A Network Dataset of Normal, Malware, Attack, and Background Traffic on a Real Network

Student: Štěpán Bendl

Abstract: With the increasing use of technology and the growing number of cyber-attacks, the need for robust and representative security datasets is crucial to learn how to create better tools to detect security attacks. While security datasets have been valuable in advancing cybersecurity research, most existing datasets are limited in scope and do not capture the full range of threats and vulnerabilities. Improved datasets that address these limitations would enable faster progress in cybersecurity research. Our approach involves the design of a new network security dataset through interviews with the community, designing a dataset that uses real-world network traffic data, and doing known security attacks to create a diverse and representative dataset. The CTU-SME-11 dataset includes seven days of network traffic on eleven devices connected in an internal network. Those devices are of various operating systems, hardware, and intended use, which makes the dataset very heterogeneous. Apart from human-generated benign traffic, the dataset includes malware captures, attacks inside the network and from the internet, and attacks with data exfiltration. The biggest value of this dataset is its ground-truth labels, which allow consumers to evaluate the performance of their models and algorithms accurately. This thesis describes the whole creation process of a network dataset of normal, malware, attack, and background traffic on a real network. The CTU-SME-11 dataset contains in total around 160 GB of PCAP files and around 99,000,000 expert-labeled network flows. We hope that this dataset will serve as a foundation for future research in the field of network security datasets and will become a new benchmark dataset to be used by the cybersecurity community.

Decentralized Federated Learning for Network Security

Student: Pavel Janata

Abstract: Network security is an increasingly important concern in today's connected world as the number and complexity of threats continue to grow. Federated learning (FL) is a machine learning method to train a model in a distributed way using clients' data while protecting their privacy. In this thesis, we present an FL solution for network security, specifically for detecting malware activity in HTTPS traffic. We developed both supervised and unsupervised methods for detecting malware in the clients' data. We evaluate our methods using the CTU-50-FEEL dataset, which contains realistic benign traffic of ten users spanning five days, as well as traffic of six distinct malware. Our experimental results show that our federated learning approach is able to detect a wider range of threats with higher accuracy than if the clients relied only on their own data to create their models. Overall, our work demonstrates the feasibility of using Federated Learning for detecting malware activity in clients with non-IID network traffic while preserving their privacy.

Global permissionless P2P system for sharing distributed threat intelligence

Student: Martin Řepa

Abstract: The goal of this thesis is to design and implement a global peer to peer networking system to allow reliable, secure and confidential sharing of distributed threat intelligence data using the libp2p project. Unlike standard P2P networks, the system will allow peers to be members of trusted groups to minimise the risk of being targeted by malicious actors.

Messaging protocols shall be designed along with peer discovery and peer routing techniques while utilising peers’ reliability which is assumed to be dynamically computed by a blackbox trust model. The work will incorporate theoretical discussion and if possible practical experiments about its mitigation of known P2P network attacks. Finally, the implementation will be integrated into Stratosphere Linux intrusion prevention system (SLIPS) to allow sharing data with other SLIPS instances.

Detection of computational propaganda according to its spread on the Internet

Student: Ondřej Bouček

Abstract: The goal of this thesis is to test whether it is possible to detect the distribution of computational propaganda by tracking the spread of an article through the Internet. The student will develop and improve the searching tool developed by Stratosphere Laboratory to find which web pages are linking and referencing an article. Then a graph representation of an article distribution found by the searching tool will be created. Next, he must collect a data set of propaganda and non-propaganda URLs. Lastly, the student shall develop various machine learning models to test whether it is possible to detect propaganda using the graph representation approach.

Trust Model for Global Peer-To-Peer Intrusion Prevention System

Student: Lukas Forst

Abstract: The goal is to design and implement a trust model for distributed multi-agent environments of intrusion prevention systems (IPS). One IPS is the Stratosphere Linux IPS (Slips)[6] which will have a globally distributed peer-to-peer system. With this capability and the fact that peer-to-peer systems are permission-less, Slips determines how much it can trust the data from other peers. We aim to solve this challenge and design and implement a trust model as a Slips module. The trust model should be able to evaluate the behavior of other Slips agents (which can also be acting as malicious actors) in a global peer-to-peer data sharing network and compute a trust value. The question that we want to answer is “how much can the local system trust the data coming from the said global peer?”.

