<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://projectswiki.eleceng.adelaide.edu.au/projects/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=A1628217</id>
	<title>Projects - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://projectswiki.eleceng.adelaide.edu.au/projects/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=A1628217"/>
	<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php/Special:Contributions/A1628217"/>
	<updated>2026-05-05T12:46:58Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.4</generator>
	<entry>
		<id>https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160b_Cyber_Security_-_e-Government_and_Network_Security&amp;diff=5606</id>
		<title>Projects:2016s1-160b Cyber Security - e-Government and Network Security</title>
		<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160b_Cyber_Security_-_e-Government_and_Network_Security&amp;diff=5606"/>
		<updated>2016-04-04T10:30:02Z</updated>

		<summary type="html">&lt;p&gt;A1628217: /* Using Internet Protocol Packet Visualization to support debriefing */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
== Using Internet Protocol Packet Visualization to support debriefing ==&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Group members:&amp;#039;&amp;#039;&amp;#039; Johann David Krister Andersson&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Supervisor:&amp;#039;&amp;#039;&amp;#039; Dr. Matthew Sorell&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Description:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&lt;br /&gt;
NATO&amp;#039;s Operation Locked Shields (LS) is a yearly network defence exercise which aims to test and train network security professionals. The after-action debriefings are challenging, as it is difficult to explain exactly how an attack occurred without looking at Internet Protocol packet flows. It has been proposed to use packet visualization techniques to support the debriefing; however, existing visualization tools lack important features such as IPv4 and IPv6 hybrid support and application layer support. The present study aims to provide recommendations for the upgrades and changes to existing tools that are needed for them to be used to support debriefing.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Introduction:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&lt;br /&gt;
Public-facing networks are likely under regular attack, and attacks are constantly evolving. Several packet visualization tools exist. For example, Okada proposes a 2Dto2D method that displays packet captures over time by source and destination address and port. Muelder describes a layered method. On the highest layer, a statistic such as connections per port is shown over the whole packet capture interval. This layer is intended to be used to pick a particular time for further investigation. The second layer breaks down the statistic by port, which is intended to be used to pick a particular port for investigation, and the third layer shows various statistics for the selected port.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
These methods were developed for the purpose of attack forensics. For example, Okada&amp;#039;s method is useful for detecting DoS, DDoS, port scanning and covert communication channels. However, these tools were not developed for the purpose of debriefing, which requires additional features, not all of which are relevant to network forensics. Particularly challenging, and chronically under-supported by existing tools, are attacks on networks with transition mechanisms. These attacks, such as flood router6 and Smurf6, take advantage of the transition methods implemented to support the transition from IPv4 to IPv6. For debriefing it is also important to filter out irrelevant packets. For example, during the LS exercise background traffic is generated to hide malicious traffic, as would be expected during network security events outside of defence exercises. However, during debriefing, background traffic is unwanted noise that should be filtered out. Existing tools focus on the lower levels of the Internet stack, particularly on the network layer. However, attacks such as those on outdated browser versions, for example CVE-2014-1510 and CVE-2014-1511, occur at the application layer.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
The present study aims to review several existing tools in the context of post-exercise debriefing. The needs of the debriefing and the attacks used during the defence exercise will be discussed with several professionals from Tallinn University of Technology and NATO who are involved in the LS exercise. Of particular focus are the extension of existing tools to support the analysis of attacks on networks in transition, the addition of support for the application layer, and the investigation of filtering methods to reduce noise. Additionally, the attack methods specified in the after-action report will be reviewed, and recommendations for visualization methods that explain how these attacks take place will be made to support the LS exercise in 2017.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Progress report:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&lt;br /&gt;
Complete document: [https://www.dropbox.com/s/wxe19gd8s9r4szo/Progress%20Report%20David.docx?dl=1]&lt;/div&gt;</summary>
		<author><name>A1628217</name></author>
		
	</entry>
	<entry>
		<id>https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160b_Cyber_Security_-_e-Government_and_Network_Security&amp;diff=5605</id>
		<title>Projects:2016s1-160b Cyber Security - e-Government and Network Security</title>
		<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160b_Cyber_Security_-_e-Government_and_Network_Security&amp;diff=5605"/>
		<updated>2016-04-04T10:27:19Z</updated>

