Radek Krejčí

Netflow based system for NAT detection

Revealing the misuse of network resources is one of the important fields in the network security, especially for the network administrators. One of them is the use of unauthorized NAT (Network Address Translation) devices (e.g. small office routers or wireless access points) inside the network which introduces serious security issues. There are several techniques proposed on how to detect NAT devices in the computer networks, but all these methods suffer from high false positive rate. Also there is no study how to perform NAT detection using NetFlow data, often used for monitoring and forensics analysis in large networks. The contribution of our work consists of the following: i) we have transformed existing NAT detection techniques to work with NetFlow data, ii) we propose three new NAT detection approaches, iii) we have designed a prototype of NAT detection system, which aggregates the results from various NAT detection techniques in order to minimize false positive and false negative rates.

Traffic measurement and analysis of building automation and control networks

This paper proposes a framework for a flow-based network traffic monitoring of building automation and control networks. Current approaches to monitor special environment networks are limited to checking accessibility and a state of monitored devices. On the other hand, current generation of flow-based network monitoring tools focuses only on the IP traffic. These tools do not allow to observe special protocols used, for example, in an intelligent building network. We present a novel approach based on processing of flow information from such special environment. To demonstrate capabilities of such approach and to provide characteristics of a large building automation network, we present measurement results from Masaryk University Campus.

Flow information storage assessment using IPFIXcol

Network monitoring has became a significant part of network management. Each environment and type of network have their specific, different needs. To allow network traffic monitoring in various environments, a necessity of flexible approach thus grows. The current generation of flow collectors provides only a limited flexibility, mainly due to limits of their data storage formats. Moreover, it is quite a challenging task to compare particular storage formats and their suitability for the specific environment and usage. In this paper we present IPFIXcol --- a flow collector framework designed for easy data storage formats changing. This way, we plan to evaluate performance and suitability of various data storage formats for specific tasks. Results can be used to build the most appropriate data storage for the specific production environments.

Flow-Based Security Issue Detection in Building Automation and Control Networks

The interconnection of building automation and control system networks to public networks has exposed them to a wide range of security problems. This paper provides an overview of the flow data usability to detect security issue in these networks. The flow-based monitoring inside automation and control networks is a novel approach. In this paper, we describe several use cases in which flow monitoring provides information on network activities in building automation and control systems. We demonstrate a detection of Telnet brute force attacks, access control validation and targeted attacks on building automation system network.

Embedded Malware - An Analysis of the Chuck Norris Botnet

This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!

Managing SamKnows probes using NETCONF

Network Configuration (NETCONF) is being considered by the Internet Engineering Task Force (IETF) as one of the control protocol candidates within the Large-Scale Measurement of Broadband Performance (LMAP) framework. We demonstrate the possibility of managing LMAP Measurement Agent (MA)s using the NETCONF protocol. We have deployed a NETCONF server on one such MA: a SamKnows measurement probe. The server is built around the libnetconf library, and has been heavily optimized to accommodate it to the limitations of the SamKnows hardware.

Configuration of open vSwitch using OF-CONFIG

Software Defined Networking (SDN) became a popular concept where a flexible network architecture is required. One of the widely used approaches to SDN is based on the OpenFlow (OF) protocol that allows controllers to configure OF capable network switches. The OF protocol is focused on a flow-based control of a switch. Besides OF itself, Open Networking Foundation (ONF) has introduced the OF-CONFIG protocol. In contrast, the aim of OF-CONFIG is the configuration of more durable parameters of the controlled switch. However, Open vSwitch (OVS), as the most popular OF switch implementation, uses its own configuration protocol instead of OF-CONFIG. This paper presents results of our analysis of OF-CONFIG and describes design and development of its missing reference implementation. Furthermore, it extends OVS with the OF-CONFIG support, so it provides an opportunity for OF-CONFIG to be more widely used. Our experiences from the analysis and implementation deliver useful feedback to ONF people for further development of OF-CONFIG.

Aspect-based attack detection in large-scale networks

In this paper, a novel behavioral method for detection of attacks on a network is presented. The main idea is to decompose a traffic into smaller subsets that are analyzed separately using various mechanisms. After analyses are performed, results are correlated and attacks are detected. Both the decomposition and chosen analytical mechanisms make this method highly parallelizable. The correlation mechanism allows to take into account results of detection methods beside the aspect-based detection.