Thesis Details
Vyhledávání podobností v síťových bezpečnostních hlášeních
Network monitoring systems generate a high number of alerts reporting on anomalies and suspicious activity of IP addresses. From a huge number of alerts, only a small fraction is high priority and relevant from human evaluation. The rest is likely to be neglected. Assume that by analyzing large sums of these low priority alerts we can discover valuable information, namely, coordinated IP addresses and type of alerts likely to be correlated. This knowledge improves situational awareness in the field of network monitoring and reflects the requirement of security analysts. They need to have at their disposal proper tools for retrieving contextual information about events on the network, to make informed decisions. To validate the assumption new method is introduced to discover groups of coordinated IP addresses that exhibit temporal correlation in the arrival pattern of their events. The method is evaluated on real-world data from a sharing platform that accumulates 2.2 million alerts per day. The results show, that method indeed detected truly correlated groups of IP addresses.
Alerts, correlation, IP address, sequence clustering, situational awareness, machine learning, pattern recognition, collective anomaly, botnet detection.
Bařina David, Ing., Ph.D. (DCGM FIT BUT), člen
Grézl František, Ing., Ph.D. (DCGM FIT BUT), člen
Křivka Zbyněk, Ing., Ph.D. (DIFS FIT BUT), člen
Zemčík Pavel, prof. Dr. Ing. (DCGM FIT BUT), člen
@mastersthesis{FITMT23210, author = "Imrich \v{S}toffa", type = "Master's thesis", title = "Vyhled\'{a}v\'{a}n\'{i} podobnost\'{i} v s\'{i}\v{t}ov\'{y}ch bezpe\v{c}nostn\'{i}ch hl\'{a}\v{s}en\'{i}ch", school = "Brno University of Technology, Faculty of Information Technology", year = 2020, location = "Brno, CZ", language = "slovak", url = "https://www.fit.vut.cz/study/thesis/23210/" }