		<summary type="html">&lt;p&gt;A1628217: Created page with &amp;quot; == Using Internet Protocol Packet Visualization to support debriefing == &amp;#039;&amp;#039;&amp;#039;Group members:&amp;#039;&amp;#039;&amp;#039; Johann David Krister Andersson&amp;lt;br&amp;gt; &amp;#039;&amp;#039;&amp;#039;Supervisor:&amp;#039;&amp;#039;&amp;#039; Dr. Matthew Sorell&amp;lt;br&amp;gt;&amp;lt;br&amp;gt; ...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
== Using Internet Protocol Packet Visualization to support debriefing ==&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Group members:&amp;#039;&amp;#039;&amp;#039; Johann David Krister Andersson&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Supervisor:&amp;#039;&amp;#039;&amp;#039; Dr. Matthew Sorell&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Description:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&lt;br /&gt;
NATO&amp;#039;s Operation Locked Shields (LS) is a yearly network defence exercise which aims to test and train network security professionals. The after-action debriefings are challenging, as it is difficult to explain exactly how an attack occurred without looking at Internet Protocol packet flows. It has been proposed to use packet visualization techniques to support the debriefing; however, existing visualization tools lack important features such as IPv4 and IPv6 hybrid support and application layer support. The present study aims to provide recommendations for the upgrades and changes to existing tools that are needed for them to be used to support debriefing.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Introduction:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
Public-facing networks are likely under regular attack, and attacks are constantly evolving. Several packet visualization tools exist. For example, Okada proposes a 2Dto2D method that displays packet captures over time by source and destination address and port. Muelder describes a layered method. On the highest layer, a statistic such as connections per port is shown over the whole packet capture interval. This layer is intended to be used to pick a particular time for further investigation. The second layer breaks down the statistic by port, which is intended to be used to pick a particular port for investigation, and the third layer shows various statistics for the selected port.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
These methods were developed for the purpose of attack forensics. For example, Okada&amp;#039;s method is useful for detecting DoS, DDoS, port scanning and covert communication channels. However, these tools were not developed for the purpose of debriefing, which requires additional features, not all of which are relevant to network forensics. Particularly challenging, and chronically under-supported by existing tools, are attacks on networks with transition mechanisms. These attacks, such as flood router6 and Smurf6, take advantage of the transition methods implemented to support the transition from IPv4 to IPv6. For debriefing it is also important to filter out irrelevant packets. For example, during the LS exercise background traffic is generated to hide malicious traffic, as would be expected during network security events outside of defence exercises. However, during debriefing, background traffic is unwanted noise that should be filtered out. Existing tools focus on the lower levels of the Internet stack, particularly on the network layer. However, attacks such as those on outdated browser versions, for example CVE-2014-1510 and CVE-2014-1511, occur at the application layer.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
The present study aims to review several existing tools in the context of post-exercise debriefing. The needs of the debriefing and the attacks used during the defence exercise will be discussed with several professionals from Tallinn University of Technology and NATO who are involved in the LS exercise. Of particular focus are the extension of existing tools to support the analysis of attacks on networks in transition, the addition of support for the application layer, and the investigation of filtering methods to reduce noise. Additionally, the attack methods specified in the after-action report will be reviewed, and recommendations for visualization methods that explain how these attacks take place will be made to support the LS exercise in 2017.&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;Progress report:&amp;#039;&amp;#039;&amp;#039;&amp;lt;br&amp;gt;&lt;br /&gt;
Complete document: [https://www.dropbox.com/s/wxe19gd8s9r4szo/Progress%20Report%20David.docx?dl=1]&lt;/div&gt;</summary>
		<author><name>A1628217</name></author>
		
	</entry>
	<entry>
		<id>https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5587</id>
		<title>Projects:2016s1-160 Cyber Security - in collaboration with Tallinn University of Technology</title>
		<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5587"/>
		<updated>2016-04-03T06:46:26Z</updated>

		<summary type="html">&lt;p&gt;A1628217: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;There are 9 researchers in this project group, each of whom is doing their own project.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;David Andersson - Applying Internet Protocol Packet Visualization to Debriefing&amp;#039;&amp;#039;&amp;#039; &amp;lt;br&amp;gt;&lt;br /&gt;
Project supervisor: Matthew Sorell&amp;lt;br&amp;gt;&lt;br /&gt;
Aims: The aim of the study is to make recommendations about how Internet Protocol packet visualization can be used to support the debriefing of the Locked Shields NATO defence exercise. To achieve this, existing packet visualization methods, such as those discussed in the literature review, will be reviewed to determine which types of attacks specified in the Locked Shields NATO defence exercise 2015 report may be gainfully visualized using the methods. Additionally, recommendations will be made to improve the existing visualization methods, specifically to help network security professionals understand the presented data more easily. For those attack types that cannot be usefully visualized using existing methods, the required changes and upgrades to the existing tools will be explored. A particular focus will be how attacks that exploit the IPv4 to IPv6 transition mechanisms and application layer attacks can be visualized.&amp;lt;br&amp;gt;&lt;br /&gt;
Full proposal: [https://www.dropbox.com/s/hk1katzfwxjpojm/Proposal.pdf?dl=1]&lt;/div&gt;</summary>
		<author><name>A1628217</name></author>
		
