Perspectives Workshop: Network Attack Detection and Defense

Dagstuhl Völklingen

Authors / Topics
Joachim Biskup, Michael Meier: Specification and Enforcement of Availability and Confidentiality Policies as Enabler of Cooperative Security Surveillance
Georg Carle: On network attack detection and response
Marc Dacier: From intrusion detection to attack attribution vs. from error detection to fault diagnosis
Peter Herrmann: Making Distributed Services Security-Aware – Desires of a Software Engineer
Thorsten Holz: The Future of Honeypots
Marko Jahnke: Practical Challenges for Intrusion Detection and Response in tactical MANETs
Richard Kemmerer: Intrusion Detection: Yesterday, Today, and Tomorrow
Pavel Laskov: Similarity-based anomaly detection for network security
Tobias Limmer: Requirements and State of the Art for Seamless Reconfiguration of Flow Meters
Günter Schäfer: Intrusion Detection in Mobile Communication Networks
Sebastian Schmerl, Hartmut König: Speed up the modeling process of Snort signatures by reuse
Robin Sommer: Application-oriented Network Security
Radu State: Advanced vulnerability searching with fuzzing
James Sterbenz: Multilevel Defensive Network Architecture
Stephen D. Wolthusen: Concurrent Probabilistic Attack Detection and Self-Defense
Tanja Zseby: Expect the Unexpected! The importance of passive measurements for Network Security

Authors' abstracts

Joachim Biskup,
Michael Meier

Specification and Enforcement of Availability and Confidentiality Policies as Enabler of Cooperative Security Surveillance

It is widely agreed that in order to be able to effectively respond to emerging threats in networked environments like the Internet, the cooperative sharing and correlation of monitoring data is required. Such a cooperative network monitoring scenario involves different parties. In fact, the interests of all network participants and all partners in monitoring have to be considered, which includes several competing network and information technology providers, competing companies, governmental institutions, and private customers/users. The interests of these parties regarding their participation in the network are diverse and partially conflicting. This is particularly the case concerning network monitoring and the sharing of security information. To enable an effective cooperative exchange and analysis of monitoring data, fair and balanced consideration has to be given to all declared interests. Parties participating in a cooperative network monitoring scenario act in different roles like sensor, analyzer and prosecutor. Each role has particular requirements on the data. For example, while a sensor should just reliably forward raw data about observed events, an analyzer requires the monitoring data to be analyzable (in particular linkable, as requested by the analysis tool), and a prosecutor needs to infer the identity of attackers from attack data (in particular to technically reverse anonymizations). We propose to specify role-specific availability and confidentiality requirements by a dedicated surveillance policy that reflects and integrates the occurring interests of the parties involved. Moreover, we aim at deriving appropriate enforcement means from the policy, to semi-automatically configure a cooperative monitoring scenario.
Suitably composed, the means should lead to customized information reductions that protect confidential information in monitoring data but keep the data analyzable regarding security violations, and also allow confidential information to be disclosed in case it is related to a detected attack.

Georg Carle

On network attack detection and response

The talk gives a possible view on attack detection classification, and presents work in our group on network attack detection and response. A system architecture for distributed network attack detection and response is introduced. The following aspects are covered in more detail: tailoring of network monitoring and attack detection to specific use-cases, and the policy-based handling of attack incidents. Additionally, specific anomaly and attack detection approaches are covered: network anomaly detection using k-means clustering and signature detection in sampled packets.

Marc Dacier

From intrusion detection to attack attribution vs. from error detection to fault diagnosis

This talk aims at positioning the recently introduced notion of "attack attribution" in the context of the ongoing research on intrusion detection. These concepts will be precisely defined and compared to the classical terms of "error detection" and "fault diagnosis" that have been used by the dependability community for decades. References to the work carried out in two European projects related to these ideas, namely the Resist NoE and the WOMBAT STREP, will also be provided.

Peter Herrmann

Making Distributed Services Security-Aware – Desires of a Software Engineer

The recent developments in the field of wireless communication make new kinds of meaningful networked services possible. For acceptance, however, the resulting applications have to be trustworthy and secure, which can be guaranteed by suitable security mechanisms from, amongst others, network security and intrusion detection. Practice has proved that it is much easier to integrate the security blocks into the basic design of a service than to add them to the final implementation. Of course, this makes the overall design process more complex. As modern system design techniques are often based on formal models, however, the design process can be significantly eased by also modeling the security mechanisms and synthesizing both model descriptions. This definitely requires approaches in which the security-oriented and the functional modeling strategies fit. In my talk, I will – referring to our current work – introduce recent functional modeling techniques, outline opportunities to add security mechanisms to them, and discuss interesting research and development issues in the field of network security and intrusion detection which may help to streamline the synthesis of functional and security models.

Thorsten Holz

The Future of Honeypots

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. These tools are electronic decoys that pretend to be a normal system, but are really waiting to be attacked and compromised for the purpose of tracking attackers and learning more about their proceedings. Honeynets are networks of honeypots and have proven to be an effective tool in learning more about Internet crime like credit card fraud, botnets, and other areas of network-based attacks. As attacks in communication networks evolve, the design of honeypots and honeynets also needs to evolve. In this talk, we present some ideas of possible future developments for honeypots and we highlight future challenges in this area.

Marko Jahnke

Practical Challenges for Intrusion Detection and Response in tactical MANETs

This talk presents an overview of the challenges for deploying and developing solutions for intrusion detection and response in so-called tactical MANETs, i.e. mobile ad hoc networks used to support intervention forces (e.g. infantry troops, disaster area rescue personnel).

After characterizing the relevant properties of these environments, different challenges are discussed. These challenges contribute to the fact that it is not always possible to utilize well-established approaches without modifications (e.g. due to radio wave propagation, ad hoc and multi-hop characteristics, hardly reproducible real-world evaluations and experiments). Finally, a number of approaches from practically oriented research projects are presented that aim at coping with some of the above challenges.

Richard Kemmerer

Intrusion Detection: Yesterday, Today, and Tomorrow

Pavel Laskov

Similarity-based anomaly detection for network security

Anomaly detection is becoming increasingly important for network security, especially when a trust relationship cannot be established between communication parties. The main challenge in the application of anomaly detection methods for the analysis of network traffic lies in the characterization of the normal behavior of a system. The geometric approach to be presented in this talk addresses this problem by defining anomaly score functions expressed in terms of certain topological properties of data, e.g. a cluster structure and local neighborhood relations. A prerequisite for an application of the proposed approach is an ability to measure pairwise similarity between monitored events. It can be shown that the proposed approach is a generalization of several recent anomaly-based network IDS (e.g. PAYL and ANAGRAM). It can also be extended to be used on top of protocol analysers, e.g. the BINPAC family used in the signature-based IDS Bro. Furthermore, a clear geometric intuition of the similarity-based approach allows one to develop theoretical guarantees for robustness of certain anomaly detection algorithms against evasion attacks.
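To make the similarity-based idea concrete, here is an added example (editor's illustration, not code from the talk): each monitored event is an HTTP request mapped to a byte-bigram frequency profile in the spirit of PAYL/ANAGRAM, pairwise similarity is the Euclidean distance between profiles, the anomaly score is the mean distance to the k nearest normal events (a local neighborhood relation), and the threshold is calibrated from normal data alone. All traffic samples are constructed.

```python
from collections import Counter
from math import sqrt

def ngram_profile(payload: bytes, n: int = 2) -> dict:
    """Relative byte n-gram frequencies: the PAYL/ANAGRAM-style feature map of one event."""
    grams = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(grams.values()) or 1
    return {g: c / total for g, c in grams.items()}

def distance(p: dict, q: dict) -> float:
    """Euclidean distance between two sparse profiles: the pairwise (dis)similarity measure."""
    return sqrt(sum((p.get(k, 0.0) - q.get(k, 0.0)) ** 2 for k in set(p) | set(q)))

def knn_score(event: bytes, normal: list, k: int = 3, n: int = 2) -> float:
    """Anomaly score from the local neighborhood: mean distance to the k nearest normal events."""
    profile = ngram_profile(event, n)
    dists = sorted(distance(profile, ngram_profile(x, n)) for x in normal)
    return sum(dists[:k]) / k

def calibrate(normal: list, k: int = 3, n: int = 2) -> float:
    """Threshold = largest leave-one-out score within the normal data; no attack samples needed."""
    return max(knn_score(x, normal[:i] + normal[i + 1:], k, n) for i, x in enumerate(normal))

def is_anomalous(event: bytes, normal: list, threshold: float) -> bool:
    return knn_score(event, normal) > threshold

# Constructed training traffic (not captured data): a few ordinary requests to one web server.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.org\r\nAccept: image/png\r\n\r\n",
    b"GET /css/style.css HTTP/1.1\r\nHost: www.example.org\r\nAccept: text/css\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.org\r\nContent-Length: 23\r\n\r\nuser=alice&pass=secret1",
    b"GET /news/2008/01 HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
# Constructed test events: an unseen but ordinary request, and a malformed request whose
# path is a long run of one byte, so its profile has no close neighbor among normal events.
BENIGN = b"GET /contact.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
MALFORMED = b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    t = calibrate(NORMAL)
    for name, ev in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(f"{name}: score={knn_score(ev, NORMAL):.3f} threshold={t:.3f} "
              f"anomalous={is_anomalous(ev, NORMAL, t)}")
```

With only six training requests the threshold is coarse; in practice the normal set is much larger and k is chosen so that the leave-one-out scores stay stable.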

Tobias Limmer

Requirements and State of the Art for Seamless Reconfiguration of Flow Meters

Analyzing network traffic based on flow information has become a major domain in the network measurement and security communities. Depending on the specific application scenario, the requirements vary strongly in terms of capacity and throughput demands. In order to cope with the increasing bandwidth in today's backbone networks, several approaches have been published that employ hierarchical interconnections of flow meters. The IETF defined a dedicated IP Flow Information eXport (IPFIX) protocol that also supports flow aggregation in such hierarchical setups. Obviously, all the systems in such an environment rely on a specific configuration depending on the scope and current state of each flow meter. In case of changing traffic patterns or varying demands of the flow analyzers, this configuration needs to be updated, i.e. to introduce different sampling algorithms or filters. Also, the aggregation rules might be changed and entirely new monitoring options need to be activated. The most essential goal of such reconfiguration is to lose as little information, i.e. packet or flow data, as possible. We tested several software-based and hardware-based tools for flow metering for their reconfiguration abilities: depending on the number of incoming packets, we determined how much flow data is lost when a reconfiguration of the system is performed. This includes our own monitoring tool Vermont. Based on these estimations, we developed a seamless reconfiguration procedure for Vermont that is able to update the system configuration with reduced impact and almost no loss of data.

Günter Schäfer

Intrusion Detection in Mobile Communication Networks

Abstract will be added soon

Sebastian Schmerl,
Hartmut König

Speed up the modeling process of Snort signatures by reuse

Most intrusion detection systems deployed today apply misuse detection as detection procedure. Misuse detection compares the recorded audit data with predefined patterns, i.e. signatures. A signature is usually empirically developed based on experience and expert knowledge. Methods for a systematic development are scarcely reported yet. This induces relatively long development times for signatures, causing inappropriate vulnerability windows. We introduce an approach for reusing design and modeling decisions from existing signatures in the modeling process of a new signature. We further show the realization of this approach using the example of the NIDS Snort and present first promising results.

Robin Sommer

Application-oriented Network Security

A quickly growing number of new-style network services are based on technologies such as AJAX, P2P communication, or the web service model, which do not fit the traditional abstractions provided by firewalls or network intrusion detection systems. Yet, in many network environments the need for stricter control of application traffic will inevitably increase as current technologies fail to yield the benefits they did in the past.

In this talk we argue that with HTTP effectively becoming the new transport-layer protocol, we should focus on examining application-layer semantics in depth. Rather than allowing ad-hoc solutions to impair the user experience, we believe that there is an opportunity to pursue new approaches for monitoring and enforcing security policies which also address user concerns in terms of opaqueness and privacy.

Radu State

Advanced vulnerability searching with fuzzing

In this talk we will describe briefly the state of the art in current VoIP attacks as well as how these can be discovered. This class of attacks may lead to a complete takedown of a VoIP network, remote eavesdropping, and even the penetration of an internal network. We will describe advanced fuzzing techniques used to search for vulnerabilities. While fuzzing is currently in its first generation, we have worked on the second generation, where state and smart searching techniques efficiently drive the fuzzing process. We have implemented a state of the art fuzzer, KIF, that performs generic syntax fuzzing and is the only stateful SIP fuzzer existing as of today.

Stephen D. Wolthusen

Concurrent Probabilistic Attack Detection and Self-Defense

An extended abstract is available separately.

Tanja Zseby

Expect the Unexpected! The importance of passive measurements for Network Security

In this talk I will point out measurement challenges for attack detection. I will introduce measurement requirements and limitations for anomaly detection and present recent results from ongoing security projects at Fraunhofer FOKUS. A particular focus will be set to the use of packet and flow sampling techniques and the opportunities we get from future standards like IPFIX and PSAMP.
