Stream-wise adaptive blacklist filter based on flow data

Result identifiers

  • Result code in IS VaVaI

    RIV/63839172:_____/18:10133095 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F18%3A10133095)

  • Result on the web

  • DOI - Digital Object Identifier

Alternative languages

  • Result language

    English

  • Title in the original language

    Stream-wise adaptive blacklist filter based on flow data

  • Result description in the original language

    The Internet is full of actors with malicious intentions. Some steal users' data, others blackmail users for ransom. Luckily, there are projects fighting malicious users and malware in general, for example by providing public blacklists. Network security initiatives like abuse.ch provide a wide range of blacklists covering different types of malicious activity, such as botnets and phishing. In the network analysis system NEMEA [1], an open source IDS developed by CESNET [2], we are currently focusing on detection based on these publicly available blacklists. The NEMEA system operates on IP flow data. A flow is an aggregation of network packets and represents a unidirectional IP connection between two endpoints. Flows can be extended with application layer (L7) information such as HTTP or DNS fields. Simple blacklist detection is straightforward: inspect every IP flow for blacklisted IP addresses, domain names or URLs and report each match to Warden (a system for sharing detected events). Our detector goes beyond that with a so-called adaptive filter. This filter dynamically enriches the blacklists with additional records by observing patterns in the detected communication. The presentation focuses on examples of these patterns and on scenarios where such adaptivity could raise detection effectiveness. The high-level detection architecture (shown in a figure not reproduced here) consists of an Adaptive filter controller, which contains the logic for analyzing patterns and adapting the filter rules, and an Evaluator, which searches for interesting scenarios in the detected traffic.

  • Title in English

    Stream-wise adaptive blacklist filter based on flow data

  • Result description in English


Classification

  • Type

    O - Other results

  • CEP field

  • OECD FORD field

    20202 - Communication engineering and systems

Result linkages

  • Project

    LM2015042: E-infrastruktura CESNET (/cs/project/LM2015042)

  • Linkages

    P - Research and development project financed from public sources (with a link to CEP)

Other

  • Year of application

    2018

  • Data confidentiality code

    S - Complete and true data about the project are not subject to protection under special legal regulations