Publication Details
Automating Network Security Analysis at Packet-level by using Rule-based Engine
Ryšavý Ondřej, doc. Ing., Ph.D. (DIFS FIT BUT)
Dudek Jindřich, Ing. (FIT BUT)
Network security, network monitoring, anomaly detection, threat detection, network forensics
When a network incident is detected, a network administrator has to manually verify the incident and provide a solution to stop the incident from continuing and prevent similar incidents in the future. The network analysis is a time-consuming and labor-intensive activity which requires good network knowledge. Creating a solution which automates the administrator's work can dramatically speed up the analysis process and can make the whole process easier for less experienced administrators. In this paper, we describe a method that uses a predefined set of rules to identify incident patterns. Though this principle is used by many security tools, the new aspect is that the presented approach uses the Wireshark tool which is well known among the administrators, and it is expressive enough to specify complex relations among source data thus being able to detect quite sophisticated attacks. The created rule's format uses the same language as the Wireshark filters.
When a network incident is detected, a network administrator has to manually verify the incident and provide a solution to stop the incident from continuing and prevent similar incidents in the future. The network analysis is a time-consuming and labor-intensive activity which requires good network knowledge. Creating a solution which automates the administrator's work can dramatically speed up the analysis process and can make the whole process easier for less experienced administrators. In this paper, we describe a method that uses a predefined set of rules to identify incident patterns. Though this principle is used by many security tools, the new aspect is that the presented approach uses the Wireshark tool which is well known among the administrators, and it is expressive enough to specify complex relations among source data thus being able to detect quite sophisticated attacks. The created rule's format uses the same language as the Wireshark filters.
@INPROCEEDINGS{FITPUB12011, author = "Martin Holkovi\v{c} and Ond\v{r}ej Ry\v{s}av\'{y} and Jind\v{r}ich Dudek", title = "Automating Network Security Analysis at Packet-level by using Rule-based Engine", pages = "1--8", booktitle = "Proceedings of the Sixth European Conference on the Engineering of Computer-Based Systems", year = 2019, location = "Bucharest, RO", publisher = "Association for Computing Machinery", ISBN = "978-1-4503-7636-5", doi = "10.1145/3352700.3352714", language = "english", url = "https://www.fit.vut.cz/research/publication/12011" }