Information system of the Friedrich-Alexander-Universität Erlangen-Nürnberg © Config eG
Technische Fakultät (TF), Department Informatik (INF), Lehrstuhl für Informatik 7 (Rechnernetze und Kommunikationssysteme)
monk-it - Efficient distributed monitoring, attack detection, and event correlation

The number, rate, and quality of attacks are steadily increasing with the enormous growth of the Internet, its concurrent users, and its services. The best-known examples are viruses and worms, which have reached alarming scales. The Federal Office for Information Security (BSI) identified these threats and initiated the development of a national early warning system for Germany. This system should be able to detect and analyze attacks and to initiate adequate response measures. In general, such an early warning system has high demands on timeliness and flexibility while it must be able to handle increasing amounts of data.
The monk-it project aims to develop, implement, and integrate two main building blocks for the described early warning system: an efficient network monitoring system operating in a distributed environment, and subsequent attack detection and event correlation techniques at higher layers. Passive network monitoring is a challenging task in current multi-gigabit networks. In the scope of this project, novel algorithms are investigated for the load-dependent re-configuration of distributed monitoring stations. Additionally, selected attack detection mechanisms, so-called pre-processors, are moved directly into the monitoring task in order to reduce the amount of monitoring data that has to be analyzed at a central detection system. The final goal is to develop an "intelligent" self-organizing monitoring environment that supports and simplifies further attack analysis.
Independently of the detection of individual attacks, the visibility of such attacks in the overall network can be limited. Event correlation techniques aim at producing more informative conclusions from non-correlated single measurements. This mainly helps to detect distributed attacks and to enforce adequate countermeasures.
Altogether, both modules represent powerful parts of the envisioned early warning system. In order to simplify their use and integration, standardized formats and protocols will be used consistently. Thus the project also encourages active participation in the IETF standardization processes.
PD Dr.-Ing. habil. Falko Dressler, Prof. Dr.-Ing. Reinhard German, Dr. rer. nat. Peter Holleczek

Dipl.-Inf. Tobias Limmer, Dipl.-Inf. Jochen Kaiser

Duration: 1.1.2007 - 30.9.2010

BSI (Bundesamt für Sicherheit in der Informationstechnik)

Limmer, Tobias; Dressler, Falko: Flow-based TCP Connection Analysis. In: Proc. of 28th IEEE International Performance Computing and Communications Conference (IPCCC 2009), 2nd IEEE International Workshop on Information and Data Assurance (WIDA'09), Phoenix, AZ, USA, December 2009.
Limmer, Tobias; Dressler, Falko: Flow-based Front Payload Aggregation. In: Proc. of 34th IEEE Conference on Local Computer Networks (LCN 2009), 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zurich, Switzerland, October 2009, pp. 1102-1109.
Eckhoff, David; Limmer, Tobias; Dressler, Falko: Hash Tables for Efficient Flow Monitoring: Vulnerabilities and Countermeasures. In: 34th IEEE Conference on Local Computer Networks (LCN 2009), 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zurich, Switzerland, 2009, pp. 1087-1094.
Limmer, Tobias; Dressler, Falko: Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems. Erlangen-Nürnberg: Friedrich-Alexander-Universität, 2008 (1). Internal report.
Limmer, Tobias; Dressler, Falko: Distributed monitoring and analysis for reactive security. In: Proceedings of SPRING - GI/SIDAR Graduierten-Workshop über Reaktive Sicherheit, Dortmund, Germany, July 2007.
Dressler, Falko; Jaegers, Wolfgang; German, Reinhard: Flow-based Worm Detection using Correlated Honeypot Logs. In: Proc. of 15. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2007), Bern, Switzerland, February 2007, pp. 181-186.
Dressler, Falko; German, Reinhard; Holleczek, Peter: Selbstorganisierende Netzwerksensoren und automatisierte Ereigniskorrelation. In: BSI (Ed.): Proc. of BSI-Workshop IT-Frühwarnsysteme, Bonn, Germany, July 2006, pp. 117-128.
Kaiser, Jochen; Vitzthum, Alexander; Holleczek, Peter; Dressler, Falko: Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software. In: Proc. of GI SIDAR International Conference on IT-Incident Management & IT-Forensics (IMF 2006), Stuttgart, Germany, October 2006. Vol. LNI P-97. Berlin: Springer Verlag, 2006, pp. 92-103.
Kaiser, Jochen; Vitzthum, Alexander; Holleczek, Peter; Dressler, Falko: Ein Sicherheitsportal zur Selbstverwaltung und automatischen Bearbeitung von Sicherheitsvorfällen als Schlüsseltechnologie gegen Masseninfektionen. In: Proc. of SPRING - GI/SIDAR Graduierten-Workshop über Reaktive Sicherheit, Berlin, Germany, July 2006.
Lampert, Ronny T.; Sommer, Christoph; Münz, Gerhard; Dressler, Falko: Vermont - A Versatile Monitoring Toolkit Using IPFIX/PSAMP. In: Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tübingen, Germany, September 2006, pp. 62-65.