Publication


Featured research published by Pavel Čeleda.


IEEE Communications Surveys and Tutorials | 2014

Flow monitoring explained: From packet capture to data analysis with NetFlow and IPFIX

Rick Hofstede; Pavel Čeleda; Brian Trammell; Idilio Drago; Ramin Sadre; Anna Sperotto; Aiko Pras

Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows, rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood, before being able to perform sound flow measurements. Otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.
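The abstract stresses that the packet-observation and flow-export stages shape the data an analyst later sees, and that timeouts are one source of the "flow data artifacts" it mentions. The following added example (not code from the paper) is a minimal metering process: packets are aggregated on the unidirectional 5-tuple, and records leave the cache on an active or inactive timeout. The timeout values and the packet trace are constructed assumptions; run it and a single five-minute TCP connection comes out as three flow records.

```python
"""Packet-to-flow aggregation with active and inactive timeouts.

Added example for this page; it is not code from the paper above. The
timeout values and the packet trace are constructed for illustration.
Flows are keyed unidirectionally on the 5-tuple, as in NetFlow v5/v9 and
basic IPFIX templates.
"""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 120.0    # seconds; assumed exporter setting
INACTIVE_TIMEOUT = 15.0   # seconds; assumed exporter setting


@dataclass
class FlowRecord:
    key: tuple          # (src_ip, dst_ip, proto, src_port, dst_port)
    first: float        # timestamp of the first packet in this record
    last: float         # timestamp of the last packet in this record
    packets: int = 0
    octets: int = 0
    reason: str = ""    # why the record left the cache (set at export time)


class FlowCache:
    """The flow cache of a metering process: packets update entries,
    expired entries are exported as flow records."""

    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active = active
        self.inactive = inactive
        self.cache = {}
        self.exported = []

    def _expire(self, now):
        # Real exporters run this on a timer; here it runs on every packet.
        for key, rec in list(self.cache.items()):
            if now - rec.last > self.inactive:
                rec.reason = "inactive_timeout"
                self.exported.append(self.cache.pop(key))
            elif now - rec.first > self.active:
                rec.reason = "active_timeout"
                self.exported.append(self.cache.pop(key))

    def observe(self, ts, src, dst, proto, sport, dport, length):
        self._expire(ts)
        key = (src, dst, proto, sport, dport)
        rec = self.cache.get(key)
        if rec is None:
            rec = FlowRecord(key, ts, ts)
            self.cache[key] = rec
        rec.last = ts
        rec.packets += 1
        rec.octets += length

    def flush(self):
        # End of observation: everything still cached is exported.
        for key in list(self.cache):
            rec = self.cache.pop(key)
            rec.reason = "flush"
            self.exported.append(rec)
        return self.exported


def meter(trace, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """Run a packet trace (list of (ts, src, dst, proto, sport, dport, len))
    through the cache and return the exported records in export order."""
    fc = FlowCache(active, inactive)
    for pkt in sorted(trace, key=lambda p: p[0]):
        fc.observe(*pkt)
    return fc.flush()


# Constructed trace: one DNS query and one TCP session that sends a packet
# every 10 s for five minutes (31 packets). The session outlives the
# active timeout, so a single connection yields several flow records.
SAMPLE_TRACE = [(5.0, "10.0.0.1", "192.0.2.53", "udp", 53000, 53, 64)] + [
    (float(t), "10.0.0.1", "192.0.2.10", "tcp", 40000, 443, 1400)
    for t in range(0, 301, 10)
]

if __name__ == "__main__":
    for r in meter(SAMPLE_TRACE):
        print(r.key, r.first, r.last, r.packets, r.octets, r.reason)
```

The point for analysis is visible in the output: the TCP session appears as records of 13, 13 and 5 packets with different start times, so any downstream logic that counts "connections" by counting records, or that computes durations per record, is measuring the exporter's timers rather than the traffic. The DNS query leaves the cache only when a later packet triggers the idle check, so the export timestamp lags the traffic by up to the inactive timeout.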


IEEE Intelligent Systems | 2009

Adaptive Multiagent System for Network Traffic Monitoring

Martin Rehak; Michal Pechoucek; Martin Grill; Jan Stiborek; Karel Bartos; Pavel Čeleda

Individual anomaly-detection methods for monitoring computer network traffic have relatively high error rates. An agent-based trust-modeling system fuses anomaly data and progressively improves classification to achieve acceptable error rates.


Meeting of the European Network of Universities and Companies in Information and Communication Engineering | 2013

Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement

Petr Velan; Tomáš Jirsík; Pavel Čeleda

In this paper we analyze HTTP protocol parsers that provide web traffic visibility to IP flows. Despite extensive work, flow meters generally fall short of performance goals when extracting application-layer data. Constructing an effective protocol parser for in-depth analysis is a challenging and error-prone affair. We designed and evaluated several HTTP protocol parsers representing current state-of-the-art approaches used in today's flow meters. We show the packet rates achieved by the respective parsers, including the throughput decrease caused by the application parser, which is of the utmost importance for high-speed deployments. We believe that these results provide researchers and network operators with important insight into application visibility and IP flow.


IEEE/WIC/ACM International Conference on Intelligent Agent Technology | 2007

Network Intrusion Detection by Means of Community of Trusting Agents

Martin Rehak; Michal Pechoucek; Karel Bartos; Martin Grill; Pavel Čeleda

We apply advanced agent trust modeling techniques to identify malicious traffic in computer networks. Our work integrates four state-of-the-art anomaly detection techniques and combines them by means of an extended trust model. Deployment of the trust model ensures interoperability between methods, allows cross-correlation of results during various stages of the detection and ensures efficient evaluation of current traffic in the context of historical observations. The goal of the system, which is designed for online monitoring of high-speed networks, is to provide an efficient tool for targeted runtime surveillance of malicious traffic by network operators. We aim to achieve this objective by filtering out the non-malicious (trusted) part of the traffic and submitting only potentially malicious flows for subsequent semi-automatic inspection.


IEEE/WIC/ACM International Conference on Intelligent Agent Technology | 2007

Agent-Based Network Intrusion Detection System

Vojtech Krmicek; Pavel Čeleda; Martin Rehak; Michal Pechoucek

The paper presents a security platform based on agents as an efficient and robust solution for a high-performance intrusion detection system designed for deployment on high-speed network links. The proposed detection algorithm is based on an extension of trust modeling techniques with representation of uncertain identities, context representation and the implicit assumption that significant traffic anomalies are the result of potentially malicious action. Heterogeneous anomaly detection methods are used by cooperating agents and then correlated using a reputation mechanism. To satisfy the performance requirements, the wire-speed data acquisition layer is based on hardware-accelerated NetFlow probes that provide an overview of current network traffic. The output of the multi-agent detection layer is presented to the operator by a dedicated analyst interface agent, which retrieves additional information to facilitate incident analysis. Our performance results illustrate the potential of combining high-speed hardware with agent-based detection and an advanced analyst interface.


Autonomous Infrastructure, Management and Security | 2012

Traffic measurement and analysis of building automation and control networks

Radek Krejčí; Pavel Čeleda; Jakub Dobrovolný

This paper proposes a framework for flow-based network traffic monitoring of building automation and control networks. Current approaches to monitoring special-environment networks are limited to checking the accessibility and state of monitored devices. On the other hand, the current generation of flow-based network monitoring tools focuses only on IP traffic. These tools do not allow observation of the special protocols used, for example, in an intelligent building network. We present a novel approach based on processing flow information from such a special environment. To demonstrate the capabilities of the approach and to provide characteristics of a large building automation network, we present measurement results from the Masaryk University campus.


Meeting of the European Network of Universities and Companies in Information and Communication Engineering | 2012

Flow-Based Security Issue Detection in Building Automation and Control Networks

Pavel Čeleda; Radek Krejčí; Vojtěch Krmíček

The interconnection of building automation and control system networks to public networks has exposed them to a wide range of security problems. This paper provides an overview of the usability of flow data for detecting security issues in these networks. Flow-based monitoring inside automation and control networks is a novel approach. In this paper, we describe several use cases in which flow monitoring provides information on network activities in building automation and control systems. We demonstrate the detection of Telnet brute-force attacks, access-control validation and targeted attacks on a building automation system network.


Electronic Commerce | 2010

Embedded Malware - An Analysis of the Chuck Norris Botnet

Pavel Čeleda; Radek Krejčí; Jan Vykopal; Martin Drašar

This paper describes a new botnet that we discovered at the beginning of December 2009. Our NetFlow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to the source, we identified infected DSL modems and home routers worldwide. Nowadays, various vendors use Linux in these kinds of devices. Further investigation showed that most deployed SoHo (small office/home office) devices use default passwords or unpatched, vulnerable firmware. Some devices allow remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to traditional desktop-oriented malware, end users have almost no chance of discovering a bot infection. We named the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!
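Both the building-automation paper above (Telnet brute-force detection from flow data) and this one (a rise in Telnet scanning probes reported by a NetFlow monitor) rest on the same observation: neither a scanner nor a password-guessing bot is visible in packet payloads once Telnet is in use, but both leave a distinctive shape in flow records. The following added example (not code from either paper) runs two such heuristics over constructed flow records. The thresholds, the packet-count cut-offs and the sample flows are assumptions for illustration, not values measured in the papers.

```python
"""Flow-based heuristics for Telnet scanning and Telnet brute-force logins.

Added example for this page, not code from the papers above. Thresholds and
flow records are constructed; they are assumptions, not values measured in
the papers. Each flow is a unidirectional record as a flow collector would
store it: src, dst, dport, packets, octets and the union of TCP flags seen.
"""
from collections import defaultdict

TELNET_PORT = 23
SCAN_MIN_TARGETS = 20      # distinct targets probed by one source (assumed)
BRUTE_MIN_FLOWS = 10       # short login exchanges from one source to one target (assumed)
PROBE_MAX_PKTS = 3         # SYN, maybe a RST after SYN/ACK; no payload
LOGIN_MAX_PKTS = 30        # a failed login is a short exchange; an admin session is long


def classify(flow):
    """Label one flow as 'probe', 'short_login', 'session' or None."""
    if flow["dport"] != TELNET_PORT:
        return None
    if "P" not in flow["flags"] and flow["packets"] <= PROBE_MAX_PKTS:
        return "probe"             # nothing was ever pushed: a scan probe
    if "P" in flow["flags"] and flow["packets"] <= LOGIN_MAX_PKTS:
        return "short_login"       # banner, credentials, then close
    return "session"


def detect_telnet(flows):
    """Aggregate per source and return suspected scanners and brute-forcers."""
    probed = defaultdict(set)      # src -> targets that received probes
    logins = defaultdict(int)      # (src, dst) -> short login exchanges
    for f in flows:
        label = classify(f)
        if label == "probe":
            probed[f["src"]].add(f["dst"])
        elif label == "short_login":
            logins[(f["src"], f["dst"])] += 1
    scanners = sorted((src, len(t)) for src, t in probed.items()
                      if len(t) >= SCAN_MIN_TARGETS)
    brute = sorted((s, d, n) for (s, d), n in logins.items()
                   if n >= BRUTE_MIN_FLOWS)
    return {"scan": scanners, "brute": brute}


def _flow(src, dst, dport, packets, octets, flags):
    return {"src": src, "dst": dst, "dport": dport,
            "packets": packets, "octets": octets, "flags": flags}


# Constructed sample: a scanner sweeping a /24 for Telnet, a bot hammering one
# device with logins, one legitimate long admin session and unrelated web traffic.
SAMPLE_FLOWS = (
    [_flow("203.0.113.7", f"192.0.2.{i}", 23, 1, 60, "S") for i in range(1, 26)]
    + [_flow("198.51.100.9", "192.0.2.100", 23, 9, 520, "SPA") for _ in range(12)]
    + [_flow("10.0.0.5", "192.0.2.100", 23, 400, 31000, "SPAF")]
    + [_flow("10.0.0.5", "192.0.2.100", 80, 12, 2400, "SPAF")]
)

if __name__ == "__main__":
    print(detect_telnet(SAMPLE_FLOWS))
```

Two caveats a practitioner would want. First, the brute-force heuristic counts connections, so a bot that retries credentials inside one long Telnet session looks like the admin session and is missed; in that case the exporter's active timeout (which splits long flows into several records) accidentally helps, and a per-record octet ratio is the better feature. Second, on a unidirectional exporter the SYN-only probe is indistinguishable from a SYN to a host that is down, so the scan rule keys on breadth of targets rather than on any single flow.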


Archive | 2012

Dependable Networks and Services

Ramin Sadre; Jiří Novotný; Pavel Čeleda; Martin Waldburger; Burkhard Stiller

The threat landscape is continuously evolving. Large, widespread worm infections are leaving more and more space to stealthier attacks targeting highly valuable targets. Industrial Control Systems (ICS) are rapidly becoming a new major target of cyber-criminals: ICS are evolving, bringing powerful capabilities into the critical infrastructure environment along with new and as yet undiscovered threats. This was pointed out on multiple occasions by security experts and was confirmed by a recent survey carried out by Symantec: according to the survey (http://bit.ly/bka8UF), 53% of a total of 1580 critical infrastructure industries admitted to being targeted by cyber attacks. The survey implies that the incidents reported by the press over the last several years are nothing but the tip of a considerably larger problem: the vast majority of these incidents have never been disclosed. Moreover, when looking at the few publicly disclosed incidents such as Stuxnet, we see a completely different level of sophistication compared to traditional malware witnessed in the wild in previous years. This talk will dive into the challenges and the opportunities associated with ICS security research, and into the tools at our disposal to improve our ability to protect such critical environments.

Ontology-Driven Dynamic Discovery and Distributed Coordination of a Robot Swarm

Niels Bouten, Anna Hristoskova, Femke Ongenae, Jelle Nelis, and Filip De Turck (Ghent University, Department of Information Technology, IBBT, Gaston Crommenlaan 8/201, B-9050 Ghent, Belgium; http://ibcn.intec.ugent.be)

Abstract. Swarm robotic systems rely heavily on dynamic interactions to provide interoperability between the different autonomous robots. In current systems, interactions between robots are programmed into the applications controlling them. Incorporating service discovery into these applications allows the robots to dynamically discover other devices. However, since most of these mechanisms use syntax-based matching, the robots cannot reason about the offered functionality. Moreover, as contextual information is often not included in the matching process, it is impossible for robots to select the most suitable device under the current context. This paper aims to tackle these issues by proposing a framework for semantic service discovery in a dynamically changing environment. A semantic layer was added to an existing discovery protocol, offering a semantic interface. Using this framework, services can be searched based on what they offer, with services best suiting the current context yielding the highest matching scores.


Local Computer Networks | 2013

An investigation into teredo and 6to4 transition mechanisms: Traffic analysis

Martin Elich; Petr Velan; Tomáš Jirsík; Pavel Čeleda

The exhaustion of IPv4 address space increases pressure on network operators and content providers to continue the transition to IPv6. IPv6 transition mechanisms such as Teredo and 6to4 allow IPv4 hosts to connect to IPv6 hosts. On the other hand, they increase network complexity and render many methods of observing IP traffic ineffective. In this paper, we modified our flow-based measurement system to include transition mechanism information and so provide full IPv6 visibility. Our traffic analysis focuses on tunneled IPv6 traffic and uses data collected over one week in the Czech national research and education network. The results expose various characteristics of native and tunneled IPv6 traffic, among others the TTL and Hop Limit distributions, the geolocation aspect of the traffic, and the list of Teredo servers used in the network. Furthermore, we show how the traffic of IPv6 transition mechanisms has evolved since 2010.

Collaboration


Top Co-Authors

Karel Bartos

Czech Technical University in Prague

Martin Grill

Czech Technical University in Prague
