Publication Details

Automating Network Security Analysis at Packet-level by using Rule-based Engine

HOLKOVIČ Martin, RYŠAVÝ Ondřej and DUDEK Jindřich. Automating Network Security Analysis at Packet-level by using Rule-based Engine. In: Proceedings of the Sixth European Conference on the Engineering of Computer-Based Systems. Bucharest: Association for Computing Machinery, 2019, pp. 1-8. ISBN 978-1-4503-7636-5.
Czech title
Automatizace bezpečností síťové analýzy na paketové úrovni využitím systému založeného na pravidlech
Type
conference paper
Language
english
Authors
Holkovič Martin, Ing. (DIFS FIT BUT)
Ryšavý Ondřej, doc. Ing., Ph.D. (DIFS FIT BUT)
Dudek Jindřich, Ing. (FIT BUT)
Keywords

Network security, network monitoring, anomaly detection, threat detection, network forensics

Abstract

When a network incident is detected, a network administrator has to manually verify the incident and provide a solution to stop the incident from continuing and prevent similar incidents in the future. The network analysis is a time-consuming and labor-intensive activity which requires good network knowledge. Creating a solution which automates the administrator's work can dramatically speed up the analysis process and can make the whole process easier for less experienced administrators. In this paper, we describe a method that uses a predefined set of rules to identify incident patterns. Though this principle is used by many security tools, the new aspect is that the presented approach uses the Wireshark tool which is well known among the administrators, and it is expressive enough to specify complex relations among source data thus being able to detect quite sophisticated attacks. The created rule's format uses the same language as the Wireshark filters.

Annotation

When a network incident is detected, a network administrator has to manually verify the incident and provide a solution to stop the incident from continuing and prevent similar incidents in the future. The network analysis is a time-consuming and labor-intensive activity which requires good network knowledge. Creating a solution which automates the administrator's work can dramatically speed up the analysis process and can make the whole process easier for less experienced administrators. In this paper, we describe a method that uses a predefined set of rules to identify incident patterns. Though this principle is used by many security tools, the new aspect is that the presented approach uses the Wireshark tool which is well known among the administrators, and it is expressive enough to specify complex relations among source data thus being able to detect quite sophisticated attacks. The created rule's format uses the same language as the Wireshark filters.

Published
2019
Pages
1-8
Proceedings
Proceedings of the Sixth European Conference on the Engineering of Computer-Based Systems
Conference
6th Conference on the Engineering of Computer Based Systems, Bucharest, RO
ISBN
978-1-4503-7636-5
Publisher
Association for Computing Machinery
Place
Bucharest, RO
DOI
10.1145/3352700.3352714
UT WoS
000525376600014
EID Scopus
2-s2.0-85075904472
BibTeX 
@INPROCEEDINGS{FITPUB12011,
   author = "Martin Holkovi\v{c} and Ond\v{r}ej Ry\v{s}av\'{y} and Jind\v{r}ich Dudek",
   title = "Automating Network Security Analysis at Packet-level by using Rule-based Engine",
   pages = "1--8",
   booktitle = "Proceedings of the Sixth European Conference on the Engineering of Computer-Based Systems",
   year = 2019,
   location = "Bucharest, RO",
   publisher = "Association for Computing Machinery",
   ISBN = "978-1-4503-7636-5",
   doi = "10.1145/3352700.3352714",
   language = "english",
   url = "https://www.fit.vut.cz/research/publication/12011"
}
Files
Back to top