This diploma thesis aims to create a system that analyses captured network traffic and detects ongoing attacks. Attacks like ICMP- and DNS-Tunneling, Reverse Shell, and Denial-of-Service are our main focus. Furthermore, a network analysis is planned, which then should be able to differentiate between usual and uncommon traffic based on previously learned patterns. If one of the cases occurs, the suite will generate log entries, which then will be visualized by the web interface.
We’ve never had an automated system for detecting attacks within the school network. With it comes several negative aspects. Examples of such are a cumbersome analysis of relevant information, a delayed reaction to an attack, or maybe even an attack staying undiscovered. For this reason, we’ve resolved ourselves to fix this acute problem.
In addition, the suite is to forward its analyses to a web interface to display results graphically and have a central point of administration.
Thread Traffic Analyses Made Easy
Our suite consists of 5 major parts. The Manager: Coordination of analysers and logging-functionalities The 3 Thread Analysers: Looking for attacks within captured traffic The Networkanalysis: Analysing the traffic and creating statistics
DNS tunneling involves "tunneling" another protocol via DNS. A DNS tunnel can be misused for command and control, data exfiltration, or tunneling other Internet Protocol (IP) traffic.
An ICMP tunnel uses ICMP packets to establish a covert channel between two computers. This can be used, for example, to establish a tunnel for TCP packets by means of ping messages.
HTTPS tunneling is used to establish a network connection between two computers under conditions of limited network connectivity, including firewalls, NATs, and ACLs.
The availability of an (internet-)service is attacked in order to slow it down for other users or to make it completely unavailable.
A reverse connection is a connection to another computer that is used to bypass a firewall. This makes use of the firewall's ability to block incoming connections but not outgoing ones.
The networkanalysis learns from previously captured traffic and generates a baseline. This baseline is later used to determine if newer traffic is unusual and may pose a threat to the network.
APPROXIMATED COMPLETION (%)
LINES OF CODE
This Is Us
Responsible for networkanalysis, detecting unusual traffic and the suite's manager.
Team Leader - Scrum Master
Responsible for detecting several types of tunnels and planning the capturing endpoint of traffic.
TL Assistant - Product Owner
Responsible for detecting Denial-of-Service attacks and creating the webinterface for displaying logs.
Responsible for detecting different types of Reverse Shells and managing our incident database.