Milan Čermák

A performance benchmark for NetFlow data analysis on distributed stream processing systems

Modern distributed stream processing systems can potentially be applied to real time network flow processing. However, differences in performance make some systems more suitable than others for being applied to this domain. We propose a novel performance benchmark, which is based on common security analysis algorithms of NetFlow data to determine the suitability of distributed stream processing systems. Three of the most used distributed stream processing systems are bench-marked and the results are compared with NetFlow data processing challenges and requirements. The benchmark results show that each system reached a sufficient data processing speed using a basic deployment scenario with little to no configuration tuning. Our benchmark, unlike any other, enables the performance of small structured messages to be processed on any stream processing system.

Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting

The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from a HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss host-based and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics.

Exchanging security events: Which and how many alerts can we aggregate?

The exchange of security alerts is a current trend in network security and incident response. Alerts from network intrusion detection systems are shared among organizations so that it is possible to see the “big picture” of current security situation. However, the quality and redundancy of the input data seem to be underrated. We present four use cases of aggregation of the alerts from network intrusion detection systems. Alerts from a sharing platform deployed in the Czech national research and education network were examined in a case study. Volumes of raw and aggregated data are presented and a rule of thumb is proposed: up to 85% of alerts can be aggregated. Finally, we discuss the practical implications of alert aggregation for the network intrusion detection system, such as (in)completeness of the alerts and optimal time windows for aggregation.

Enhancing cybersecurity skills by creating serious games

Adversary thinking is an essential skill for cybersecurity experts, enabling them to understand cyber attacks and set up effective defenses. While this skill is commonly exercised by Capture the Flag games and hands-on activities, we complement these approaches with a key innovation: undergraduate students learn methods of network attack and defense by creating educational games in a cyber range. In this paper, we present the design of two courses, instruction and assessment techniques, as well as our observations over the last three semesters. The students report they had a unique opportunity to deeply understand the topic and practice their soft skills, as they presented their results at a faculty open day event. Their peers, who played the created games, rated the quality and educational value of the games overwhelmingly positively. Moreover, the open day raised awareness about cybersecurity and research and development in this field at our faculty. We believe that sharing our teaching experience will be valuable for instructors planning to introduce active learning of cybersecurity and adversary thinking.

A graph-based representation of relations in network security alert sharing platforms

In this paper, we present a framework for graph-based representation of relation between sensors and alert types in a security alert sharing platform. Nodes in a graph represent either sensors or alert types, while edges represent various relations between them, such as common type of reported alerts or duplicated alerts. The graph is automatically updated, stored in a graph database, and visualized. The resulting graph will be used by network administrators and security analysts as a visual guide and situational awareness tool in a complex environment of security alert sharing.

Toward Stream-Based IP Flow Analysis

Analyzing IP flows is an essential part of traffic measurement for cyber security. Based on information from IP flows, it is possible to discover the majority of concurrent cyber threats in highspeed, large-scale networks. Some major prevailing challenges for IP flow analysis include, but are not limited to, analysis over a large volume of IP flows, scalability issues, and detecting cyber threats in real time. In this article, we discuss the transformation of present IP flow analysis into a stream-based approach to face current challenges in IP flow analysis. We examine the possible positive and negative impacts of the transformation and present examples of real-world applications, along with our recommendations. Our ongoing results show that stream-based IP flow analysis successfully meets the above-mentioned challenges and is suitable for achieving real-time network security analysis and situational awareness.

Real-time analysis of NetFlow data for generating network traffic statistics using Apache Spark

In this paper, we present a framework for the real-time generation of network traffic statistics on Apache Spark Streaming, a modern distributed stream processing system. Our previous results showed that stream processing systems provide enough throughput to process a large volume of NetFlow data and hence they are suitable for network traffic monitoring. This paper describes the integration of Apache Spark Streaming into a current network monitoring architecture. We prove that it is possible to implement the same basic methods for NetFlow data analysis in the stream processing framework as in the traditional ones. Moreover, our stream processing implementation discovers new information which is not available when using traditional network monitoring approaches.

On Information Value of Top N Statistics

In the era of Internet of Things (IoT), the volume of the monitored data from IoT network is enormous. However, not all data provide sufficient or relevant information. Since the analysis of big data is both resource and time exhausting, only relevant information should be analysed. In this paper, we scrutinize the widely used Top N statistics and evaluate its information value with respect to gathering information about individual hosts in the network. All theoretical discussions are evaluated on the real-world data. Moreover, we provide an assessment of statistics suitability for identifying a host in network traffic. The results of the paper should assist data analyst of IoT network data.

Detecting Advanced Network Threats Using a Similarity Search

In this paper, we propose ai¾?novel approach for the detection of advanced network threats. We combine knowledge-based detections with similarity search techniques commonly utilized for automated image annotation. This unique combination could provide effective detection of common network anomalies together with their unknown variants. In addition, it offers ai¾?similar approach to network data analysis as ai¾?security analyst does. Our research is focused on understanding the similarity of anomalies in network traffic and their representation within complex behaviour patterns. This will lead to ai¾?proposal of ai¾?system for the real-time analysis of network data based on similarity. This goal should be achieved within ai¾?period of three years as ai¾?part of ai¾?PhD thesis.

Detection of DNS Traffic Anomalies in Large Networks

Almost every Internet communication is preceded by a translation of a DNS name to an IP address. Therefore monitoring of DNS traffic can effectively extend capabilities of current methods for network traffic anomaly detection. In order to effectively monitor this traffic, we propose a new flow metering algorithm that saves resources of a flow exporter. Next, to show benefits of the DNS traffic monitoring for anomaly detection, we introduce novel detection methods using DNS extended flows. The evaluation of these methods shows that our approach not only reveals DNS anomalies but also scales well in a campus network.