Martin Laštovička
Masaryk University
Publication
Featured research published by Martin Laštovička.
network operations and management symposium | 2016
Milan Čermák; Daniel Tovarnak; Martin Laštovička; Pavel Čeleda
Modern distributed stream processing systems can potentially be applied to real-time network flow processing. However, differences in performance make some systems more suitable than others for being applied to this domain. We propose a novel performance benchmark, which is based on common security analysis algorithms of NetFlow data to determine the suitability of distributed stream processing systems. Three of the most used distributed stream processing systems are benchmarked and the results are compared with NetFlow data processing challenges and requirements. The benchmark results show that each system reached a sufficient data processing speed using a basic deployment scenario with little to no configuration tuning. Our benchmark, unlike any other, enables the performance of small structured messages to be processed on any stream processing system.
Immunotechnology | 2017
Martin Husák; Milan Čermák; Martin Laštovička; Jan Vykopal
The exchange of security alerts is a current trend in network security and incident response. Alerts from network intrusion detection systems are shared among organizations so that it is possible to see the “big picture” of the current security situation. However, the quality and redundancy of the input data seem to be underrated. We present four use cases of aggregation of the alerts from network intrusion detection systems. Alerts from a sharing platform deployed in the Czech national research and education network were examined in a case study. Volumes of raw and aggregated data are presented and a rule of thumb is proposed: up to 85% of alerts can be aggregated. Finally, we discuss the practical implications of alert aggregation for the network intrusion detection system, such as (in)completeness of the alerts and optimal time windows for aggregation.
network operations and management symposium | 2018
Jana Komarkova; Lukas Sadlek; Martin Laštovička
Many approaches, such as attack graphs, require knowledge of a vulnerability's properties such as impact, prerequisites, and exploitability. Currently, those properties are either categorized manually or too roughly. We present a program for granular, automated categorization of vulnerability. Further, we present a platform supporting researchers by gathering and sharing raw data about vulnerabilities and community-labeled datasets. The source code of our categorization program is available on GitHub.
integrating technology into computer science education | 2018
Valdemar Švábenský; Jan Vykopal; Milan Čermák; Martin Laštovička
Adversary thinking is an essential skill for cybersecurity experts, enabling them to understand cyber attacks and set up effective defenses. While this skill is commonly exercised by Capture the Flag games and hands-on activities, we complement these approaches with a key innovation: undergraduate students learn methods of network attack and defense by creating educational games in a cyber range. In this paper, we present the design of two courses, instruction and assessment techniques, as well as our observations over the last three semesters. The students report they had a unique opportunity to deeply understand the topic and practice their soft skills, as they presented their results at a faculty open day event. Their peers, who played the created games, rated the quality and educational value of the games overwhelmingly positively. Moreover, the open day raised awareness about cybersecurity and research and development in this field at our faculty. We believe that sharing our teaching experience will be valuable for instructors planning to introduce active learning of cybersecurity and adversary thinking.
availability, reliability and security | 2018
Jana Komarkova; Martin Husák; Martin Laštovička; Daniel Tovarňák
Attaining and keeping cyber situational awareness is crucial for the proper incident response, especially in critical infrastructures. Incident handlers need to process heterogeneous data, such as network topology and organisations' missions and objectives, to effectively mitigate the threats. The development of tools for attaining cyber situational awareness often faces the problem of effectively obtaining, correlating, and storing such heterogeneous data. In this paper, we present CRUSOE, an extensible layered data model for attaining and keeping information on cyber situational awareness. We conducted interviews with incident handlers from several security teams and evaluated existing requirements on cyber situational awareness to formalise the requirements on the proposed data model so that it can be used in today's common network settings. The CRUSOE data model keeps track of missions, systems, networks, hosts, threats, detection and response capabilities, and access control in a network of an organisation. It is also designed to be filled primarily with the data that can be obtained in a semi- or fully-automated fashion in today's common network environments.
autonomous infrastructure management and security | 2017
Martin Laštovička; Pavel Čeleda
Large-scale networks consisting of thousands of connected devices are like a living organism, constantly changing and evolving. It is very difficult for a human administrator to orient in such an environment and to react to emerging security threats. With such motivation, this PhD proposal aims to find new methods for automatic identification of devices, the services they provide, their dependencies and importance. The main focus of the proposal is to find novel approaches to building cyber situational awareness in an unknown network for the purpose of computer security incident response. Our research is at the initial phase and will contribute to a PhD thesis in four years.
network operations and management symposium | 2016
Milan Čermák; Tomáš Jirsík; Martin Laštovička
In this paper, we present a framework for the real-time generation of network traffic statistics on Apache Spark Streaming, a modern distributed stream processing system. Our previous results showed that stream processing systems provide enough throughput to process a large volume of NetFlow data and hence they are suitable for network traffic monitoring. This paper describes the integration of Apache Spark Streaming into a current network monitoring architecture. We prove that it is possible to implement the same basic methods for NetFlow data analysis in the stream processing framework as in the traditional ones. Moreover, our stream processing implementation discovers new information which is not available when using traditional network monitoring approaches.
network operations and management symposium | 2018
Martin Laštovička; Tomáš Jirsík; Pavel Čeleda; Stanislav Spacek; Daniel Filakovsky
network operations and management symposium | 2018
Martin Laštovička; Daniel Filakovsky
international conference on wireless communications and mobile computing | 2018
Martin Laštovička; Antonin Dufka; Jana Komarkova