Stream-wise adaptive blacklist filter based on flow data
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F18%3A10133095" target="_blank" >RIV/63839172:_____/18:10133095 - isvavai.cz</a>
Result on the web
—
DOI - Digital Object Identifier
—
Alternative languages
Result language
English
Title in original language
Stream-wise adaptive blacklist filter based on flow data
Description of the result in original language
The Internet is full of actors with malicious intentions. Some steal users' data, others blackmail users for ransom. Luckily, there are projects fighting malicious users and malware in general, for example, by providing public blacklists. Network security initiatives like abuse.ch provide a wide range of blacklists covering different types of malicious activities like botnets, phishing etc. In the network analysis system called NEMEA [1], which is an open source IDS developed by CESNET [2], we are currently focusing on such detection using these publicly available blacklists. The NEMEA system operates with IP flow data. A flow is an aggregation of network packets and represents a unidirectional IP connection between two endpoints. These flows can be extended with application layer information (L7) such as HTTP or DNS. Simple blacklist detection seems straightforward, i.e. inspecting every IP flow for blacklisted IP addresses, domain names or URLs and reporting the incident to Warden (a system for sharing detected events). Our detector tries to go beyond that using a so-called adaptive filter. This filter dynamically enriches the blacklists with additional records by observing patterns in the detected communication. The presentation focuses on examples of these patterns and scenarios where such adaptivity could raise the detection effectiveness. Below is a picture of the high-level detection architecture, where the Adaptive filter controller contains the logic for analyzing patterns and adapting the filter rules. The Evaluator then searches for interesting scenarios in the detected traffic.
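The following is an added illustration of the stream-wise matching and adaptive enrichment described above; it is not NEMEA code and the specific learning rule is an assumption: a domain name (from the flow's DNS or HTTP L7 fields) that repeatedly co-occurs with a blacklisted IP address is added to the filter as a learned record with an expiry, so that enrichment is bounded and self-correcting. The flow records, blacklist entries and thresholds are constructed sample values.

```python
"""Stream-wise blacklist filter over IP flow records with an adaptive
enrichment step. Added example; the co-occurrence learning rule, the
threshold and the TTL are assumptions, not the NEMEA detector's logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Flow:
    """One unidirectional flow, optionally enriched with L7 fields."""
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int
    dns_name: Optional[str] = None    # name carried in a DNS flow (constructed field)
    http_host: Optional[str] = None   # HTTP Host header (constructed field)


@dataclass
class Blacklist:
    """Static records, e.g. imported from a public feed."""
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


class AdaptiveFilter:
    def __init__(self, blacklist: Blacklist, learn_threshold: int = 2, ttl: float = 3600.0):
        self.bl = blacklist
        self.learn_threshold = learn_threshold   # hits before a domain is learned
        self.ttl = ttl                           # seconds a learned record stays active
        self.learned: Dict[str, float] = {}      # domain -> expiry timestamp
        self.candidates: Dict[str, int] = {}     # domain -> co-occurrence count

    def _expire(self, now: float) -> None:
        for name, exp in list(self.learned.items()):
            if exp <= now:
                del self.learned[name]

    def match(self, flow: Flow) -> List[str]:
        """Reasons why the flow matches the static or the learned records."""
        reasons = []
        if flow.src_ip in self.bl.ips or flow.dst_ip in self.bl.ips:
            reasons.append("ip")
        for name in (flow.dns_name, flow.http_host):
            if name and (name in self.bl.domains or name in self.learned):
                reasons.append("domain:" + name)
        return reasons

    def observe(self, flow: Flow, reasons: List[str]) -> None:
        """Adaptive step: learn domains that repeatedly accompany a blacklisted IP."""
        if "ip" not in reasons:
            return
        for name in (flow.dns_name, flow.http_host):
            if not name or name in self.bl.domains or name in self.learned:
                continue
            self.candidates[name] = self.candidates.get(name, 0) + 1
            if self.candidates[name] >= self.learn_threshold:
                self.learned[name] = flow.ts + self.ttl

    def process(self, flows) -> List[dict]:
        """Consume flows in arrival order and emit one event per matching flow."""
        events = []
        for f in flows:
            self._expire(f.ts)
            reasons = self.match(f)
            if reasons:
                events.append({"ts": f.ts, "src": f.src_ip, "dst": f.dst_ip, "reasons": reasons})
                self.observe(f, reasons)
        return events


def run_demo():
    """Constructed sample stream; returns the events and the filter state."""
    bl = Blacklist(ips={"203.0.113.10"}, domains={"bad.example"})
    filt = AdaptiveFilter(bl, learn_threshold=2, ttl=3600.0)
    flows = [
        Flow(0, "10.0.0.5", "203.0.113.10", 80, http_host="cdn.example"),   # static IP hit
        Flow(1, "10.0.0.6", "203.0.113.10", 80, http_host="cdn.example"),   # second hit: learn cdn.example
        Flow(2, "10.0.0.7", "198.51.100.20", 80, http_host="cdn.example"),  # hit via learned domain
        Flow(3, "10.0.0.8", "198.51.100.21", 53, dns_name="bad.example"),   # static domain hit
        Flow(4, "10.0.0.9", "198.51.100.22", 80, http_host="benign.example"),  # no hit
        Flow(5000, "10.0.0.7", "198.51.100.20", 80, http_host="cdn.example"),  # learned record expired
    ]
    return filt.process(flows), filt


if __name__ == "__main__":
    for ev in run_demo()[0]:
        print(ev)
```

The threshold and the TTL are the two knobs that keep enrichment from becoming a liability: without them a shared hosting or CDN name seen once beside a blacklisted address would be treated as malicious indefinitely. A real Evaluator step would look at the accumulated events rather than the raw flows.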
Title in English
Stream-wise adaptive blacklist filter based on flow data
Classification
Type
O - Other results
CEP field
—
OECD FORD field
20202 - Communication engineering and systems
Result links
Project
<a href="/cs/project/LM2015042" target="_blank" >LM2015042: E-infrastruktura CESNET</a><br>
Links
P - Research and development project financed from public sources (with a link to CEP)
Other
Year of application
2018
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations