monk-it
Efficient Distributed Monitoring, Attack Detection, and Event Correlation
Timeframe
1 January 2007 - 30 September 2010
Institutions
- Computer Networks and Communication Systems, University of Erlangen
- Regional Computing Center, University of Erlangen
Team
- Dr. Falko Dressler (coordination)
- Prof. Dr. Reinhard German
- Dr. Peter Holleczek (RRZE)
- Tobias Limmer
- Susanne Horst (RRZE)
Funding
- BSI (Bundesamt für Sicherheit in der Informationstechnik)
Description
The number, rate, and sophistication of attacks are steadily increasing
with the enormous growth of the Internet and of its concurrent users and
services. The best-known examples are viruses and worms, which have
reached alarming scales. The Federal Office for Information Security
(BSI) identified these threats and initiated the development of a
national early warning system for Germany. Such a system must be able to
detect and analyze attacks and to initiate adequate response measures. In
general, it has to meet high demands on timeliness and flexibility while
handling ever-increasing amounts of data.
The monk-it project aims to develop, implement, and integrate two main
building blocks of this early warning system: an efficient network
monitoring system that operates in a distributed environment, and attack
detection and event correlation techniques that work at higher layers on
the monitored data.
Passive network monitoring is a challenging task in current
multi-gigabit networks. Within this project, novel algorithms are
investigated for the load-dependent re-configuration of distributed
monitoring stations. Additionally, selected attack detection mechanisms,
so-called pre-processors, are moved directly into the monitoring task in
order to reduce the amount of monitoring data that has to be analyzed at
a central detection system. The final goal is an "intelligent",
self-organizing monitoring environment that supports and simplifies
further attack analysis.
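The following is an added illustration of the two ideas in the paragraph above; it is not code from Vermont or from the monk-it project. It aggregates packets into 5-tuple flows (the unit an IPFIX exporter emits), runs a small SYN-scan pre-processor inside the monitor so that a scan leaves the sensor as one event instead of one record per probed port, and re-configures itself under load by switching to 1-in-N packet sampling (in the style of PSAMP) when the flow table exceeds its capacity. The sampling policy (double N when over capacity, halve it after an export), the thresholds, and the traffic sample are all assumptions made for the example.

```python
"""Flow meter with an in-line scan pre-processor and load-dependent
sampling. Added example; not Vermont or monk-it code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    syn_only: bool = False  # TCP SYN without ACK: a bare connection attempt


@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    syn_only: int = 0       # packets in this flow that were bare SYNs


class FlowMeter:
    def __init__(self, max_flows=1000, scan_threshold=3, max_sampling=64):
        self.flows = {}                 # 5-tuple -> Flow
        self.max_flows = max_flows      # table size that triggers reconfiguration
        self.scan_threshold = scan_threshold
        self.max_sampling = max_sampling
        self.sampling_n = 1             # 1 = every packet, N = one packet in N
        self.seen = 0
        self.reconfigurations = []      # (packets seen, new sampling_n)

    def observe(self, pkt):
        """Feed one packet; returns True if it was accounted to a flow."""
        self.seen += 1
        if self.seen % self.sampling_n:
            return False                # dropped by 1-in-N packet sampling
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(first=pkt.ts, last=pkt.ts)
        flow.last = pkt.ts
        flow.packets += 1
        flow.octets += pkt.length
        flow.syn_only += int(pkt.syn_only)
        # Load-dependent reconfiguration (assumed policy): table over
        # capacity -> coarser sampling, up to max_sampling.
        if len(self.flows) > self.max_flows and self.sampling_n < self.max_sampling:
            self.sampling_n *= 2
            self.reconfigurations.append((self.seen, self.sampling_n))
        return True

    def preprocess(self):
        """Scan pre-processor: sources whose flows consist only of bare SYNs
        to at least scan_threshold distinct (dst, dport, proto) targets."""
        targets = defaultdict(set)
        for (src, dst, _sport, dport, proto), flow in self.flows.items():
            if flow.syn_only == flow.packets:
                targets[src].add((dst, dport, proto))
        return {s: t for s, t in targets.items() if len(t) >= self.scan_threshold}

    def export(self):
        """End of a measurement interval: emit events plus the flows not
        already summarised by an event, then clear the table."""
        scans = self.preprocess()
        events = [{"type": "scan", "src": s, "targets": len(t)}
                  for s, t in sorted(scans.items())]
        records = [(key, flow) for key, flow in self.flows.items()
                   if not (key[0] in scans and flow.syn_only == flow.packets)]
        self.flows.clear()
        if self.sampling_n > 1:         # load is gone: relax sampling one step
            self.sampling_n //= 2
            self.reconfigurations.append((self.seen, self.sampling_n))
        return events, records


def constructed_traffic():
    """Constructed sample: a SYN scan of four ports plus one ordinary TLS flow."""
    pkts = [Packet(1.0 + i, "10.0.0.5", "192.168.1.1", 40000 + i, port, 6, 60, True)
            for i, port in enumerate((21, 22, 23, 80))]
    pkts += [Packet(2.0 + i, "10.0.0.7", "192.168.1.2", 51000, 443, 6,
                    60 if i == 0 else 1200, i == 0) for i in range(3)]
    return pkts


def run(meter, packets):
    for pkt in packets:
        meter.observe(pkt)
    return meter.export()


if __name__ == "__main__":
    events, records = run(FlowMeter(), constructed_traffic())
    print(events)          # one scan event instead of four half-open flows
    print(len(records))    # 1: only the TLS flow leaves the sensor as a record
```

Feeding the constructed traffic yields a single scan event and one flow record; the four half-open flows of the scan never reach the central system. Feeding a flood of distinct flows into a meter with a small `max_flows` shows the other mechanism: the sampling rate climbs step by step until the table growth is contained, and relaxes again after the next export. Note that a real flow meter must also bound the table against deliberate flooding (the project's LCN 2009 paper on hash tables addresses exactly that); this example only adapts sampling.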
Even when singular attacks are detected, any single sensor sees only a
limited part of the overall network, so an attack that is spread across
many sensors can stay below every local threshold. Event correlation
techniques derive more informative conclusions from such individually
inconclusive measurements. This primarily helps to detect distributed
attacks and to enforce adequate countermeasures.
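An added example of the correlation step, written for this page and not taken from Prism++ or the project: each sensor reports the connection attempts its pre-processor saw, and none of them alone exceeds a local scanner threshold. A central correlator keeps a sliding time window over all sensors' reports and applies two rules that are assumptions of the example: one source probing many targets behind more than one sensor (a distributed scan), and many sources probing the same service from more than one network segment (a worm-like spread). The sensor names, thresholds, window length and events are all constructed.

```python
"""Event correlation across sensors. Added example; not Prism++ code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds
    sensor: str     # reporting monitoring station
    src: str
    dst: str
    dport: int


def local_alerts(events, threshold=5):
    """What each sensor could conclude on its own: a source is a scanner
    only if that sensor itself saw it probe >= threshold distinct targets."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.sensor, e.src)].add((e.dst, e.dport))
    return sorted(k for k, t in seen.items() if len(t) >= threshold)


class Correlator:
    def __init__(self, window=60.0, scan_targets=8, worm_sources=3):
        self.window = window            # seconds of history kept
        self.scan_targets = scan_targets
        self.worm_sources = worm_sources
        self.events = []

    def add(self, ev):
        """Append one event and expire everything older than the window."""
        self.events.append(ev)
        cutoff = ev.ts - self.window
        self.events = [e for e in self.events if e.ts >= cutoff]

    def correlate(self):
        targets, src_sensors = defaultdict(set), defaultdict(set)
        port_sources, port_sensors = defaultdict(set), defaultdict(set)
        for e in self.events:
            targets[e.src].add((e.dst, e.dport))
            src_sensors[e.src].add(e.sensor)
            port_sources[e.dport].add(e.src)
            port_sensors[e.dport].add(e.sensor)
        alerts = []
        # Rule 1 (assumed): one source, many targets, seen by several sensors.
        for src, t in sorted(targets.items()):
            if len(t) >= self.scan_targets and len(src_sensors[src]) > 1:
                alerts.append({"type": "distributed_scan", "src": src,
                               "targets": len(t), "sensors": len(src_sensors[src])})
        # Rule 2 (assumed): many sources, one service, in several segments.
        for port, s in sorted(port_sources.items()):
            if len(s) >= self.worm_sources and len(port_sensors[port]) > 1:
                alerts.append({"type": "worm_spread", "dport": port,
                               "sources": len(s), "sensors": len(port_sensors[port])})
        return alerts


def constructed_events():
    """Constructed sensor reports; no single sensor sees enough to alarm."""
    evs = [Event(0.0, "sensor-A", "10.0.0.5", "192.168.9.9", 22)]  # stale, expires
    t = 100.0
    sensors = ("sensor-A", "sensor-B", "sensor-C")
    # one scanner, three targets in each segment: below the per-sensor threshold
    for i, sensor in enumerate(sensors):
        for j in range(3):
            evs.append(Event(t + 5 * i + j, sensor, "10.0.0.5",
                             f"192.168.{i + 1}.{j + 1}", 22))
    # three different hosts, each probing port 445 in its own segment
    for i, (sensor, src) in enumerate(zip(sensors, ("10.0.1.1", "10.0.2.2", "10.0.3.3"))):
        evs.append(Event(t + 20 + i, sensor, src, f"192.168.{i + 1}.50", 445))
    return evs


def run(events):
    c = Correlator()
    for e in events:
        c.add(e)
    return c, c.correlate()


if __name__ == "__main__":
    print(local_alerts(constructed_events()))   # []: no sensor alarms alone
    _, alerts = run(constructed_events())
    print(alerts)                                # distributed scan + worm spread
```

Running it shows the point of the paragraph: `local_alerts` stays empty because every sensor saw at most three or four probes from any one source, while the correlator raises both a distributed-scan and a worm-spread alert from the same reports. The sliding window also discards the stale report at `t = 0`, which keeps the correlator's state bounded; in production the rules would additionally need whitelists for services that are legitimately contacted from everywhere.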
Together, both modules form central parts of the envisioned early
warning system. To simplify their use and integration, standardized
formats and protocols are used consistently; for that reason the project
also takes an active part in the IETF standardization process.
IPFIX/PSAMP Monitoring and Event Correlation Tools
- Vermont - IPFIX/PSAMP-conformant network monitoring system
- Prism++ - Event correlation engine and web-based GUI
Selected Publications
- Tobias Limmer and Falko Dressler, "Dialog-based Payload Aggregation for Intrusion Detection," Proceedings of 17th ACM Conference on Computer and Communications Security (CCS 2010), Poster Session, Chicago, IL, October 2010, pp. 708–710.
- Tobias Limmer and Falko Dressler, "Flow-based TCP Connection Analysis," Proceedings of 28th IEEE International Performance Computing and Communications Conference (IPCCC 2009), 2nd IEEE International Workshop on Information and Data Assurance (WIDA 2009), Phoenix, AZ, December 2009, pp. 376–383.
- David Eckhoff, Tobias Limmer and Falko Dressler, "Hash Tables for Efficient Flow Monitoring: Vulnerabilities and Countermeasures," Proceedings of 34th IEEE Conference on Local Computer Networks (LCN 2009), 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zürich, Switzerland, October 2009, pp. 1087–1094.
- Tobias Limmer and Falko Dressler, "Flow-based Front Payload Aggregation," Proceedings of 34th IEEE Conference on Local Computer Networks (LCN 2009), 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zürich, Switzerland, October 2009, pp. 1102–1109.
- Tobias Limmer and Falko Dressler, "Seamless Dynamic Reconfiguration of Flow Meters: Requirements and Solutions," Proceedings of 16. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2009), Kassel, Germany, March 2009, pp. 179–190.
- Tobias Limmer and Falko Dressler, "Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems," Department of Computer Science 7, Technical Report 01/08, April 2008.
- Falko Dressler, Wolfgang Jaegers and Reinhard German, "Flow-based Worm Detection using Correlated Honeypot Logs," Proceedings of 15. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2007), Bern, Switzerland, February 2007, pp. 181–186.
- Jochen Kaiser, Alexander Vitzthum, Peter Holleczek and Falko Dressler, "Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software," Proceedings of GI SIDAR International Conference on IT-Incident Management and IT-Forensics (IMF 2006), vol. LNI P-97, Stuttgart, Germany, October 2006, pp. 92–103.
- Ronny T. Lampert, Christoph Sommer, Gerhard Münz and Falko Dressler, "Vermont - A Versatile Monitoring Toolkit for IPFIX and PSAMP," Proceedings of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tübingen, Germany, September 2006, pp. 62–65.
- Falko Dressler, Reinhard German and Peter Holleczek, "Selbstorganisierende Netzwerksensoren und automatisierte Ereigniskorrelation" (Self-organizing network sensors and automated event correlation), Proceedings of BSI-Workshop IT-Frühwarnsysteme (BSI workshop on IT early warning systems), Bonn, Germany, July 2006, pp. 117–128.