	</entry>
	<entry>
		<id>https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5586</id>
		<title>Projects:2016s1-160 Cyber Security - in collaboration with Tallinn University of Technology</title>
		<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5586"/>
		<updated>2016-04-03T06:45:28Z</updated>

		<summary type="html">&lt;p&gt;A1628217: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;There are 9 researchers in this project group, each of whom is doing their own project.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;David Andersson - Applying Internet Protocol Packet Visualization to Debriefing&amp;#039;&amp;#039;&amp;#039; &amp;lt;br&amp;gt;&lt;br /&gt;
Project supervisor: Matthew Sorell&amp;lt;br&amp;gt;&lt;br /&gt;
Aims: The aim of the study is to make recommendations about how Internet Protocol packet visualization can be used to support the debriefing of the Locked Shields NATO defence exercise. To achieve this, existing packet visualization methods, such as those discussed in the literature review, will be reviewed to determine which types of attacks specified in the Locked Shields NATO defence exercise 2015 report may be gainfully visualized using the methods. Additionally, recommendations will be made to improve the existing visualization methods, specifically to help network security professionals understand the presented data more easily. For those attack types that cannot be usefully visualized using existing methods, the required changes and upgrades to the existing tools will be explored. A particular focus will be how attacks that exploit the IPv4 to IPv6 transition mechanisms and application layer attacks can be visualized.&amp;lt;br&amp;gt;&lt;br /&gt;
Full proposal: [https://www.dropbox.com/s/hk1katzfwxjpojm/Proposal.pdf?dl=1]&lt;/div&gt;</summary>
		<author><name>A1628217</name></author>
		
	</entry>
	<entry>
		<id>https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5585</id>
		<title>Projects:2016s1-160 Cyber Security - in collaboration with Tallinn University of Technology</title>
		<link rel="alternate" type="text/html" href="https://projectswiki.eleceng.adelaide.edu.au/projects/index.php?title=Projects:2016s1-160_Cyber_Security_-_in_collaboration_with_Tallinn_University_of_Technology&amp;diff=5585"/>
		<updated>2016-04-03T06:39:52Z</updated>

		<summary type="html">&lt;p&gt;A1628217: Created page with &amp;quot;There are 9 researchers in this project group each of which are doing their own projects.&amp;lt;br&amp;gt;  &amp;#039;&amp;#039;&amp;#039;David Andersson - Applying Internet Protocol Packet Visualization to Debriefi...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;There are 9 researchers in this project group, each of whom is doing their own project.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;#039;&amp;#039;&amp;#039;David Andersson - Applying Internet Protocol Packet Visualization to Debriefing&amp;#039;&amp;#039;&amp;#039; &amp;lt;br&amp;gt;&lt;br /&gt;
Project supervisor: Matthew Sorell&amp;lt;br&amp;gt;&lt;br /&gt;
Aims: The aim of the study is to make recommendations about how Internet Protocol packet visualization can be used to support the debriefing of the Locked Shields NATO defence exercise. To achieve this, existing packet visualization methods, such as those discussed in the literature review, will be reviewed to determine which types of attacks specified in the Locked Shields NATO defence exercise 2015 report may be gainfully visualized using the methods. Additionally, recommendations will be made to improve the existing visualization methods, specifically to help network security professionals understand the presented data more easily. For those attack types that cannot be usefully visualized using existing methods, the required changes and upgrades to the existing tools will be explored. A particular focus will be how attacks that exploit the IPv4 to IPv6 transition mechanisms and application layer attacks can be visualized.&amp;lt;br&amp;gt;&lt;br /&gt;
Full proposal: [https://www.dropbox.com/s/hk1katzfwxjpojm/Proposal.pdf?dl=0]&lt;/div&gt;</summary>
		<author><name>A1628217</name></author>
		
	</entry>
</feed>