storage requirements. To address these challenges, we propose to improve the IP flow monitoring workflow by stream-based collection and analysis of IP flows utilizing distributed data stream processing. This approach requires changing the paradigm of IP flow data monitoring and analysis, which is the main goal of our research. We analyze distributed stream processing systems, for which we design a novel performance benchmark to determine their suitability for stream-based processing of IP flow data. Based on the benchmark results, we define a stream-based workflow of IP flow collection and analysis, which we also implement as the publicly available open-source framework Stream4Flow. Furthermore, we propose new analytical methods that leverage the stream-based IP flow data processing approach and extend network monitoring and threat detection capabilities.

    Graph-Based CPE Matching for Identification of Vulnerable Asset Configurations

    In this manuscript, we propose a graph-based approach for the identification of vulnerable asset configurations via Common Platform Enumeration (CPE) matching. The approach consists of a graph model and an insertion procedure that is able to represent and store information about CVE vulnerabilities and different configurations of CPE-classified asset components. These building blocks are accompanied by a search query in the Gremlin graph traversal language that is able to find all vulnerable pairs of CVEs and asset configurations in a single traversal, as opposed to a conventional brute-force approach.

    Revealing and Analysing Modem Malware

    In this paper, we provide a formal description of the modem malware life cycle. A description of the modem malware evolution (history) is included. We propose a set of techniques to perform a detailed analysis of an infected modem. We report on modem malware network activities in a campus network and propose a NetFlow-based detection method to reveal modem malware spreading.

    The paper gives a formal description of the life cycle of malware for modems. The evolutionary development of modem malware is described. Techniques are proposed that allow a detailed analysis of an infected modem. We further present information on the network activities of infected modems in a university network, and a method using NetFlow data for detecting the spread of modem malware is proposed.

    Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

    This paper deals with tunneled IPv6 traffic monitoring and describes IPv6 transition issues. The contribution is the possibility of monitoring what is inside IPv6 tunnels. This gives network administrators a way to detect security threats which would otherwise be considered harmless IPv4 traffic. This approach is also suitable for long-term network monitoring. This is achieved by using IPFIX (IP Flow Information Export) as the information-carrying format. The proposed approach also allows monitoring traffic on 10 Gb/s links because it supports hardware-accelerated packet distribution to multiple processors.

    The paper discusses the monitoring of tunneled IPv6 traffic by decapsulating packets and exporting them using the IPFIX protocol. It discusses the issues of IPv6 tunneling transition mechanisms and presents a solution that is able to monitor this traffic even on backbone links at 10 Gb/s.

    Identification of Attack Paths Using Kill Chain and Attack Graphs

    The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to the final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Kill chain and attack graphs are threat modeling concepts that enable determining weak points in security defenses. We propose a novel kill chain attack graph that merges the kill chain and attack graphs together. This approach determines possible chains of an attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to the violated security properties. The graph allows determining the kill chain phase the administrator should focus on and the applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. The publicly available implementation contains a proof-of-concept kill chain attack graph generator.

    Dataset of Shell Commands Used by Participants of Hands-on Cybersecurity Training

    We present a dataset of 13446 shell commands from 175 participants who attended cybersecurity training and solved assignments in the Linux terminal. Each acquired data record contains a command with its arguments and metadata, such as a timestamp, working directory, and host identification in the emulated training infrastructure. The commands were captured in Bash, ZSH, and Metasploit shells. The data are stored as JSON records, enabling vast possibilities for their further use in research and development. These include educational data mining, learning analytics, student modeling, and evaluating machine learning models for intrusion detection. The data were collected from 27 cybersecurity training sessions using an open-source logging toolset and two open-source interactive learning environments. Researchers and developers may use the dataset or deploy the learning environments with the logging toolset to generate their own data in the same format. Moreover, we provide a set of common analytical queries to facilitate the exploratory analysis of the dataset.