Student: Muris Sladiċ

Abstract: This thesis proposes a novel method to create realistic and dynamic software honeypots using Large Language Models (LLMs).

Student: Štěpán Bendl

Abstract: With the increasing use of technology and the growing number of cyber-attacks, the need for robust and representative security datasets is crucial to learn how to create better tools to detect security attacks. While security datasets have been valuable in advancing cybersecurity research, most existing datasets are limited in scope and do not capture the full range of threats and vulnerabilities. Improved datasets that address these limitations would enable faster progress in cybersecurity research. Our approach involves the design of a new network security dataset through interviews with the community, designing a dataset that uses real-world network traffic data, and doing known security attacks to create a diverse and representative dataset. The CTU-SME-11 dataset includes seven days of network traffic on eleven devices connected in an internal network. Those devices are of various operating systems, hardware, and intended use, which makes the dataset very heterogeneous. Apart from human-generated benign traffic, the dataset includes malware captures, attacks inside the network and from the internet, and attacks with data exfiltration. The biggest value of this dataset are ground-truth labels, which allow consumers to evaluate the performance of their models and algorithms accurately. This thesis describes the whole creation process of a network dataset of normal, malware, attack, and background traffic on a real network. The CTU-SME- 11 dataset contains in total around 160 GB of PCAP files and around 99,000,000 expert-labeled network flows. We hope that this dataset will serve as a foundation for future research in the field of network security datasets and will become a new benchmark dataset to be used by the cybersecurity community.

Student: Pavel Janata

Abstract: Network security is an increasingly important concern in today's connected world as the number and complexity of threats continue to grow. Federated learning (FL) is a machine learning method to distributedly train an model using clients' data while protecting their privacy. In this thesis, we present an FL solution for network security, specifically for detecting malware activity in HTTPS traffic. We developed both supervised and unsupervised methods for detecting malware in the clients' data. We evaluate our methods using the CTU-50-FEEL dataset, which contains realistic benign traffic of ten users spanning five days, as well as traffic of six distinct malware. Our experimental results show that our federated learning approach is able to detect a wider range of threats with higher accuracy than if the clients relied only on their own data to create their models. Overall, our work demonstrates the feasibility of using Federated Learning for detecting malware activity in clients with non-IID network traffic while preserving their privacy.

Student: Martin Řepa

Abstract: The goal of this thesis is to design and implement a global peer to peer networking system to allow reliable, secure and confidential sharing of distributed threat intelligence data using the libp2p project. Unlike standard P2P networks, the system will allow peers to be members of trusted groups to minimise the risk of being targeted by malicious actors.

Messaging protocols shall be designed along with peer discovery and peer routing techniques while utilising peers’ reliability which is assumed to be dynamically computed by a blackbox trust model. The work will incorporate theoretical discussion and if possible practical experiments about its mitigation of known P2P network attacks. Finally, the implementation will be integrated into Stratosphere Linux intrusion prevention system (SLIPS) to allow sharing data with other SLIPS instances.

Student: Ondřej Bouček

Abstract: The goal of this thesis is to test whether it is possible to detect the distribution of computational propaganda by tracking the spread of an article through the Internet. The student will develop and improve the searching tool developed by Stratosphere Laboratory to find which web pages are linking and referencing an article. Then a graph representation of an article distribution found by the searching tool will be created. Next, he must collect a data set of propaganda and non-propaganda URLs. Lastly, the student shall develop various machine learning models to test whether it is possible to detect propaganda using the graph representation approach.

Student: Lukas Forst

Abstract: The goal is to design and implement a trust model for distributed multi-agent environments of intrusion prevention systems (IPS). One IPS is the Stratosphere Linux IPS (Slips)[6] which will have a globally distributed peer-to-peer system. With this capability and the fact that peer-to-peer systems are permission-less, Slips determines how much can trust the data from other peers. We aim to solve this challenge and design and implement a trust model as a Slips module. The trust model should be able to evaluate the behavior of other Slips agents (which can also be acting as malicious actors) in a global peer-to-peer data sharing network and compute a trust value. The question that we want to answer is “how much can the local system trust the data coming from the said global peer?”.

The student will analyze different trust models and options to attack them. A new trust model that uses data from Slips will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside Slips and will enable sharing said network data with other nodes running Slips.

