Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence Environment (CYBER project)

The CYBER project addresses one of the main subjects of defence research and development proposed by the Ministry of Defence and the Armed Forces of the Czech Republic: the protection of information and communication systems against cyber attacks, so-called Cyber Defence. The project was carried out by the Institute of Computer Science and the Faculty of Informatics of Masaryk University, Brno, in 2008-2012.

Project goals

  • Analysis of up-to-date network threats and corresponding protection against them. Threats in the present network environment are becoming more and more advanced. One of the project goals is to focus on these threats, analyze them and design possible ways of protecting against them.
  • Reaction to security threats. Detection of a particular security threat is only the first, though important, step needed to protect the whole network. Once a threat is detected, a proper reaction has to follow, based on the threat type and the security policy. The reaction may be a simple warning sent to the network operator, or it may be a much more complicated sequence of activities – e.g., blocking the attacker's traffic, changing the security policy, or even a counter-action against the attacker.
  • Validation of advanced network probe utilization in active protection of the computer network. In the CYBER project the advanced network probe FlowMon is utilized and tested. The probe was originally developed by CESNET (the Czech NREN) and enables complete monitoring of a 10 Gb/s computer network. We plan to deploy the probe in situations requiring active protection of the computer network against the attacker. The typical task for the probe in active mode is filtering malicious traffic or performing a counter-action against the attacker.
  • Industrial utilization of the project results by the CIRC of the Czech Ministry of Defence and by CSIRT-MU is an important part of the project and brings immediate feedback to the project team. The FlowMon probes are deployed to monitor network traffic in the open environment of Masaryk University and also in the restricted environment of the Czech Army's computer network (access and management limited to CIRC members only).
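As an added illustration of the detect-then-react pipeline described in the goals above (example code written for this page, not the CYBER project's or FlowMon's own software), the following script evaluates NetFlow-like records for the pattern a dictionary attack on SSH leaves behind: many short flows to port 22 from one source. The flow records are constructed samples and the thresholds are assumed values, not figures from the project; the reaction tiers ("warn" the operator, or mark the source as a candidate for a filtering rule) mirror the two kinds of reaction the goals mention.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed policy values for this illustration, not the project's settings.
SSH_PORT = 22
MAX_PACKETS = 30        # a failed login exchange is only a handful of packets ...
MAX_DURATION_S = 5.0    # ... and the connection ends within seconds
WARN_THRESHOLD = 5      # short SSH flows from one source -> notify the operator
BLOCK_THRESHOLD = 20    # -> candidate for a filtering rule on the probe


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record: who talked to whom, how much, for how long."""
    src: str
    dst: str
    dport: int
    packets: int
    duration_s: float


def is_short_ssh_flow(flow: Flow) -> bool:
    """True for a flow that looks like a single failed SSH login attempt."""
    return (flow.dport == SSH_PORT
            and flow.packets <= MAX_PACKETS
            and flow.duration_s <= MAX_DURATION_S)


def count_short_ssh_flows(flows):
    """Number of short SSH flows per source address (the detection step)."""
    return Counter(f.src for f in flows if is_short_ssh_flow(f))


def decide_reactions(flows):
    """Map each suspicious source to the reaction the policy prescribes (the reaction step)."""
    reactions = {}
    for src, n in count_short_ssh_flows(flows).items():
        if n >= BLOCK_THRESHOLD:
            reactions[src] = "block"
        elif n >= WARN_THRESHOLD:
            reactions[src] = "warn"
    return reactions


# Constructed sample records (not real captures): one host hammering SSH,
# one host with a few attempts, and one legitimate long-lived session.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "192.168.1.10", 22, 12, 1.1) for _ in range(25)]   # dictionary attack
    + [Flow("10.0.0.9", "192.168.1.10", 22, 14, 0.9) for _ in range(6)]  # a few attempts
    + [Flow("10.0.0.7", "192.168.1.10", 22, 4100, 640.0)]                # normal admin session
    + [Flow("10.0.0.7", "192.168.1.20", 443, 60, 2.0)]                   # unrelated HTTPS
)

if __name__ == "__main__":
    for src, action in sorted(decide_reactions(SAMPLE_FLOWS).items()):
        print(f"{src}: {action}")
```

The legitimate session from 10.0.0.7 is never counted because a successful login produces one long flow with thousands of packets, which is exactly the property that lets a flow-level detector separate brute forcing from normal use without inspecting payload.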

Achieved results

NetFlow based active network protection

Anomaly detection based on profiles

Detection of time variation in network connections

Analysis and detection of the Chuck Norris botnet

Utilization of external data sources

Efficient NetFlow pairing algorithm

Detection of NAT devices using NetFlow

Detection of brute force attacks on SSH

Results (list of publications)

Project team members

Administrative record of the project