Listing by keyword "Intrusion Detection"
1 - 5 of 5
- Text document: Anomaly Detection in Log Data using Graph Databases and Machine Learning to Defend Advanced Persistent Threats (INFORMATIK 2017, 2017). Schindler, Timo. Advanced Persistent Threats (APTs) are a major threat to the cyber security of computer networks. In 2015, a successful breach remained undetected for 146 days on average, as reported by [Fi16]. With our work we demonstrate a feasible and fast way to analyse real-world log data in order to detect breaches or breach attempts. By adapting well-known kill chain mechanisms and combining a time series database with an abstracted graph approach, it is possible to create flexible attack profiles. Using this approach, it can be demonstrated that the graph analysis successfully detects simulated attacks by analysing the log data of a simulated computer network. Considering another source of log data, the framework is capable of delivering sufficient performance for analysing real-world data in a short time. By using the computing power of the graph database it is possible to identify the attacker, and furthermore it is feasible to detect other affected system components. We believe that this approach significantly reduces the detection time of breaches and allows a fast reaction to new attack vectors.
- Text document: Effects of the Sampling Technique on Sender Identification Systems for the Controller Area Network (INFORMATIK 2020, 2021). Kneib, Marcel; Schell, Oleg. As a result of the ongoing development of vehicle electronics and additional wireless communication interfaces, the possibilities for attacks and their negative consequences are increasing. Once an attacker has obtained access to the internal vehicle communication, in the case of the Controller Area Network (CAN) the attacker is able to forge all messages of the connected Electronic Control Units (ECUs) without a receiving ECU being able to recognize any suspicious behavior. The use of cryptographic methods is only possible to a limited extent due to the restricted resources of the ECUs, which is why sender identification systems have been presented that are able to detect these kinds of attacks. The presented approaches use different procedures to capture the analog signals on which the detection of attacks, respectively the identification of the sender, is based. This work shows that the impact of the different sampling methods on the performance of the sender identification system is minimal, and therefore the selection of the appropriate technique can be based mainly on the available resources and the communication structure of the corresponding vehicle platform. This is shown on the one hand by the direct analysis of analog signals captured from a real vehicle and on the other hand by an evaluation of the previously introduced sampling methods using a recently published sender identification system. In addition, an assessment of the procedures based on different parameters shows which method is to be preferred for which application.
- Conference paper: On the Perception of Risk Assessment in Intrusion Detection Systems (10. DFN-Forum Kommunikationstechnologien, 2017). Golling, Mario; Koch, Robert; Dreo Rodosek, Gabi. Especially in the area of Intrusion Detection, the concept as well as the understanding of the term "risk" is of fundamental importance. Generally, risk assessment represents an important means of evaluating certain situations, plans, events or systems in a systematic and comprehensive procedure. As in other areas, within the field of IT security the systematic assessment process (risk analysis) also aims at recommending how to allocate available resources. Referring to this, both the categorization of traffic (whether traffic has to be classified as an attack or not - "benign vs. malicious") as well as a corresponding estimation of the expected damage (severity) are of central importance. Therefore, within this publication, the authors address the following questions in detail: (1) To what extent are the detection results of different IDSs comparable - with regard to the assessment of the risk / extent of damage - or are there strong deviations? (2) How do both vendor-dependent and vendor-independent alerts address the topic of risk assessment and enable the implementation of a comprehensive risk concept? To this end, at the heart of this paper, an overview as well as an evaluation of important representatives of open source IDSs is presented, focusing on methods for risk assessment resp. risk rating, including cross-vendor risk rating and the Common Vulnerability Scoring System (CVSS). Furthermore, the paper also contains a brief demise of the most important representatives of commercial IDSs.
- Conference paper: Systematische Ableitung von Signaturen durch Wiederverwendung am Beispiel von Snort [Systematic derivation of signatures through reuse, using Snort as an example] (SICHERHEIT 2008 – Sicherheit, Schutz und Zuverlässigkeit. Beiträge der 4. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 2008). Schmerl, Sebastian; Rietz, René; König, Hartmut. The effectiveness of intrusion detection systems based on signature analysis depends decisively on the precision of the signatures used. The causes of imprecise signatures are mainly attributable to the signature derivation. Specifying a signature is laborious and error-prone, and methods for a systematic procedure have hardly existed so far. In this paper we present an approach to the systematic derivation of signatures through the reuse of signatures or signature fragments, which was originally developed for multi-step attacks. We show that it can also be used for single-step attacks. For this we use Snort signatures.
- Journal article: Temporal-based intrusion detection for IoV (it - Information Technology: Vol. 62, No. 5-6, 2020). Hamad, Mohammad; Hammadeh, Zain A. H.; Saidi, Selma; Prevelakis, Vassilis. The Internet of Vehicles (IoV) is an extension of Vehicle-to-Vehicle (V2V) communication that can improve vehicles' fully autonomous driving capabilities. However, these communications are vulnerable to many attacks. Therefore, it is critical to provide run-time mechanisms that detect malware and stop attackers before they manage to gain a foothold in the system. Anomaly-based detection techniques are convenient and capable of detecting off-nominal behavior of a component caused by zero-day attacks. One significant critical aspect when using anomaly-based techniques is ensuring the correct definition of the observed component's normal behavior. In this paper, we propose using the task's temporal specification as a baseline to define its normal behavior and identify temporal thresholds that give the system the ability to predict malicious tasks. By applying our solution to one use case, we obtained temporal thresholds 20–40 % lower than the one usually used to alert the system about security violations. Using our boundaries ensures the early detection of off-nominal temporal behavior and provides the system with a sufficient amount of time to initiate recovery actions.
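Added example for the Schindler (INFORMATIK 2017) abstract in this listing; it is not the paper's code. The paper pairs a time series database with a graph database; this self-contained variant keeps the graph in memory so it runs offline. The log format, the event names, the four-stage attack profile, the count of five failed logins and the 24-hour window are all assumptions chosen for illustration. It shows the mechanism the abstract describes: log events become timestamped, typed edges between hosts, a kill-chain profile is matched as a time-ordered path through that graph, and the path's first source is reported as the attacker and its destinations as the affected components.

```python
"""Kill-chain detection over a log-derived graph (added example, not the paper's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).  Fields: ts src dst event.
# Lines 7, 9 and 11-12 are benign noise: a legitimate login, an admin ssh
# session and a single typo'd password followed by success.
SAMPLE_LOG = """\
2017-05-02T09:58:00 src=10.9.9.9 dst=web01 event=auth_fail
2017-05-02T09:58:01 src=10.9.9.9 dst=web01 event=auth_fail
2017-05-02T09:58:02 src=10.9.9.9 dst=web01 event=auth_fail
2017-05-02T09:58:03 src=10.9.9.9 dst=web01 event=auth_fail
2017-05-02T09:58:04 src=10.9.9.9 dst=web01 event=auth_fail
2017-05-02T09:58:30 src=10.9.9.9 dst=web01 event=auth_ok
2017-05-02T10:05:00 src=10.0.0.20 dst=web01 event=auth_ok
2017-05-02T10:12:00 src=web01 dst=db01 event=ssh_login
2017-05-02T10:15:00 src=admin-ws dst=db01 event=ssh_login
2017-05-02T11:40:00 src=db01 dst=203.0.113.7 event=outbound_transfer
2017-05-02T12:00:00 src=10.0.0.21 dst=web01 event=auth_fail
2017-05-02T12:00:05 src=10.0.0.21 dst=web01 event=auth_ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) event=(\S+)$")

# Attack profile (assumed for the example): (stage, event type, minimum
# event count, advance).  advance=False keeps the attacker as the source
# for the next stage (brute force and the following login share an edge);
# advance=True moves the walk to the destination host.
PROFILE = [
    ("brute_force", "auth_fail", 5, False),
    ("initial_access", "auth_ok", 1, True),
    ("lateral_movement", "ssh_login", 1, True),
    ("exfiltration", "outbound_transfer", 1, True),
]
WINDOW = timedelta(hours=24)  # whole chain must complete inside this window


def build_graph(log_text):
    """Return {src: {dst: [(ts, event), ...]}} with each edge's events sorted by time."""
    graph = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, dst, event = m.groups()
        graph[src][dst].append((datetime.fromisoformat(ts), event))
    for dsts in graph.values():
        for events in dsts.values():
            events.sort()
    return graph


def _match(graph, stage_idx, node, after, start, path, out):
    """Depth-first walk: extend `path` with an edge from `node` that satisfies PROFILE[stage_idx]."""
    name, event_type, min_count, advance = PROFILE[stage_idx]
    for dst, events in graph.get(node, {}).items():
        hits = [ts for ts, ev in events if ev == event_type and ts > after]
        if len(hits) < min_count:
            continue
        t = hits[min_count - 1]  # stage completes with its min_count-th event
        start_ts = start or t
        if t - start_ts > WINDOW:
            continue
        step = (name, node, dst, t)
        if stage_idx == len(PROFILE) - 1:
            out.append(path + [step])
        else:
            _match(graph, stage_idx + 1, dst if advance else node, t, start_ts, path + [step], out)


def detect(log_text):
    """Return every complete kill-chain path; each is a list of (stage, src, dst, ts)."""
    graph = build_graph(log_text)
    chains = []
    for node in list(graph):
        _match(graph, 0, node, datetime.min, None, [], chains)
    return chains


def summarize(chain):
    """Attacker = source of the first stage; affected components = every destination on the path."""
    attacker = chain[0][1]
    affected = sorted({dst for _, _, dst, _ in chain})
    return attacker, affected


if __name__ == "__main__":
    for chain in detect(SAMPLE_LOG):
        attacker, affected = summarize(chain)
        print(f"attacker={attacker} affected={affected}")
        for stage, src, dst, ts in chain:
            print(f"  {ts:%H:%M:%S} {stage:<17} {src} -> {dst}")
```

On the constructed log the walk yields exactly one chain, 10.9.9.9 -> web01 -> db01 -> 203.0.113.7, and ignores the admin's ssh session and the single failed login because neither satisfies the brute-force stage that opens the profile. Swapping PROFILE for another stage list is how a different attack profile would be expressed in this toy; a real deployment would push the per-edge time filtering into the time series store rather than filtering lists in Python.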
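Added example for the Hamad et al. (it - Information Technology 2020) abstract in this listing; it is not the paper's code. The abstract reports thresholds 20–40 % below the one usually used; the example takes a 30 % margin, a brake-control task specification and two execution-time traces, all of which are assumptions constructed here. It contrasts the usual monitor, which alarms only when a job exceeds the worst-case execution time (WCET) from the temporal specification, with a tightened threshold derived from that specification, and reports how much slack before the deadline remains at the moment of detection.

```python
"""Temporal anomaly detection for a periodic task (added example, not the paper's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskSpec:
    name: str
    period_ms: float
    wcet_ms: float      # worst-case execution time from the temporal specification
    deadline_ms: float  # relative deadline of each job


def tightened_threshold(spec, margin=0.30):
    """Threshold derived from the spec: WCET reduced by `margin`.

    The abstract reports 20-40 % below the usual threshold; 30 % is an
    assumption for this example, not a value from the paper."""
    if not 0.0 < margin < 1.0:
        raise ValueError("margin must be a fraction in (0, 1)")
    return spec.wcet_ms * (1.0 - margin)


def first_violation(trace_ms, threshold_ms):
    """Index of the first job whose execution time exceeds threshold_ms, or None."""
    for i, exec_ms in enumerate(trace_ms):
        if exec_ms > threshold_ms:
            return i
    return None


def monitor(spec, trace_ms, margin=0.30):
    """Run the WCET-based and the tightened monitor over one execution-time trace.

    Returns (job index flagged by the WCET threshold, job index flagged by the
    tightened threshold, slack in ms left before the deadline at the tightened
    detection).  None means the respective monitor never fired."""
    tight = tightened_threshold(spec, margin)
    i_wcet = first_violation(trace_ms, spec.wcet_ms)
    i_tight = first_violation(trace_ms, tight)
    slack = None if i_tight is None else spec.deadline_ms - trace_ms[i_tight]
    return i_wcet, i_tight, slack


# Constructed traces (ms per job), not measurements.  NOMINAL jitters around
# 5 ms; COMPROMISED models a task whose execution time creeps upward as
# injected code runs inside the task's budget and eventually overruns it.
BRAKE_CTRL = TaskSpec(name="brake_ctrl", period_ms=10.0, wcet_ms=8.0, deadline_ms=10.0)
NOMINAL = [5.0, 5.1, 4.9, 5.2, 5.0, 5.1, 4.8, 5.0]
COMPROMISED = [5.0, 5.1, 5.4, 5.8, 6.1, 6.6, 7.2, 7.9, 8.4, 9.1]

if __name__ == "__main__":
    print(monitor(BRAKE_CTRL, NOMINAL))      # no alarm from either monitor
    print(monitor(BRAKE_CTRL, COMPROMISED))  # tightened monitor fires at job 3, WCET monitor at job 8
```

With these constructed inputs the tightened threshold is 5.6 ms; the WCET monitor first fires at job 8, when 8.4 ms leaves only 1.6 ms before the 10 ms deadline, while the tightened monitor fires at job 3 with 4.2 ms of slack, which is the window for recovery actions the abstract refers to. The trade-off a practitioner has to check on real traces is that a margin set too far below the WCET turns nominal jitter into false alarms, so the margin should be validated against the task's observed nominal maximum as well as its specification.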