We are increasingly dependent on the Internet. Among the developed countries, Internet usage is pervasive. We are connected at work and at home, and we browse the latest news on our phones. Moreover, the Internet is the virtual space in which we nowadays manage our money and our personal data. We depend on the Internet not only at the personal level: it is by now such a ubiquitous technology that almost any company, university, governmental organization, or even critical infrastructure such as a power plant or a water treatment plant, is globally connected.
However, more and more often, the Internet is also attracting the attention of less well-intentioned users. The number of attacks on current networks is constantly increasing, and the time in which hacking was an activity for a small elite is long gone. An example to which the press has given much attention is the recent series of attacks launched by Wikileaks detractors and sympathizers between November and December 2010. In the Netherlands, a recent example is the case of Rabobank, where customers could not access their online banking for several hours. Moreover, in recent years we have become aware of emerging threats targeting critical infrastructures. Stuxnet is a clear example: a worm probably engineered to attack uranium enrichment facilities.
Our goal at the DACS group is to understand what such attacks (or, more generally, “anomalies”) look like at the network level, that is, how they affect the state and the behaviour of the network. Our approach is fundamentally based on network measurements. All our activities incorporate the collection and analysis of real network information, as obtained from packet traces, honeypot logs, and network flows.
Network flows in particular play an important role in our research. They make it possible to aggregate traffic information in order to reduce the amount of data to be analyzed. In this way we can monitor network traffic at speeds of 1-10 Gbps, at which traditional packet-level monitoring is almost infeasible. A flow is comparable to a letter in a closed envelope: we know its weight and we can tell who the sender and the receiver are, but we don’t know the contents of the letter. Of course, this creates additional challenges for the monitoring and analysis process.
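As an added illustration of the flow abstraction described above (example code written for this page, not code from the DACS group), the following Python snippet folds a constructed packet trace into unidirectional 5-tuple flow records, keeping only who talked to whom and how much, and closing a record after an idle timeout the way a flow exporter would. The addresses, ports, timestamps, payloads and the 60-second timeout are all constructed assumptions.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float          # seconds since trace start
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes     # the "contents of the letter", which a flow record never keeps


# Constructed sample trace (documentation-range addresses, hypothetical ports/payloads).
PACKETS = [
    Packet(0.00, "192.0.2.10", "198.51.100.5", "tcp", 51000, 80, b"GET / HTTP/1.1\r\n"),
    Packet(0.05, "198.51.100.5", "192.0.2.10", "tcp", 80, 51000, b"x" * 1400),
    Packet(0.10, "198.51.100.5", "192.0.2.10", "tcp", 80, 51000, b"x" * 1400),
    Packet(0.20, "192.0.2.10", "198.51.100.5", "tcp", 51000, 80, b""),
    Packet(1.00, "192.0.2.10", "192.0.2.53", "udp", 40000, 53, b"dns-query-bytes"),
    Packet(1.02, "192.0.2.53", "192.0.2.10", "udp", 53, 40000, b"dns-reply"),
    # Same 5-tuple as the first packet, but long after the idle timeout: a new flow.
    Packet(90.0, "192.0.2.10", "198.51.100.5", "tcp", 51000, 80, b"GET /again HTTP/1.1\r\n"),
]


def aggregate_flows(packets, idle_timeout=60.0):
    """Fold packets into unidirectional 5-tuple flow records.

    A record is exported when no packet for its key arrives within idle_timeout
    seconds, mirroring the inactive timeout of a flow exporter (the timeout value
    here is an assumption). Only counters survive: the payload is dropped.
    """
    active, exported = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flow = active.get(key)
        if flow is not None and p.ts - flow["last"] > idle_timeout:
            exported.append(active.pop(key))   # idle too long: close the old record
            flow = None
        if flow is None:
            flow = {"key": key, "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0}
            active[key] = flow
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += len(p.payload)        # the envelope's "weight", not its contents
    exported.extend(active.values())           # flush records still open at end of trace
    return sorted(exported, key=lambda f: f["first"])


if __name__ == "__main__":
    for f in aggregate_flows(PACKETS):
        src, dst, proto, sport, dport = f["key"]
        print(f"{src}:{sport} -> {dst}:{dport} {proto} packets={f['packets']} bytes={f['bytes']}")
```

Seven packets with their payloads collapse into five records that carry only endpoints, counters and timestamps, which is the data reduction, and the information loss, that the envelope analogy describes.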
We offer a wide range of topics for student assignments in the areas of network security and network measurements. Possible topics of interest include:
- Creating flow-based signatures of worms using Honeypots
- Detection of SPAM mail
- Identification of malicious (sub-)networks in the Internet (“Bad Neighborhoods”)
- Detection of malicious activities in critical infrastructure networks (SCADA)
- Modeling of normal and malicious network traffic
- Estimation of bandwidth requirements based on flow measurements