The rise in popularity and the large amount of improvements done to Machine Learning (ML) resulted in the emergence of a new type of attack called model extraction attack. Model extraction attacks are privacy attacks, which aim to extract information about a victim model or even steal its functionality. These types of attacks are being heavily researched, however, it is very hard to perform comparisons between the proposed papers. In this work, we present MET, which implements state-of-the-art model extraction attacks on arbitrary ML models and datasets. Using the tool, we performed a comprehensive comparison between the implemented attacks to see how they perform under different settings. Our results show that in the case of black-box scenarios, the attacks perform similarly. Based on the results, we propose and implement improvements for some of the attacks both in terms of speed and performance.

Url: https://dspace.cvut.cz/handle/10467/95288

Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). RAT are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting Android RAT in the phone is a challenging task, that is why we propose to detect it in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect it from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing new detections model, and (4) implementing this detection module for RATs in a open-source Python-based intrusion detection system called Slips.

Active Directory (AD) is a crucial element of large organizations, given its central role in managing access to resources. However, since AD is used by all users in the organization, it is hard to detect attackers. We propose to generate and place fake users (honeyusers) in AD structures to help detect attacks. However, not any honeyuser will attract attackers. Our method generates honeyusers with a Variational Autoencoder that enriches the AD structure with well-positioned honeyusers. Our model first learns the embeddings of the original nodes and edges in the AD, then it uses a modified Bidirectional DAG-RNN to encode the parameters of the probability distribution of the latent space of node representations. Finally, it samples nodes from this distribution and uses an MLP to decide where the nodes are connected. The model was first evaluated by the similarity of the generated AD with the original AD, second by the positions of the new nodes, and finally making real intruders attack the AD structure enriched with honeyusers to see if they selected the honeyusers. Results show that our machine learning model is good enough to generate well-placed honeyusers for existing AD structures so that intruders are lured into them.

Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). RAT are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting Android RAT in the phone is a challenging task, that is why we propose to detect it in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect it from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing new detections model, and (4) implementing this detection module for RATs in a open-source Python-based intrusion detection system called Slips.

The goal of this work is to propose a protocol for sharing data in a decentralized network of peers, where each node gains reputation for their actions. Information from nodes with low reputation may be discarded, while nodes with high reputation will be heard. This serves as a protection, because malicious nodes would first have to gain trust of the network before they could affect it.

There are multiple approaches to compute reputation, but they rely mostly on adherence to the protocol, uptime and other simple features. The trust model used by the Sality botnet simply measures how many “good” interactions a node had with its neighbor. There are numerous attacks that an adversary can use to gain trust of the network. In this thesis, the trust model will not only use data from the protocol itself, but also network monitoring and statistics provided by SLIPS. We will analyze different trust models and options to attack them. A new trust model that uses data from SLIPS will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside SLIPS, and will enable sharing said network data with other nodes running SLIPS.

Civil society members face threats not only in the physical world but in cyberspace. Their critical work leaves them in a permanent risk of surveillance and abuse. Mobile phones are vital for their activities, however these are often vastly unprotected. The lack of a standardized method to measure and analyze these risks hinders the efforts to protect them. The Civilsphere Project at the Czech Technical University in Prague created the Emergency VPN (EVPN) to help civil workers at risk. This free service helps discover data leaks or malware infections through network traffic analysis of mo- bile devices. The goal of this thesis is to create the first standardized risk measurement score for mobile phones at risk. In order to do so we processed 65 packet captures from the civil society along with the manual assessment reports done by Civilsphere analysts, creating a unique dataset suitable for further analysis. We assessed data leaked from mobile devices to identify potential risks and security threats. We developed a new method to standardize the severity rating and created a metric describing the nature of the reported data leaks. While none of the analyzed devices showed indications of malware presence, we discovered that they leak a lot of data that puts the civil workers at risk, most commonly the user’s location.

Bachelor Thesis

This thesis proposes to design, implement and test a machine learning improvement of Stratosphere IPS which aggregates the partial detections of hosts and classifies them using the XGBoost algorithm to improve the overall performance of the tool. Our method is based on an additional layer of abstraction called Source Address layer which collects the partial data and pre-processes it or the classifier. Compared to the first version of Stratosphere IPS proposed extension results in 40% increase in accuracy and 26% improvement in the False Positive rate.

Master Thesis

The precise identification of users in the network at different moments in time is a well known and difficult problem. Identifying users by their actions (and not their IP addresses) allows administrators to apply policy controls on users, to find intruders that are impersonating legitimate users, and to find anomalous user behaviors that could be due to malware infections. More importantly, the behavioral analysis of users actions raises important moral questions about the power to identify users in unknown networks. This thesis explores this question by trying to identify users by converting the user's behavior into user's profiles. These profiles are time-dependent and they have dozen of features.

