Conception and Implementation of a Network Security Monitor for the Security Monitoring of the Munich Scientific Network

Background

The Leibniz Supercomputing Centre of the Bavarian Academy of Sciences and Humanities (LRZ) operates the Munich Scientific Network (MWN). The MWN consists of a backbone network with routers and switches for connecting the networks of the institutions at the various locations. In order to operate and maintain the network, certain network security monitoring tools are in place. The current systems could be expanded by implementing another type of network security monitor called Zeek.

Zeek is not an active security device like a firewall or an intrusion prevention system. Rather, Zeek runs on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, extracted file content, and fully customizable output, suitable for manual review on disk or for ingestion into a more analyst-friendly tool such as a security information and event management (SIEM) system. Analyzing network traffic in real time is no easy task and requires a lot of processing power. To overcome this, a distributed Zeek sensor architecture has to be implemented, which brings its own challenges (management of the individual sensors, configuration updates, etc.).
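To make the notion of a "compact, high-fidelity transaction log" concrete, the following added example (not code from the original page, LRZ, or the Zeek project) parses a few constructed records in the tab-separated layout of Zeek's conn.log and derives the kind of per-host summary an analyst or a tool like RITA would start from: connection counts, distinct destinations, bytes sent, unusually long connections, and repeated connections between the same endpoints. The field subset, the threshold of one hour for a "long" connection, and all addresses, UIDs and timestamps are assumptions made for the example.

```python
"""Parse Zeek conn.log records (TSV) and summarise them per source host."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample in Zeek's default TSV layout: '#'-prefixed header lines,
# then one tab-separated record per connection. Only a subset of conn.log's
# fields is used; addresses, UIDs and timestamps are made up, not MWN traffic.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
_TYPES = ["time", "string", "addr", "port", "addr", "port",
          "enum", "string", "interval", "count", "count", "string"]
_ROWS = [
    ["1702276410.123456", "CAbc1a", "10.0.0.5", "51234", "192.0.2.10", "443", "tcp", "ssl", "1.234", "500", "1200", "SF"],
    ["1702276470.000000", "CAbc1b", "10.0.0.5", "51235", "192.0.2.10", "443", "tcp", "ssl", "0.980", "480", "1100", "SF"],
    ["1702276530.500000", "CAbc1c", "10.0.0.5", "51236", "192.0.2.10", "443", "tcp", "ssl", "1.010", "510", "1150", "SF"],
    ["1702276600.000000", "CAbc1d", "10.0.0.7", "40000", "198.51.100.20", "22", "tcp", "ssh", "7200.5", "30000", "900000", "SF"],
    # A connection attempt without a reply: Zeek leaves duration/bytes unset ("-").
    ["1702276700.000000", "CAbc1e", "10.0.0.7", "40001", "198.51.100.21", "53", "udp", "dns", "-", "-", "-", "S0"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tconn",
     "#fields\t" + "\t".join(_FIELDS), "#types\t" + "\t".join(_TYPES)]
    + ["\t".join(r) for r in _ROWS]
    + ["#close\t2023-12-11-07-33-30"]
)

Record = Dict[str, Optional[str]]


def parse_conn_log(text: str) -> List[Record]:
    """Return one dict per record; unset fields ("-" by default) become None."""
    fields: List[str] = []
    unset = "-"
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]          # column names for the records that follow
            elif parts[0] == "#unset_field":
                unset = parts[1]            # marker Zeek uses for absent values
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            continue                        # truncated or malformed record: skip it
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


def summarise_by_source(records: List[Record], long_conn_seconds: float = 3600.0) -> Dict[str, dict]:
    """Per originating host: connection count, distinct peers, bytes sent, long connections."""
    summary: Dict[str, dict] = {}
    for r in records:
        s = summary.setdefault(r["id.orig_h"], {
            "connections": 0, "destinations": set(), "orig_bytes": 0, "long_connections": []})
        s["connections"] += 1
        s["destinations"].add(r["id.resp_h"])
        if r["orig_bytes"] is not None:
            s["orig_bytes"] += int(r["orig_bytes"])
        # Long-lived sessions are worth a look by an analyst (the threshold is an assumption).
        if r["duration"] is not None and float(r["duration"]) >= long_conn_seconds:
            s["long_connections"].append((r["uid"], r["id.resp_h"], r["id.resp_p"], float(r["duration"])))
    return summary


def connection_pairs(records: List[Record]) -> Counter:
    """Count connections per (source, destination, destination port) triple."""
    return Counter((r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]) for r in records)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host, s in summarise_by_source(recs).items():
        print(host, s["connections"], "conns,", len(s["destinations"]), "peers,",
              s["orig_bytes"], "bytes sent, long:", s["long_connections"])
    for pair, n in connection_pairs(recs).most_common(3):
        print(pair, n)
```

The parser reads the column layout from the `#fields` header instead of hard-coding it, so the same code works for any Zeek log type (dns.log, ssl.log, ...) and survives field additions by local Zeek scripts; in a distributed sensor deployment this matters because different sensors may run different script sets.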

The outcome of this thesis should be a concept and prototypical implementation of a distributed network security monitor using Zeek with additional threat analytics (e.g. RITA https://github.com/activecm/rita) that can be part of the greater security monitoring at LRZ.

Outline of this work:

Advisor: Prof. Dr. Helmut Reiser

Prerequisites:

Duration of the diploma or master's thesis: according to the study regulations

Number of students: 1

Supervisor:

Last Change: Mon, 11 Dec 2023 07:33:30 +0100
Copyright © MNM-Team http://www.mnm-team.org - Impressum / Legal Info  - Datenschutz / Privacy