Security of information and communication systems, on-line monitoring, visualization and packet filtration (CYBER)


In the time of its fulfilling, the CYBER project was one of the main priorities of defense research and development of the Ministry of Defence, which is the protection of information and communication systems against cyber attack, so-called Cyber Defence. The project included analysis of cyber threats, the methodologies were designed and testing within opened and closed computer networks took place. Thanks to the project, the important botnet Chuck Norris was discovered.

Motivation

We are constantly facing more and more advanced cyber threats in modern computer networks, and those threats are using yet still more advanced technologies. Because of that, we were focusing on a detailed analysis of many types of cyber threats (patterns of performance). We created a huge knowledge base enabling to prepare methodologies with specific procedures of automatic reactions on cyber threats. 

Based on the type of threat and security policy, this reaction can be just notification to the network operator, but it can also be a more complex chain of events including blocking the network on an attackers side or change of security policies within the network or counteraction against the attacker. For data network protection, we were researching possibilities of using advanced network probe.

Technology and specifics

    • Investigating uses possibilities of advanced network probe for active protection of data network 
      We were testing advanced network probe FlowMon developed by CESNET association. Thanks to the probe, we were able to fully monitor computer network even at 10Gb/s speed. We put the probe in a situation requiring active protection of computer network against an attacker (e. g. filtering harmful traffic containing the attack itself or causing counteractions against the attacker).
    • Detection of anomalies based on changes in patterns of performance
      Patterns of performance mirror complex information about computers and other devices connected to network behavior. Aggregation of NetFlow data in regular time intervals is capable of gaining profiles character of time series. On those series, a statistic method can be applied and then it can be detected anomalies and deviations from expected computer performance and other devices communicating through the network. We created software using a tool called nfdump, through which were creating profiles of performance and in the form of time series were transmitted for system R analysis. 
  • Practical using and deploying outcomes of the project by CSIRT-MU and CIRC MO teams
    We tested the network probe on an open computer network (Masaryk University) and on a close computer network (Ministry of Defence, under CIRC MO representative´s control). Both gave us direct feedback on current research results. 

Achievements

In 2009, the botnet Chuck Norris was discovered at the Masaryk University. This harmful software targeted on devices running on Linux system with MIPS processors (e. g. ADSL modems). It was attacking network infrastructure and for this reason, it could not be detected by common antivirus programmes, therefore it was able to gain access to network traffic of all users from the attacked network. 

But we achieved many more interesting results within CYBER project. We developed a detection tool called cndet (NetFlow plugin of NfSen collector), which could reveal parts of botnet through collected data in a local network and through detection performance patterns.

We focused on the classification of external data resources (publicly accessible and dependent on organization), which contains information about devices within the network. That information helps with investigation security incident or with analysis of network activities. 

We also developed an efficient algorithm for automatic pairing unidirectional flows. NetFlow data contain just information from one direction of communication (server, client), which makes two separate flows. Bounding communication pairs has accelerated our solution by several orders. It can be used for example for profiling network devices, elimination of noise in aggregated statistics in form of unpaired flows, simplifying detection of network anomalies or removal of operational problems.

IDENTIFICATION CODE

OVMASUN200801