Bachelor Thesis

There are many malware families and every each of them has some unique features. The aim of this work is to focus on detecting malicious behavior using leaving network communication. Our hypothesis is that this malicious communication has sequential behavioral patterns. We present a new graph representation of leaving network communication using (IP address, port, protocol)-triplets as vertices.

Master Thesis

This project has two primary goals: First, to help analysts by means of a web interface, in evaluating the weblogs to better find and process the information. Second, to create a machine learning method that can identify domains which share some similarity in their WHOIS Information. Our algorithm can work as a WHOIS classification of similar domains also called WHOIS similarity distance. The conclusions of our research are: First, ManaTI can increase the speed of the security analysts by a factor of 3.4. Second, the WHOIS information of related domains has quantifiable similarities that make possible an accurate comparison. Third, there are WHOIS fields which are more important for relating domains than others. Finally, the accuracy of finding related domains using a linear model classifier based on the WHOIS Similarity Distance algorithm is around 98%.

Master Thesis

Detecting malware infections is one of the most challenging tasks in modern computer security. The anomaly detection approach to the detection is to model normal traffic and then find deviations from the model. This thesis describes a new profile-based method to the anomaly detection.

Master Thesis

Detecting malware and attacks by analyzing network traffic remains a challenge. Although there are several well-known detection mechanisms to accurately separate the malicious behavior of the normal, it is still extremely difficult to have a detection system that can handle all the situations that arise in the network. These known algorithms include machine learning techniques, static signatures and rules based on experience. In particular, the method most used today is based on the contribution of rules by a large community of analysts. The most important impediments to good detection are that: First, normal traffic is extremely complex, diverse and changing. Second, malicious actions change continuously, adapting, migrating and hiding as normal traffic. Third, the amount of data to analyze is huge, forcing analysts to lose data in favor of speed. And fourth, detection must occur in near real time to be of some use.

Master Thesis

In the last five year the prevalence of IoT devices opened the door to a myriad of different attacks on unprotected home devices. These devices came from the factory with several vulnerabilities that can not be fixed without replacing the device. The most used protocol for this IoT devices is the Telnet protocol. However, there does not exist any tool or research or methodology to protect the devices by studying the Telnet protocol.

The goal of this master's thesis is to study botnets as HPC systems to demonstrate that they can resolve similar problems. To achieve this objective, the characteristics of a traditional HPC system and those of a botnet will be measured to compare them. To perform the comparative analysis of the thesis, the study of a botnet called Geost that was discovered in the Stratosphere laboratory will be carried out.

Master Thesis

The great majority of attacks, including targeted attacks, start with a link in an email or chat. When you don't have time to check or you don't know how to check it, should you click on it or not? Malicious websites can be used for phishing, exploits, crypto mining, or drive-by downloads and they are difficult to detect. Meet www.shouldiclick.org

Master Thesis

This thesis aims to solve the problem of identification and classification of botnets using the IRC protocol. In the last years, IRC has been used again as the main Command and Control protocol for Iot botnets. IRC is an old and well known protocol, but it has not been studied for IoT malware. The study of IRC is complex since it can work as a centralized protocol, or a peer-to-peer protocol. The goal of the thesis is to analyse malicious IRC communication and normal IRC communications in order to learn how to classify them.

In the last years there has been an increase in the amount of malware using HTTPS traffic for their communications. This situation pose a challenge for the security analysts because the traffic is encrypted and because it mostly looks like normal traffic. Therefore, there is a need to discover new features and methods to detect malware without decrypting the traffic. A detection method that does not need to unencrypt the traffic is cheaper (because no traffic interceptor is needed), faster and private, respecting the original idea of HTTPS. The goal of this thesis is to detect HTTPS malware connections by extracting new features and using data from the Bro IDS program. Since the data for the research is hard to come by, we used data from the Stratosphere project and we created, by hand, our own datasets. Our unit of analysis is an aggregation of all the information that is possible to obtain without decrypting the data. We group together flows, SSL data and X.509 certificates data as they are generated by Bro. To classify the HTTPS malware traffic we used several algorithms, such as Neural Networks, XGBoost and Random Forest. Our results show that the HTTPS malware behaviour is distinct from normal HTTPS behaviour and that our methods are able to separate them with an accuracy of at least 96.64%.