Title Sustav za sigurnosni nadzor i obranu mreže zasnovan na alatima otvorenog koda
Title (english) Network security monitoring and defense system based on open source tools
Author Filip Pavelić
Mentor Željko Ilić (mentor)
Committee member Željko Ilić (committee chair)
Committee member Gordan Šišul (committee member)
Committee member Marin Šilić (committee member)
Granter University of Zagreb Faculty of Electrical Engineering and Computing Zagreb
Defense date and country 2019-07-08, Croatia
Scientific / art field, discipline and subdiscipline TECHNICAL SCIENCES Computing
Scientific / art field, discipline and subdiscipline TECHNICAL SCIENCES Electrical Engineering
Abstract The modern NSM cycle consists of three phases: data collection, malware detection and malware analysis. In the collection phase it is important to define the network architecture so that data-collection devices and systems can be placed effectively. If they are placed badly, visibility into who communicates within the network, and how, can be lost. It is also necessary to know the network traffic statistics so that the data-collection system can be sized to handle the expected network load. In the malware detection phase the entry vectors must be well defined so that the detection tools can be tuned accordingly. Common malware detection techniques are based on some kind of code signature, on anomalies, or on statistical deviation of behaviour in the system. The more popular open-source detection packages are Snort, Suricata and Zeek IDS. Best practice for network monitoring would include a Suricata instance for fast recognition of known threats, combined with Zeek IDS for handling the data that provides the context needed for a more useful presentation of alerts. With Zeek it is possible to find out which behaviour led to an incident and what happened after it. Malware analysis is the final phase of the NSM cycle.
Malware analysis can be static or dynamic. Static analysis is faster and less risky than dynamic analysis. It is faster because there are no special conditions for the analysis and the file is not executed, but it gives worse results. Antivirus tools mostly use static analysis and are therefore unreliable at detecting new malware. In this thesis the open-source ClamAV antivirus tool was used to check files against already known malicious files. Dynamic malware analysis is carried out by observing the behaviour of a potentially malicious file while it is running. This form of analysis is usually performed in a protected environment to prevent infection of the system. Additional dynamic file analysis was implemented with the Cuckoo sandbox. NSM addresses monitoring the state of the network, but not of the network's endpoints. Every device on the network produces its own security logs and reports events. A SIEM system consolidates the event data produced by security devices, network infrastructure and so on. For this reason the thesis uses the Security Onion Linux distribution, which contains the NSM tools listed above and provides SIEM functionality built around the Elastic Stack product family. Files traversing the network are extracted with Zeek and sent for analysis to ClamAV and the Cuckoo sandbox. The data about the files is consolidated and enriched using programs from the Elastic Stack.
Abstract (english) The modern NSM cycle consists of three phases: data collection, malware detection, and malware analysis. In the collection phase, it is essential to define the network architecture in order to set up devices and systems for data collection efficiently. With a poor setup, it is possible to lose visibility into who communicated with whom within the network, and how. It is also necessary to know the network traffic statistics in order to set up a data collection system that can withstand the network load. In the malware detection phase, the input vectors must be well defined so that the detection tools can be adapted accordingly. Common malware detection techniques are based on some type of code signature, anomaly, or statistical deviation of behavior in the system. Some of the most popular open source detection systems are Snort, Suricata, and Zeek IDS. Best network monitoring practice would include a Suricata instance for quick recognition of known threats, combined with Zeek IDS data handling, which provides the context needed for more adequate alerting. With Zeek, it is possible to find out what behavior caused the incident and what happened after the incident. Malware analysis is the final phase of the NSM cycle. Malware analysis can be static or dynamic. Static analysis is faster and less risky than dynamic analysis. It is faster because there are no special conditions for the analysis and the file isn't run, but it gives worse results. Antivirus tools mostly use static analysis and are therefore not reliable in detecting new malware. The ClamAV antivirus tool was used in this thesis for its ability to check files against known malicious files. Dynamic malware analysis is performed by observing the behavior of a potentially malicious file while it is running. This form of analysis is most often carried out in a protected environment to prevent infection of the system. Additional dynamic file analysis is achieved using the Cuckoo sandbox.
NSM solves the problem of network monitoring, but not of monitoring the endpoints of the network. Each network device creates its own security logs and reports events. A SIEM system combines event data from security devices, network infrastructure, etc. This is why the Security Onion Linux distribution was used: Security Onion contains the NSM tools utilized in this thesis and provides the functionality of a SIEM system built around the Elastic Stack core. Files that traverse the network are extracted using Zeek and sent for analysis to ClamAV and the Cuckoo sandbox. File data is unified and enriched using Elastic Stack programs.
Keywords
malware analysis
NSM
SIEM
Cuckoo sandbox
Security Onion
ClamAV
Keywords (english)
malware analysis
NSM
SIEM
Cuckoo sandbox
Security Onion
ClamAV
Language croatian
URN:NBN urn:nbn:hr:168:778288
Study programme Title: Information and Communication Technology Study programme type: university Study level: graduate Academic / professional title: Master of Engineering in Information and Communication Technology (magistar/magistra inženjer/inženjerka informacijske i komunikacijske tehnologije)
Type of resource Text
File origin Born digital
Access conditions Closed access
Created on 2020-01-07 20:59:11