Thesis Details

Detekce slovníkových útoků na síťové služby analýzou IP toků

Master's Thesis Student: Činčala Martin Academic Year: 2014/2015 Supervisor: Matoušek Petr, doc. Ing., Ph.D., M.A.
English title
Detection of Dictionary Attacks on Network Services Using IP Flow Analysis
Language
Czech
Abstract

Existing research suggests that it is possible to detect dictionary attacks using IP flows. This type of detection was successfully implemented for SSH, LDAP and RDP protocols. To determine whether it is possible to use the same methods of detection for e-mail protocols virtual test environment was created. I deduced the characteristics of attacks in flows from the data, which I gained from this virtual environment. Than I chose the statistical value that separates the attacks from legitimate traffic. Variance of specific flow parameters was chosen as main characteristic of attacks. IP addresses with flows that have small variance of chosen parameters and high frequency of packet arrival are considered untrustworthy. Variance is calculated from IP history to rule out false positives. The IP history of legitimate user contains variation of flows which prevents marking this IP address as dangerous. On the basis of this principal the script, which detects the attacks from the nfdump output, was created. The success of detection of the attacks was tested on classificated data from the real environment. The results of tests showed, that with good configuration of marginal values the percentage of detected attacks is high and there are no false positives. Detection is not limited only on mail protocols. With regard to universal design, the script is able to detect dictionary attacks on SSH, LDAP, SIP, RDP, SQL, telnet and some other attacks.

Keywords

SMTP, IMAP, POP3, netflow, dictionary attacks

Department
Degree Programme
Information Technology, Field of Study Computer Networks and Communication
Files
Status
defended, grade A
Date
23 June 2015
Reviewer
Committee
Švéda Miroslav, prof. Ing., CSc. (DIFS FIT BUT), předseda
Drábek Vladimír, doc. Ing., CSc. (DCSY FIT BUT), člen
Hladká Eva, doc. RNDr., Ph.D. (FI MUNI), člen
Holík Lukáš, doc. Mgr., Ph.D. (DITS FIT BUT), člen
Jaroš Jiří, doc. Ing., Ph.D. (DCSY FIT BUT), člen
Matoušek Petr, doc. Ing., Ph.D., M.A. (DIFS FIT BUT), člen
Citation
ČINČALA, Martin. Detekce slovníkových útoků na síťové služby analýzou IP toků. Brno, 2015. Master's Thesis. Brno University of Technology, Faculty of Information Technology. 2015-06-23. Supervised by Matoušek Petr. Available from: https://www.fit.vut.cz/study/thesis/17112/
BibTeX
@mastersthesis{FITMT17112,
    author = "Martin \v{C}in\v{c}ala",
    type = "Master's thesis",
    title = "Detekce slovn\'{i}kov\'{y}ch \'{u}tok\r{u} na s\'{i}\v{t}ov\'{e} slu\v{z}by anal\'{y}zou IP tok\r{u}",
    school = "Brno University of Technology, Faculty of Information Technology",
    year = 2015,
    location = "Brno, CZ",
    language = "czech",
    url = "https://www.fit.vut.cz/study/thesis/17112/"
}
Back to top