Vojtěch Krmíček

Flow-Based Security Issue Detection in Building Automation and Control Networks

The interconnection of building automation and control system networks to public networks has exposed them to a wide range of security problems. This paper provides an overview of the flow data usability to detect security issue in these networks. The flow-based monitoring inside automation and control networks is a novel approach. In this paper, we describe several use cases in which flow monitoring provides information on network activities in building automation and control systems. We demonstrate a detection of Telnet brute force attacks, access control validation and targeted attacks on building automation system network.

Collaborative Approach to Network Behavior Analysis

Network Behavior Analysis techniques are designed to detect intrusions and other undesirable behavior in computer networks by analyzing the traffic statistics. We present an efficient framework for integration of anomaly detection algorithms working on the identical input data. This framework is based on high-speed network traffic acquisition subsystem and on trust modeling, a well-established set of techniques from the multi-agent system field. Trust-based integration of algorithms results in classification with lower error rate, especially in terms of false positives. The presented framework is suitable for both online and offline processing, and introduces a relatively low computational overhead compared to deployment of isolated anomaly detection algorithms.

Collaborative Attack Detection in High-Speed Networks

We present a multi-agent system designed to detect malicious traffic in high-speed networks. In order to match the performance requirements related to the traffic volume, the network traffic data is acquired by hardware accelerated probes in NetFlow format and preprocessed before processing by the detection agent. The proposed detection algorithm is based on extension of trust modeling techniques with representation of uncertain identities, context representation and implicit assumption that significant traffic anomalies are a result of potentially malicious action. In order to model the traffic, each of the cooperating agents uses an existing anomaly detection method, that are then correlated using a reputation mechanism. The output of the detection layer is presented to operator by a dedicated analyst interface agent, which retrieves additional information to facilitate incident analysis. Our performance results illustrate the potential of the combination of high-speed hardware with cooperative detection algorithms and advanced analyst interface.

High-Performance Agent System for Intrusion Detection in Backbone Networks

This paper presents a design of high-performance agent-based intrusion detection system designed for deployment on high-speed network links. To match the speed requirements, wire-speed data acquisition layer is based on hardware-accelerated NetFlow like probe, which provides overview of current network traffic. The data is then processed by detection agents that use heterogenous anomaly detection methods. These methods are correlated by means of trust and reputation models, and the conclusions regarding the maliciousness of individual network flows is presented to the operator via one or more analysis agents, that automatically gather supplementary information about the potentially malicious traffic from remote data sources such as DNS, whois or router configurations. Presented system is designed to help the network operators efficiently identify malicious flows by automating most of the surveillance process.