The student will analyze different trust models and options to attack them. A new trust model that uses data from Slips will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside Slips and will enable sharing said network data with other nodes running Slips.


Machine learning privacy: analysis and implementation of model extraction attacks

The rise in popularity and the large amount of improvements done to Machine Learning (ML) resulted in the emergence of a new type of attack called model extraction attack. Model extraction attacks are privacy attacks, which aim to extract information about a victim model or even steal its functionality. These types of attacks are being heavily researched; however, it is very hard to perform comparisons between the proposed papers. In this work, we present MET, which implements state-of-the-art model extraction attacks on arbitrary ML models and datasets. Using the tool, we performed a comprehensive comparison between the implemented attacks to see how they perform under different settings. Our results show that in the case of black-box scenarios, the attacks perform similarly. Based on the results, we propose and implement improvements for some of the attacks both in terms of speed and performance.

Url: https://dspace.cvut.cz/handle/10467/95288

The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm

Graph Generative Models for Decoy Targets in Active Directory

Active Directory (AD) is a crucial element of large organizations, given its central role in managing access to resources. However, since AD is used by all users in the organization, it is hard to detect attackers. We propose to generate and place fake users (honeyusers) in AD structures to help detect attacks. However, not any honeyuser will attract attackers. Our method generates honeyusers with a Variational Autoencoder that enriches the AD structure with well-positioned honeyusers. Our model first learns the embeddings of the original nodes and edges in the AD, then it uses a modified Bidirectional DAG-RNN to encode the parameters of the probability distribution of the latent space of node representations. Finally, it samples nodes from this distribution and uses an MLP to decide where the nodes are connected. The model was first evaluated by the similarity of the generated AD with the original AD, second by the positions of the new nodes, and finally making real intruders attack the AD structure enriched with honeyusers to see if they selected the honeyusers. Results show that our machine learning model is good enough to generate well-placed honeyusers for existing AD structures so that intruders are lured into them.

Execution, Analysis and Detection of Android RATs traffic

Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). RATs are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting Android RATs in the phone is a challenging task, which is why we propose to detect them in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect them from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing a new detection model, and (4) implementing this detection module for RATs in an open-source Python-based intrusion detection system called Slips.

Trust models on adversarial distributed security agents

The goal of this work is to propose a protocol for sharing data in a decentralized network of peers, where each node gains reputation for their actions. Information from nodes with low reputation may be discarded, while nodes with high reputation will be heard. This serves as a protection, because malicious nodes would first have to gain trust of the network before they could affect it.

There are multiple approaches to compute reputation, but they rely mostly on adherence to the protocol, uptime and other simple features. The trust model used by the Sality botnet simply measures how many “good” interactions a node had with its neighbor. There are numerous attacks that an adversary can use to gain trust of the network. In this thesis, the trust model will not only use data from the protocol itself, but also network monitoring and statistics provided by SLIPS. We will analyze different trust models and options to attack them. A new trust model that uses data from SLIPS will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside SLIPS, and will enable sharing said network data with other nodes running SLIPS.

The first comprehensive report on the state of the security of mobile phones of civil society

Civil society members face threats not only in the physical world but in cyberspace. Their critical work leaves them in a permanent risk of surveillance and abuse. Mobile phones are vital for their activities, however these are often vastly unprotected. The lack of a standardized method to measure and analyze these risks hinders the efforts to protect them. The Civilsphere Project at the Czech Technical University in Prague created the Emergency VPN (EVPN) to help civil workers at risk. This free service helps discover data leaks or malware infections through network traffic analysis of mobile devices. The goal of this thesis is to create the first standardized risk measurement score for mobile phones at risk. In order to do so we processed 65 packet captures from the civil society along with the manual assessment reports done by Civilsphere analysts, creating a unique dataset suitable for further analysis. We assessed data leaked from mobile devices to identify potential risks and security threats. We developed a new method to standardize the severity rating and created a metric describing the nature of the reported data leaks. While none of the analyzed devices showed indications of malware presence, we discovered that they leak a lot of data that puts the civil workers at risk, most commonly the user’s location.

