Thesis Details

Reputace zdrojů škodlivého provozu

Ph.D. Thesis
Student
Bartoš Václav
Academic Year
2018/2019
Supervisor
Kořenek Jan, doc. Ing., Ph.D.
English title
Reputation of Malicious Traffic Sources
Language
Czech
Abstract

An important part of maintaining network security is collecting and processing information about cyber threats, both from a network operator's own detection tools and from third parties. A commonly used type of such information is a list of network entities (IP addresses, domains, URLs, etc.) that have been identified as malicious. In many cases, however, a simple binary distinction between malicious and non-malicious entities is not sufficient. It is beneficial to keep, for each entity, supplementary information describing its malicious activities, together with a summarizing score that expresses its reputation numerically. Such a score allows the level of threat an entity poses to be grasped quickly and makes it possible to compare and sort entities. The goal of this work is to design a method for such summarization. The resulting score, called the Future Maliciousness Probability (FMP score), is a value between 0 and 1 assigned to each suspicious network entity, expressing the probability that the entity will perform some kind of malicious activity in the near future. The scoring is therefore based on the prediction of future attacks, and advanced machine learning methods are used to perform that prediction. Their input consists of previously received alerts about security events and other relevant data related to the entity. The method of computing the score is first described in a general form, usable for any kind of entity and input data. A more concrete variant is then presented for scoring IPv4 addresses, using alerts from an alert sharing system and supplementary data from a reputation database. This variant is evaluated on a real-world dataset. In order to obtain data of sufficient quantity and quality for this dataset, part of the work is also devoted to security analysis of network data: a framework for the analysis of flow data, NEMEA, and several new detection methods are designed and implemented.
An open reputation database, NERD, is also implemented and described in this work. Data from these systems are then used to evaluate the precision of the predictor as well as selected use cases of the scoring method.
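
The abstract describes the FMP pipeline only in outline. The following is an added illustration, not code from the thesis, NEMEA or NERD: it builds per-entity features from an alert history plus a supplementary reputation flag, labels each (entity, day) by whether the entity is reported again on the following day, fits a probabilistic classifier on earlier days only, and reads its output probability as the score. The alerts, the IP ranges (documentation prefixes), the `BLOCKLIST` set, the feature choices and the time windows are all constructed assumptions, and a hand-written logistic regression stands in for the machine learning methods the thesis actually uses.

```python
"""Added example, not code from the thesis, NEMEA or NERD: a toy FMP
('Future Maliciousness Probability') scorer showing the shape of the
pipeline the abstract describes.  Past alerts plus supplementary
reputation data become features, each (entity, day) pair is labelled by
whether the entity is reported again on the NEXT day, a probabilistic
classifier is trained on earlier days only, and its output probability is
the score.  Logistic regression fitted by gradient descent stands in for
the thesis's machine learning methods; all inputs are constructed."""
import math
from collections import defaultdict


def constructed_alerts():
    """Constructed (day, source_ip, category) alerts: 8 persistent scanners
    reporting on 3 of every 4 days and 12 one-off sources seen once."""
    alerts = []
    for i in range(8):
        for day in range(1, 15):
            if (day + i) % 4 != 0:
                alerts.append((day, f"203.0.113.{i}", "scan" if day % 3 else "bruteforce"))
    for i in range(12):
        alerts.append((1 + i, f"198.51.100.{i}", "scan"))
    return alerts


CATEGORIES = ("scan", "bruteforce")
BLOCKLIST = {"203.0.113.0", "203.0.113.1"}  # hypothetical reputation-database flag
INDEX = defaultdict(list)                     # ip -> [(day, category), ...]
for _day, _ip, _cat in constructed_alerts():
    INDEX[_ip].append((_day, _cat))


def features(ip, day):
    """Feature vector for `ip` as of `day`, built only from alerts with
    d <= day (later alerts would leak the label).  Scaled to about [0, 1]:
    alerts today, alerts in the last 7 days, distinct categories in the
    last 7 days, days since the last alert (capped at 7), blocklist flag."""
    past = [(d, c) for d, c in INDEX.get(ip, []) if d <= day]
    today = sum(1 for d, _ in past if d == day)
    week = [c for d, c in past if d > day - 7]
    last = max((d for d, _ in past), default=day - 7)
    return [float(today), len(week) / 7.0, len(set(week)) / len(CATEGORIES),
            min(day - last, 7) / 7.0, 1.0 if ip in BLOCKLIST else 0.0]


def label(ip, day):
    """1 if the entity is reported again on day + 1 (the prediction target)."""
    return 1 if any(d == day + 1 for d, _ in INDEX.get(ip, [])) else 0


def suspicious_on(day):
    """Scorable set: entities with at least one alert up to `day`."""
    return sorted(ip for ip, al in INDEX.items() if any(d <= day for d, _ in al))


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(days, lr=0.5, epochs=3000):
    """Logistic regression by batch gradient descent over (features, label)
    pairs for every suspicious entity on each training day."""
    samples = [(features(ip, d), label(ip, d)) for d in days for ip in suspicious_on(d)]
    n, m = len(samples[0][0]), len(samples)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def fmp_score(model, ip, day):
    """FMP score in [0, 1]: predicted probability of a report on day + 1."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(ip, day))) + b)


def evaluate(model, day, threshold=0.5):
    """(precision, recall) of 'score >= threshold' on a held-out day, judged
    against what actually happened on day + 1."""
    tp = fp = fn = 0
    for ip in suspicious_on(day):
        hit, y = fmp_score(model, ip, day) >= threshold, label(ip, day)
        tp, fp, fn = tp + (hit and y), fp + (hit and not y), fn + ((not hit) and y)
    return (tp / (tp + fp) if tp + fp else 0.0, tp / (tp + fn) if tp + fn else 0.0)


# Strict time split: fit on days 7..12, hold out day 13, score "now" = day 14.
MODEL = train(range(7, 13))

if __name__ == "__main__":
    print("held-out day 13 (precision, recall):", evaluate(MODEL, 13))
    for ip in suspicious_on(14):
        print(f"{ip:16} FMP={fmp_score(MODEL, ip, 14):.2f}")
```

Two details matter more than the classifier. First, the label is defined on a window strictly after the feature window, and the evaluation day is later than every training day; scoring "what we already know is bad" instead of "what will be reported next" is the usual way such a predictor ends up looking better than it is. Second, the score is a calibrated probability, not a rank, so a consumer can threshold it against their own tolerance for false positives rather than inheriting the producer's.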

Keywords

network security, reputation, reputation score, reputation database, attack prediction, machine learning, network traffic analysis

Degree Programme
Computer Science and Engineering
Field of Study
Computer Science and Engineering
Status
defended
Date
24 May 2019
Citation
BARTOŠ, Václav. Reputace zdrojů škodlivého provozu. Brno, 2018. Ph.D. Thesis. Brno University of Technology, Faculty of Information Technology. 2019-05-24. Supervised by Kořenek Jan. Available from: https://www.fit.vut.cz/study/phd-thesis/758/
BibTeX
@phdthesis{FITPT758,
    author = "V\'{a}clav Barto\v{s}",
    type = "Ph.D. thesis",
    title = "Reputace zdroj\r{u} \v{s}kodliv\'{e}ho provozu",
    school = "Brno University of Technology, Faculty of Information Technology",
    year = 2019,
    location = "Brno, CZ",
    language = "czech",
    url = "https://www.fit.vut.cz/study/phd-thesis/758/"
}