Federated Learning for Network Security

Student: Pavel Janata

Abstract: The goal is to research and develop a distributed and federated learning architecture for better protection of computers by training an ML model on network attacks. The work includes migrating current algorithms to the network security problem, then researching variations or a new model to address the specific problems of security, and finally implementing it inside the Slips IDS system.

Global permissionless P2P system for sharing distributed threat intelligence

Student: Martin Řepa

Abstract: The goal of this thesis is to design and implement a global peer to peer networking system to allow reliable, secure and confidential sharing of distributed threat intelligence data using the libp2p project. Unlike standard P2P networks, the system will allow peers to be members of trusted groups to minimise the risk of being targeted by malicious actors.

Messaging protocols shall be designed along with peer discovery and peer routing techniques while utilising peers’ reliability which is assumed to be dynamically computed by a blackbox trust model. The work will incorporate theoretical discussion and if possible practical experiments about its mitigation of known P2P network attacks. Finally, the implementation will be integrated into Stratosphere Linux intrusion prevention system (SLIPS) to allow sharing data with other SLIPS instances.

Detection of computational propaganda according to its spread on the Internet

Student: Ondřej Bouček

Abstract: The goal of this thesis is to test whether it is possible to detect the distribution of computational propaganda by tracking the spread of an article through the Internet. The student will develop and improve the searching tool developed by Stratosphere Laboratory to find which web pages are linking and referencing an article. Then a graph representation of an article distribution found by the searching tool will be created. Next, he must collect a data set of propaganda and non-propaganda URLs. Lastly, the student shall develop various machine learning models to test whether it is possible to detect propaganda using the graph representation approach.

Trust Model for Global Peer-To-Peer Intrusion Prevention System

Student: Lukas Forst

Abstract: The goal is to design and implement a trust model for distributed multi-agent environments of intrusion prevention systems (IPS). One IPS is the Stratosphere Linux IPS (Slips)[6], which will have a globally distributed peer-to-peer system. With this capability and the fact that peer-to-peer systems are permission-less, Slips must determine how much it can trust the data from other peers. We aim to solve this challenge and design and implement a trust model as a Slips module. The trust model should be able to evaluate the behavior of other Slips agents (which can also be acting as malicious actors) in a global peer-to-peer data sharing network and compute a trust value. The question that we want to answer is “how much can the local system trust the data coming from the said global peer?”.

The student will analyze different trust models and options to attack them. A new trust model that uses data from Slips will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside Slips and will enable sharing said network data with other nodes running Slips.


Machine learning privacy: analysis and implementation of model extraction attacks

The rise in popularity and the large number of improvements made to Machine Learning (ML) resulted in the emergence of a new type of attack called the model extraction attack. Model extraction attacks are privacy attacks, which aim to extract information about a victim model or even steal its functionality. These types of attacks are being heavily researched; however, it is very hard to perform comparisons between the proposed papers. In this work, we present MET, which implements state-of-the-art model extraction attacks on arbitrary ML models and datasets. Using the tool, we performed a comprehensive comparison between the implemented attacks to see how they perform under different settings. Our results show that in the case of black-box scenarios, the attacks perform similarly. Based on the results, we propose and implement improvements for some of the attacks both in terms of speed and performance.

Url: https://dspace.cvut.cz/handle/10467/95288

The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm

Graph Generative Models for Decoy Targets in Active Directory

Active Directory (AD) is a crucial element of large organizations, given its central role in managing access to resources. However, since AD is used by all users in the organization, it is hard to detect attackers. We propose to generate and place fake users (honeyusers) in AD structures to help detect attacks. However, not any honeyuser will attract attackers. Our method generates honeyusers with a Variational Autoencoder that enriches the AD structure with well-positioned honeyusers. Our model first learns the embeddings of the original nodes and edges in the AD, then it uses a modified Bidirectional DAG-RNN to encode the parameters of the probability distribution of the latent space of node representations. Finally, it samples nodes from this distribution and uses an MLP to decide where the nodes are connected. The model was evaluated first by the similarity of the generated AD with the original AD, second by the positions of the new nodes, and finally by making real intruders attack the AD structure enriched with honeyusers to see if they selected the honeyusers. Results show that our machine learning model is good enough to generate well-placed honeyusers for existing AD structures so that intruders are lured into them.

Execution, Analysis and Detection of Android RATs traffic

Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RATs). RATs are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting an Android RAT in the phone is a challenging task, which is why we propose to detect it in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect them from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing a new detection model, and (4) implementing this detection module for RATs in an open-source Python-based intrusion detection system called Slips.

Trust models on adversarial distributed security agents

The goal of this work is to propose a protocol for sharing data in a decentralized network of peers, where each node gains reputation for their actions. Information from nodes with low reputation may be discarded, while nodes with high reputation will be heard. This serves as a protection, because malicious nodes would first have to gain trust of the network before they could affect it.

There are multiple approaches to compute reputation, but they rely mostly on adherence to the protocol, uptime and other simple features. The trust model used by the Sality botnet simply measures how many “good” interactions a node had with its neighbor. There are numerous attacks that an adversary can use to gain trust of the network. In this thesis, the trust model will not only use data from the protocol itself, but also network monitoring and statistics provided by SLIPS. We will analyze different trust models and options to attack them. A new trust model that uses data from SLIPS will be proposed, and its performance will be evaluated. Finally, the model will be implemented as a module inside SLIPS, and will enable sharing said network data with other nodes running SLIPS.

