Proudová paralelní detekce anomálií v počítačových sítích
Stream-wise Parallel Anomaly Detection in Computer Networks
Type of document
doctoral thesis
Author
Čejka Tomáš
Supervisor
Kubátová Hana
Opponent
Ryšavý Ondřej
Field of study
Informatics
Study program
Informatics
Institutions assigning rank
Department of Digital Design
Defended
2018-10-19
Rights
A university thesis is a work protected by the Copyright Act. Extracts, copies and transcripts of the thesis are allowed for personal use only and at one's own expense. The use of the thesis should be in compliance with the Copyright Act http://www.mkcr.cz/assets/autorske-pravo/01-3982006.pdf and the citation ethics http://knihovny.cvut.cz/vychova/vskp.html
Abstract
This dissertation thesis is a collection of the author's works from the areas of flow-based network monitoring and network security that were elaborated in the last five years. The main feature of all included papers is the so-called stream-wise approach to processing flow data, which is described in this thesis. Stream-wise processing is a suitable principle of security analysis for large-scale computer networks, since flow records are processed on-the-fly as they reach a flow collector. As a proof of concept, we have developed the open source NEMEA framework and a set of NEMEA modules for stream-wise analysis of flow data. Several papers included in this thesis show the benefits of extended flow records that contain information from application-protocol (L7) headers. Such extended flow records can increase the reliability of detection algorithms and allow detection of suspicious traffic that is invisible to traditional flow-based detection methods. Detection modules capable of processing the L7 information are called application-aware. Since the data volume from monitoring systems grows, and is expected to increase further in the future, the next focus of this dissertation thesis is a scalable infrastructure for parallel flow-based analysis. Our experiments show the importance of a correct algorithm for distributing data among multiple computing nodes: using an algorithm that does not respect semantic relations in the flow data has a strong negative influence on the detection results. Therefore, the dissertation thesis shows a method of constructing a proper Flow Scatter that distributes flow data without breaking these semantic relations. Besides the described contributions, all works included in the papers underwent an extensive experimental evaluation. The experiments were performed with data sets from real backbone traffic of the Czech national academic network. Additionally, the created flow-based NEMEA modules were deployed in the monitoring infrastructure of the CESNET2 network.