Research
We develop and evaluate a pipeline for extracting and analysing observations from network traffic, using state of the art machine learning and deep learning algorithms to recognise malicious patterns in network communication, without the need for static detection rules. The evaluation is conducted on the CIC-IDS-2018 dataset, a modern and large scale scenario that includes multiple common attack classes inside a multi- department corporate network infrastructure hosted on AWS. Our experiments seek to evaluate the detection performance of various algorithms, as well as the impact of different model parameters, to determine which delivers the highest value for security threat analysts. For this purpose, we compare the results of binary classification, to more fine grained multi-class attack classification, and investigate the possibility of knowledge transfer between network topologies as well as limitations for real-world deployment of anomaly- and classification-based network intrusion detection systems.
We develop and evaluate a structured and purely passive approach to the identification of vulnerable software observed on the network, to allow for undetected reconnaissance of a penetration tester during lateral movement inside a monitored corporate network environment. Several techniques for application identification are available nowadays, but no publicly available solution exists that makes use of them in combination, in order to identify known vulnerable software in a passive and automated fashion. Our solution makes use of several well established techniques for application identification and combines them with fingerprinting strategies to identify services that make use of encryption or cannot be identified otherwise. To serve the resulting data to the penetration tester and enable fast contextual analysis, we utilize the popular open source intelligence software Maltego. The efficiency of our approach is evaluated in the context of a case study, where we apply it during the lateral movement of a penetration tester through a monitored company intranet.
In this paper we develop and evaluate a graphical link analysis based approach to forensic network traffic investigation, that accelerates incident response and simplifies communication to non-expert users. Traditional tooling is mostly targeted towards expert personnel, and visual representation of extracted information is hard to grasp for other user groups. Our solution overcomes this limitation by combining in-depth protocol analysis with device profiling and visualizing the results within the popular open source intelligence software Maltego. We evaluate the efficiency of the developed approach in form of a case study, by using it for the investigation of a series of network breaches within a small corporate network environment.
This research project evaluates an approach to network intrusion detection inside of a modern water treatment facility, using machine learning to model normal traffic behaviour and test the classification on 36 different recorded attacks. A deep neural network with sequential dense layers is compared to a configuration with Long Short Term Memory (LSTM) layers, performing classification on the packet-based network traces and alerting if an attack could be identified. We demonstrate that this approach can be used to identify malicious behaviour within industrial networks with a high success rate, indicate performance implications and discuss applicability and challenges in deployment.
Virtualization has become a driving technology be- hind hosting services, allowing providers to offer isolated virtual machines to customers, while executing hundreds of them on the same physical hardware. In order to support serverless applications and provide startup times close to containers, a small virtual machine type called microVM is becoming increasingly popular. microVMs use a slimmed down Linux kernel and offer a minimal legacy device model to achieve fast boot times and a small memory footprint. We analyze the performance of the only two hypervisors that currently implement the microVM machine type: Firecracker and QEMU. To create meaningful benchmarks, we evaluate the two solutions in the context of real usage scenarios. Our results indicate that Firecracker outperforms QEMU’s microVM implementation in terms of kernel boot time, and scales better when running multiple microVMs concurrently.
In this paper we present REVCON, a web service to map enterprise networks that are secured by a stateful firewall, using reverse parasitic tracerouting. Reconnaissance is a key aspect in maintaining access to a compromised network, as intelligence gathered in advance about the target network will reduce the amount of noise that an attacker creates during lateral movement. Intermediate nodes along the path through an internal network are of great interest for an attacker, as they forward traffic from various devices. Penetrating these intermediate hops and sniffing traffic will likely yield user credentials, authorization tokens and other confidential information. After being contacted by a victim from the inside of a protected network, the service will inject probing packets into the connection. Analogously to the traceroute concept, these probes start with a low Time To Live (TTL) value and get incremented for each hop, while the service is listening for Internet Control Message Protocol (ICMP) TTL Expired error messages from intermediate devices. We demonstrate that this technique is a threat especially for IPv6 networks and that it can be used to gather multiple paths through load balanced network environments.
Corporate communication networks are frequently attacked with sophisticated and previously unseen malware or insider threats, which makes advanced defense mechanisms such as anomaly based intrusion detection systems necessary, to detect, alert and respond to security incidents. Both signature-based and anomaly detection strategies rely on features extracted from the network traffic, which requires secure and extensible collection strategies that make use of modern multi core architectures. Available solutions are written in low level system programming languages that require manual memory management, and suffer from frequent vulnerabilities that allow a remote attacker to disable or compromise the network monitor. Others have not been designed with the purpose of research in mind and lack in terms of flexibility and data availability. To tackle these problems and ease future experiments with anomaly based detection techniques, a research framework for collecting traffic features implemented in a memory-safe language will be presented. It provides access to network traffic as type-safe structured data, either for specific protocols or custom abstractions, by generating audit records in a platform neutral format. To reduce storage space, the output is compressed by default. The approach is entirely implemented in the Go programming language, has a concurrent design, is easily extensible and can be used for live capture from a network interface or with PCAP and PCAPNG dumpfiles. Furthermore the framework offers functionality for the creation of labeled datasets, targeting application in supervised machine learning. To demonstrate the developed tooling, a series of experiments is conducted, on classifying malicious behavior in the CIC-IDS-2017 dataset, using Tensorflow and a Deep Neural Network.