The first comprehensive report on the state of the security of mobile phones of civil society

Civil society members face threats not only in the physical world but in cyberspace. Their critical work leaves them in a permanent risk of surveillance and abuse. Mobile phones are vital for their activities, however these are often vastly unprotected. The lack of a standardized method to measure and analyze these risks hinders the efforts to protect them. The Civilsphere Project at the Czech Technical University in Prague created the Emergency VPN (EVPN) to help civil workers at risk. This free service helps discover data leaks or malware infections through network traffic analysis of mobile devices. The goal of this thesis is to create the first standardized risk measurement score for mobile phones at risk. In order to do so we processed 65 packet captures from the civil society along with the manual assessment reports done by Civilsphere analysts, creating a unique dataset suitable for further analysis. We assessed data leaked from mobile devices to identify potential risks and security threats. We developed a new method to standardize the severity rating and created a metric describing the nature of the reported data leaks. While none of the analyzed devices showed indications of malware presence, we discovered that they leak a lot of data that puts the civil workers at risk, most commonly the user’s location.

IDENTIFYING MALICIOUS HOSTS BY AGGREGATION OF PARTIAL DETECTIONS

Bachelor Thesis

This thesis proposes to design, implement and test a machine learning improvement of Stratosphere IPS which aggregates the partial detections of hosts and classifies them using the XGBoost algorithm to improve the overall performance of the tool. Our method is based on an additional layer of abstraction called the Source Address layer, which collects the partial data and pre-processes it for the classifier. Compared to the first version of Stratosphere IPS, the proposed extension results in a 40% increase in accuracy and a 26% improvement in the False Positive rate.

IDENTIFICATION OF NETWORK USERS BY PROFILING THEIR BEHAVIOR

Master Thesis

The precise identification of users in the network at different moments in time is a well known and difficult problem. Identifying users by their actions (and not their IP addresses) allows administrators to apply policy controls on users, to find intruders that are impersonating legitimate users, and to find anomalous user behaviors that could be due to malware infections. More importantly, the behavioral analysis of users' actions raises important moral questions about the power to identify users in unknown networks. This thesis explores this question by trying to identify users by converting the user's behavior into user profiles. These profiles are time-dependent and they have dozens of features.

GRAPH-BASED ANALYSIS OF MALWARE NETWORK BEHAVIORS

Bachelor Thesis

There are many malware families and each of them has some unique features. The aim of this work is to focus on detecting malicious behavior using leaving network communication. Our hypothesis is that this malicious communication has sequential behavioral patterns. We present a new graph representation of leaving network communication using (IP address, port, protocol)-triplets as vertices.

MANATI: WEB ASSISTANCE FOR THE THREAT ANALYSIS SUPPORTED BY DOMAIN SIMILARITY

Master Thesis

This project has two primary goals: First, to help analysts by means of a web interface, in evaluating the weblogs to better find and process the information. Second, to create a machine learning method that can identify domains which share some similarity in their WHOIS Information. Our algorithm can work as a WHOIS classification of similar domains also called WHOIS similarity distance. The conclusions of our research are: First, ManaTI can increase the speed of the security analysts by a factor of 3.4. Second, the WHOIS information of related domains has quantifiable similarities that make possible an accurate comparison. Third, there are WHOIS fields which are more important for relating domains than others. Finally, the accuracy of finding related domains using a linear model classifier based on the WHOIS Similarity Distance algorithm is around 98%.

DETECTION OF SECURITY ATTACKS ON NETWORKS USING ENSEMBLING TECHNIQUES

Master Thesis

Detecting malware and attacks by analyzing network traffic remains a challenge. Although there are several well-known detection mechanisms to accurately separate malicious behavior from normal behavior, it is still extremely difficult to have a detection system that can handle all the situations that arise in the network. These known algorithms include machine learning techniques, static signatures and rules based on experience. In particular, the method most used today is based on the contribution of rules by a large community of analysts. The most important impediments to good detection are that: First, normal traffic is extremely complex, diverse and changing. Second, malicious actions change continuously, adapting, migrating and hiding as normal traffic. Third, the amount of data to analyze is huge, forcing analysts to lose data in favor of speed. And fourth, detection must occur in near real time to be of some use.

PROFILING AND DETECTION OF IOT ATTACKS IN TELNET TRAFFIC

Master Thesis

In the last five years the prevalence of IoT devices opened the door to a myriad of different attacks on unprotected home devices. These devices came from the factory with several vulnerabilities that cannot be fixed without replacing the device. The most used protocol for these IoT devices is the Telnet protocol. However, there does not exist any tool or research or methodology to protect the devices by studying the Telnet protocol.

ANALYSIS AND COMPARISON OF THE CHARACTERISTICS OF HIGH PERFORMANCE SYSTEMS AND BOTNETS

The goal of this master's thesis is to study botnets as HPC systems to demonstrate that they can resolve similar problems. To achieve this objective, the characteristics of a traditional HPC system and those of a botnet will be measured to compare them. To perform the comparative analysis of the thesis, the study of a botnet called Geost that was discovered in the Stratosphere laboratory will be carried out.

Should I click on a link? Machine Learning to Protect from Cyber Attacks on the Web

Master Thesis

The great majority of attacks, including targeted attacks, start with a link in an email or chat. When you don't have time to check or you don't know how to check it, should you click on it or not? Malicious websites can be used for phishing, exploits, crypto mining, or drive-by downloads and they are difficult to detect. Meet www.shouldiclick.org

BEHAVIORAL ANALYSIS AND DETECTION OF IOT MALWARE USING THE IRC PROTOCOL

Master Thesis

This thesis aims to solve the problem of identification and classification of botnets using the IRC protocol. In the last years, IRC has been used again as the main Command and Control protocol for IoT botnets. IRC is an old and well known protocol, but it has not been studied for IoT malware. The study of IRC is complex since it can work as a centralized protocol, or a peer-to-peer protocol. The goal of the thesis is to analyse malicious IRC communication and normal IRC communications in order to learn how to classify them.