PANDA - Precise Attack Detection for Network Domains by Application Classification
Final Report Abstract
The detection of attacks on large administrative network domains, e.g., an enterprise network consisting of multiple subnets, is nowadays usually accomplished centrally by analyzing the data traffic on the uplink to the Internet. This allows attacks from the Internet to be detected, but it has substantial disadvantages: insider attacks cannot be detected, regardless of whether they are initiated deliberately or triggered by compromised (private) devices. Network-wide distributed monitoring would be a useful alternative to established procedures, but it faces a number of still unsolved problems: data rates in the subnets are sporadically very high and often highly variable (e.g., load peaks of up to 10 Gbit/s); high data rates combined with the standard configurations typically used for monitoring usually imply high false alarm rates; data traffic is increasingly encrypted and eludes traditional analysis methods; and the increasing deployment of virtualization technologies, such as virtual machines and virtual networks, creates areas that are inaccessible to monitoring.

In the PANDA research project, we investigated methods to use flow aggregation and DPI complementarily. Key aspects of the investigation were a significant reduction of the data volume to be analyzed at the network sensor, the examination of alarm relevance, the monitoring of data flows also in virtual environments, analyses of encrypted traffic to infer the applications and protocols in use, and methods for cooperative analysis within the administrative domain. To this end, we developed novel techniques for speeding up the processing of HTTP flows at the IDS as well as for distributing, and thus parallelizing, IDS tasks among multiple sensors. We particularly focused on the question of distributing either IDS rules, or traffic flows, or both.

We also addressed the problem of encrypted traffic. In a first step, we investigated techniques for detecting encrypted traffic. Our solution performs this step with very high precision and at high processing speed. Lifelong-learning-based AI solutions were developed to cope with ever-changing attack patterns and eventually also with encrypted attacks. In still ongoing work, we investigate the distribution of monitoring sensors within an administrative domain.
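As an added illustration of the two ideas the abstract combines, flow aggregation at the sensor and port-agnostic detection of encrypted traffic, the following Python is not code from the PANDA project or its publications. It assumes a simple two-stage check (a TLS record-header test, then a payload-entropy test on the first bytes of each flow); the packets, addresses and the entropy threshold are constructed for the example.

```python
import hashlib
import math
from collections import Counter

def _pseudo_random(n, seed=b"panda"):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]
# Constructed sample packets: (src_ip, dst_ip, src_port, dst_port, proto, payload)
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01]) + _pseudo_random(244)
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: curl/8.0\r\n\r\n"
PACKETS = [
    ("10.0.1.5", "10.0.2.9", 51000, 8443, "tcp", TLS_CLIENT_HELLO),   # TLS on a non-standard port
    ("10.0.1.5", "10.0.2.9", 51000, 8443, "tcp", _pseudo_random(300)),
    ("10.0.1.7", "10.0.3.2", 51001, 80, "tcp", HTTP_GET),             # plaintext HTTP
    ("10.0.1.7", "10.0.3.2", 51001, 80, "tcp", b""),                  # pure ACK, no payload
    ("10.0.1.8", "10.0.4.4", 51002, 80, "tcp", _pseudo_random(400)),  # opaque bytes on port 80
]

def aggregate_flows(packets, sample_bytes=256):
    """Collapse packets into per-5-tuple records: counters plus only the first payload bytes for DPI."""
    flows = {}
    for src, dst, sport, dport, proto, payload in packets:
        f = flows.setdefault((src, dst, sport, dport, proto), {"pkts": 0, "bytes": 0, "sample": b""})
        f["pkts"] += 1
        f["bytes"] += len(payload)
        if len(f["sample"]) < sample_bytes:
            f["sample"] += payload[: sample_bytes - len(f["sample"])]
    return flows

def shannon_entropy(data):
    """Plug-in entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_tls_client_hello(sample):
    """TLS record header: content type handshake (0x16), version 3.x, handshake type ClientHello (0x01)."""
    return len(sample) >= 6 and sample[0] == 0x16 and sample[1] == 0x03 and 1 <= sample[2] <= 4 and sample[5] == 0x01

def classify_flow(record, threshold=6.5):
    """Port-agnostic label; the threshold depends on sample size (256 random bytes give roughly 7.3 bits)."""
    sample = record["sample"]
    if looks_like_tls_client_hello(sample):
        return "tls"
    if shannon_entropy(sample) > threshold:
        return "opaque"  # encrypted or compressed: a trigger for further analysis, not a verdict
    return "plaintext" if sample else "no-payload"
```

The entropy stage cannot distinguish ciphertext from compressed data, so its output is a candidate for further analysis rather than a final classification.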
Publications
- Doroud, Hossein; Alaswad, Ahmad & Dressler, Falko: Encrypted Traffic Detection: Beyond the Port Number Era. 2022 IEEE 47th Conference on Local Computer Networks (LCN), 26 September 2022, pp. 198-204. American Geophysical Union (AGU).
- Erlacher, Felix & Dressler, Falko: On High-Speed Flow-Based Intrusion Detection Using Snort-Compatible Signatures. IEEE Transactions on Dependable and Secure Computing, 19(1), pp. 495-506.
