
Identification and profiling of tools used in cyber attacks
Zorman, Rok (Author), Sedlar, Urban (Mentor)

PDF - Presentation file (4,76 MB)
MD5: 12604F877EDA39FC3D1A665D3D1C6DF1

Abstract
The field of cybersecurity plays an ever more important role, since the number of devices connected to the internet, as well as the number of cyber attacks, is constantly increasing. Honeypot systems are used to monitor attacks and the behaviour of attackers. To better understand the behaviour of attackers, this master's thesis is devoted to the analysis of the data produced when a honeypot system is used, with the aim of identifying the various tools used by attackers. In the theoretical part we present different types of cyber attacks as well as the honeypot systems that allow us to monitor and analyse attacks. We present the selected tools that we tested in the practical part of the thesis and then analyse the corresponding honeypot logs they produced. For each of the presented tools we describe the results of the analysis. We describe the characteristics found in the individual log files by which the use of a particular tool can be detected. Finally, we compare the success and reliability of detection for the individual tools. We also tested the use of large language models for analysing log files and detecting the tools used, and compared the results of the language-model analysis with the results of the analysis carried out earlier. The results of the analysis show that the tools attacking the SSH honeypot can be detected successfully, namely Hydra, Ncrack, certain Metasploit modules and some modes of using Nmap. SQLmap and Nikto are also detected successfully. With some modes of scanning for open ports with Nmap and Metasploit, the two tools cannot be distinguished from one another. The most difficult to detect is Wfuzz, for which we found only one characteristic, which the attacker can change and thereby prevent detection.

Language: Slovenian
Keywords: kibernetska varnost, past za napadalce, Kali Linux, Hydra, Metasploit, Ncrack, Nikto, Nmap, SQLmap, Wfuzz
Work type: Master's thesis/paper
Organization: FE - Faculty of Electrical Engineering
Year: 2024
PID: 20.500.12556/RUL-159630
COBISS.SI-ID: 202402051
Publication date in RUL: 16.07.2024
Views: 266
Downloads: 62

Secondary language

Language: English
Title: Identification and profiling of cyber attack tools
Abstract:
Cybersecurity is becoming increasingly important, as the number of connected devices, as well as the number of cyber attacks, continues to rise. We use honeypots to observe attackers. To better understand their behaviour, the thesis focuses on the analysis of the data generated by the honeypots, with the goal of identifying the different tools used by attackers. In the theoretical part of the thesis we present the different kinds of cyber attacks, as well as the system of honeypots used to observe and analyse the attacks. We present the selected tools used in the practical part of the thesis and analyse the corresponding logs generated by the honeypots. For each of the tools we present the results of the analysis. We describe the characteristics of each tool found in the logs, which can be used to identify its use. Finally, we compare the success and reliability of detection for each of the tools. We also tested the use of large language models for log analysis and tool identification, and compared the results obtained with large language models to the results of the previous analysis. The results of the analysis show that we can successfully detect the use of the tools that attack the SSH honeypot: Hydra, Ncrack, certain Metasploit modules and some options of Nmap. We also successfully detected SQLmap and Nikto. In some types of port scans we cannot distinguish between uses of Nmap and Metasploit. The most difficult tool to detect was Wfuzz, for which we found only one characteristic usable for detection, which the attacker can change, thus making detection impossible.

Keywords: cybersecurity, honeypot, Kali Linux, Hydra, Metasploit, Ncrack, Nikto, Nmap, SQLmap, Wfuzz
