Stream-wise adaptive blacklist filter based on flow data

The result's identifiers

  • Result code in IS VaVaI

    RIV/63839172:_____/18:10133095 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F18%3A10133095)

  • Result on the web

  • DOI - Digital Object Identifier

Alternative languages

  • Result language

    English

  • Original language name

    Stream-wise adaptive blacklist filter based on flow data

  • Original language description

    The Internet is full of activists with malicious intentions. Some tend to steal users' data, others blackmail users for ransom. Luckily, there are projects fighting malicious users and malware in general, for example by providing public blacklists. Network security initiatives like abuse.ch provide a wide range of blacklists covering different types of malicious activities such as botnets, phishing, etc. In the network analysis system called NEMEA [1], an open source IDS developed by CESNET [2], we are currently focusing on detection using these publicly available blacklists. The NEMEA system operates on IP flow data. A flow is an aggregation of network packets and represents a unidirectional IP connection between two endpoints. These flows can be extended with application layer (L7) information such as HTTP or DNS. Simple blacklist detection seems straightforward, i.e. inspecting every IP flow for blacklisted IP addresses, domain names or URLs and reporting the incident to Warden (a system for sharing detected events). Our detector tries to go beyond that using a so-called adaptive filter. This filter dynamically enriches the blacklists with additional records by observing patterns in the detected communication. The presentation focuses on examples of these patterns and scenarios where such adaptivity could raise the detection effectiveness. Below is a picture of the high-level detection architecture, where the Adaptive filter controller contains the logic for analyzing patterns and adapting the filter rules. The Evaluator then searches for interesting scenarios in the detected traffic.

  • Czech name

  • Czech description

Classification

  • Type

    O - Miscellaneous

  • CEP classification

  • OECD FORD branch

    20202 - Communication engineering and systems

Result continuities

  • Project

    LM2015042: E-infrastructure CESNET (/en/project/LM2015042)

  • Continuities

    P - Research and development project financed from public sources (with a link to CEP)

Others

  • Publication year

    2018

  • Confidentiality

    S - Complete and true data about the project are not subject to protection under special legal regulations