TOBOLÍK, D. Acceleration of the Suricata System Using Pattern-Matching Metadata (original title: Akcelerace systému Suricata prostřednictvím vyhledávacích metadat) [online]. Brno: Brno University of Technology, Faculty of Information Technology, 2024.

Reviews

Supervisor's review

Šišmiš, Lukáš

The student was actively working during the entire duration of the bachelor thesis. Both the textual and practical parts of the thesis are of great quality. The student accomplished all points from the assignment; therefore, the student was able to design a pattern-matching component for DPDK Prefilter and utilize this information in Suricata IDS to further accelerate it. I particularly appreciate the detailed evaluation part of the thesis, in which the student had to study the proper testing methods. In the experiments, the student adhered to the evaluation methods, and the experiments were executed with great attention to detail. The student's work has given valuable insight into the domain of pattern-matching-accelerated Intrusion Detection Systems and provides a good motivation for further continuation in this domain. I propose an overall evaluation grade of A (Excellent).

Partial evaluation

Criterion | Grade | Points | Comment
Information on the assignment | | | The goal of the thesis was to accelerate Suricata using pattern-matching metadata. The assignment was challenging, as it required a comprehensive study of the DPDK library, Suricata IDS, and DPDK Prefilter. The student explored the possibilities of pattern matching in network traffic and designed a pattern-matching component for the DPDK Prefilter system. Then the student proposed how the metadata can be utilized in Suricata. Implementing the proposed solution and analyzing its results under selected traffic and rulesets required substantial technical expertise. For the evaluation, it was required to get acquainted with suitable testing methods for network applications. That included the automation of repeated network measurements, using the advanced traffic generator Cisco TRex, and applying suitable evaluation practices.
Work with literature | | | The student independently sought out all necessary study materials.
Activity during the work, consultations, communication | | | During the course of the thesis, the student was proactive and regularly consulted with the supervisor. The student was always prepared for the consultations.
Activity during completion | | | The work was completed on schedule. Both the textual and practical parts of the thesis were regularly consulted.
Publications, awards | | | No publications were made, but the results can serve as a motivation for further advancements in this direction.

Proposed grade
A
Points
95

Opponent's review

Kekely, Lukáš

The student tackled a complex assignment and managed to achieve promising results. He designed and implemented his own interesting extension to existing systems. Based on his initial evaluation, the extensions may prove beneficial for a general set of pattern-match-based threat detections. Overall, an excellent (A) achievement for a bachelor's thesis.

Partial evaluation

Criterion | Grade | Points | Comment
Difficulty of the assignment | | | The assignment deals with a rather complex topic. Before any implementation can even be attempted, a deep understanding of many interconnected parts must be obtained. These include especially Suricata IDS, the Hyperscan pattern-matching engine, and DPDK drivers plus the Prefilter module. Designing and testing a custom extension in such an environment should also prove challenging.
Extent of fulfilment of the assignment requirements | | | The author achieved all of the stated objectives. A slight extension to objective 3 is also presented, as 4 different variants of packet metadata are proposed and evaluated.
Length of the technical report | | | The technical report is on the longer side of the required/standard length.
Presentation level of the technical report | | 95 | The author provides a thorough overview of the technical background topics (~2/3 of the report) and a clear description of his own contributions built on top of them. The text contains only relevant information at reasonable levels of detail. The continuity of chapters is easy to follow, and the reader is guided to the logical conclusions made by the author.
Formal layout of the technical report | | 85 | The technical report is written entirely in English of sufficient quality. Some minor language enhancements could be achieved by proofreading with a native speaker. Typographically, the text is well formatted. Again, only minor imperfections can be pointed out (single-word lines, i.e. runts; small font size in graph labels; etc.).
Work with literature | | 95 | The author uses only relevant primary sources. The number of referenced works is above the standard for a bachelor's thesis and would be more in line with a master's thesis.
Implementation output | | 90 | The implementation is realised directly in the open-source repository of the Suricata IDS as individual Git branches. The code structure and level of comments seem to be consistent with the rest of this repository. A README.md file is provided by the author that clearly highlights the separation of his own extensions from the rest of the code base. It also contains instructions for installation, execution, and testing. All of the results presented in the report can be easily verified/replicated on other data sets, as all the testing scripts are provided as well.
Usability of results | | | The work extends the existing and widely used open-source Suricata IDS. It is also part of the CESNET association's network security research and may be used or further extended in their infrastructure. With some additional testing and evaluation, the achieved results may be presented as a poster at a relevant international conference (e.g. SuriCon).

Proposed grade
A
Points
90

Questions

eVSKP id 154375