IDENTIFYING MALICIOUS HOSTS BY AGGREGATION OF PARTIAL DETECTIONS

Bachelor Thesis

This thesis proposes to design, implement and test a machine learning improvement of Stratosphere IPS which aggregates the partial detections of hosts and classifies them using the XGBoost algorithm to improve the overall performance of the tool. Our method is based on an additional layer of abstraction called Source Address layer which collects the partial data and pre-processes it for the classifier. Compared to the first version of Stratosphere IPS, the proposed extension results in a 40% increase in accuracy and a 26% improvement in the False Positive rate.

IDENTIFICATION OF NETWORK USERS BY PROFILING THEIR BEHAVIOR

Master Thesis

The precise identification of users in the network at different moments in time is a well known and difficult problem. Identifying users by their actions (and not their IP addresses) allows administrators to apply policy controls on users, to find intruders that are impersonating legitimate users, and to find anomalous user behaviors that could be due to malware infections. More importantly, the behavioral analysis of users' actions raises important moral questions about the power to identify users in unknown networks. This thesis explores this question by trying to identify users by converting the user's behavior into user's profiles. These profiles are time-dependent and they have dozens of features.

GRAPH-BASED ANALYSIS OF MALWARE NETWORK BEHAVIORS

Bachelor Thesis

There are many malware families and each of them has some unique features. The aim of this work is to focus on detecting malicious behavior using leaving network communication. Our hypothesis is that this malicious communication has sequential behavioral patterns. We present a new graph representation of leaving network communication using (IP address, port, protocol)-triplets as vertices.

MANATI: WEB ASSISTANCE FOR THE THREAT ANALYSIS SUPPORTED BY DOMAIN SIMILARITY

Master Thesis

This project has two primary goals: First, to help analysts by means of a web interface, in evaluating the weblogs to better find and process the information. Second, to create a machine learning method that can identify domains which share some similarity in their WHOIS Information. Our algorithm can work as a WHOIS classification of similar domains also called WHOIS similarity distance. The conclusions of our research are: First, ManaTI can increase the speed of the security analysts by a factor of 3.4. Second, the WHOIS information of related domains has quantifiable similarities that make possible an accurate comparison. Third, there are WHOIS fields which are more important for relating domains than others. Finally, the accuracy of finding related domains using a linear model classifier based on the WHOIS Similarity Distance algorithm is around 98%.

DETECTION OF SECURITY ATTACKS ON NETWORKS USING ENSEMBLING TECHNIQUES

Master Thesis

Detecting malware and attacks by analyzing network traffic remains a challenge. Although there are several well-known detection mechanisms to accurately separate the malicious behavior from the normal, it is still extremely difficult to have a detection system that can handle all the situations that arise in the network. These known algorithms include machine learning techniques, static signatures and rules based on experience. In particular, the method most used today is based on the contribution of rules by a large community of analysts. The most important impediments to good detection are that: First, normal traffic is extremely complex, diverse and changing. Second, malicious actions change continuously, adapting, migrating and hiding as normal traffic. Third, the amount of data to analyze is huge, forcing analysts to lose data in favor of speed. And fourth, detection must occur in near real time to be of some use.

PROFILING AND DETECTION OF IOT ATTACKS IN TELNET TRAFFIC

Master Thesis

In the last five years the prevalence of IoT devices opened the door to a myriad of different attacks on unprotected home devices. These devices came from the factory with several vulnerabilities that cannot be fixed without replacing the device. The most used protocol for these IoT devices is the Telnet protocol. However, there does not exist any tool or research or methodology to protect the devices by studying the Telnet protocol.

ANALYSIS AND COMPARISON OF THE CHARACTERISTICS OF HIGH PERFORMANCE SYSTEMS AND BOTNETS

The goal of this master's thesis is to study botnets as HPC systems to demonstrate that they can resolve similar problems. To achieve this objective, the characteristics of a traditional HPC system and those of a botnet will be measured to compare them. To perform the comparative analysis of the thesis, the study of a botnet called Geost that was discovered in the Stratosphere laboratory will be carried out.