• Skip navigation
  • Skip to navigation
  • Skip to the bottom
Simulate organization breadcrumb open Simulate organization breadcrumb close
Computer Science 7
  • FAUTo the central FAU website
  1. Friedrich-Alexander-Universität
  2. Faculty of Engineering
  3. Department Computer Science
  • Deutsch
  • English
  • Campo
  • UnivIS
  • Jobs
  • Map
  • Help
  1. Friedrich-Alexander-Universität
  2. Faculty of Engineering
  3. Department Computer Science

Computer Science 7

Navigation Navigation close
  • CS7
  • Research
  • Publications
  • Teaching
  • Cooperation Partners
  1. Home
  2. Research
  3. Concluded Projects
  4. monk-it – Efficient distributed monitoring, attack detection, and event correlation

monk-it – Efficient distributed monitoring, attack detection, and event correlation

In page navigation: Research
  • Quality-of-Service
    • Research Projects
    • Group Members
    • Publications
  • Connected Mobility
    • Research Projects
    • Group Members
    • Publications
  • Smart Energy
    • Research Projects
    • Group Members
    • Publications
  • Concluded Projects
    • ACOOWEE – Activity Oriented Programming of Wireless Sensor Networks
    • ALF: Autonomous Localization Framework
    • Analysis Methods for Non-Markovian Models
    • A⁵: Development Method for Driver Assistance Systems based on a Domain-Specific Language
    • BioNeting – Bio-inspired Networking
    • CoCar – Cooperative Cars
    • Concurrency in timed usage models for system testing in the automotive domain
    • Data Quality and the Control of Automotive Manufacturing
    • Decentralized organization of future energy systems based on the combination of blockchains and the cellular concept
    • Dienstgütegarantien für Ethernet in der industriellen Kommunikation
    • e-NUE: Co-Simulation of Electrified and Connected Vehicles
    • Energy System Analysis
    • Formal verification and validation of test methods for complex vehicle safety systems in virtual environments
    • GeTTeMo – Systematische Generierung von Testszenarien aus benutzungsorientierten Testmodellen
    • HISTORY – HIgh Speed neTwork mOnitoRing and analYsis
    • Hybrid Simulation of Intelligent Energy Systems
    • Integrated Modeling Platforms for Computer Infrastructures
    • MaTeLo (Markov Test Logic)
    • Mo.S.I.S. (Modular Software Engineering for Interoperative Systems)
    • Model support in design, test, and monitoring of image system architectures
    • Modeling of External and Internal Impact Factors on the Performance of Wireless Local Area Networks
    • monk-it – Efficient distributed monitoring, attack detection, and event correlation
    • p2p4wsn – Efficient Data Management in Mobile Sensor Networks using Peer-to-Peer Technologies
    • Pal-Grid: A Comprehensive Simulation Framework for the Palestinian Power Grid
    • Privacy in Vehicular Networks
    • ProHTA: Prospective Assessment of Healthcare Technologies
    • Q.E.D. (QoS Enhanced Development Using UML2.0 and TTCN-3)
    • Quality of Service of Networked Embedded Systems
    • Requirements oriented testing with Markov chain usage models in the automotive domain
    • ROSES – Robot Assisted Sensor Networks
    • Secure intelligent Mobility – Testarea Germany
    • Security and Quality of Service and Aspects in ZigBee-based Wireless Communication
    • Self-organization of SN-MRS systems
    • Sensitivity Analysis of Queueing Networks
    • SkyNet – Communicating Paragliders
    • Smart Grid Services
    • Smart Grid Solar
    • Software-in-the-Loop Simulation and Testing of Highly Dependable Distributed Automotive Applications
    • Support for inter-domain routing and data replication in virtual coordinate based networks
    • SWARM (Storage With Amply Redundant Megawatt)
    • Telematics Services in Hybrid Networks
    • Transmission of Safety-Relevant Sensor Data in Intra-Car Communication Systems
    • Veins 1.0 – Vehicles in Network Simulation
    • Web Cluster Laboratory
    • WinPEPSY-QNS – Performance Evaluation and Prediction System for Queueing Networks

monk-it – Efficient distributed monitoring, attack detection, and event correlation

Project Description

The number, rate, and quality of attacks is steadily increasing with the enormous growth of the Internet, its concurrent users and services. The best-known examples are viruses and worms, which are reaching alarming scales. The Federal Office for Information Security (BSI) identified these threats and initiated the development of a national early warning system for Germany. This system should be able to detect and analyze attacks and to initiate adequate response measures. In general, such an early warning system has high demands on its timeliness and flexibility while it must be able to handle increasing amounts of data.
The monk-it project aims to develop, to implement, and to integrate two main building blocks for the described early warning system: an efficient network monitoring system working in a distributed environment for subsequent attack detection and event correlation techniques at higher layers. Passive network monitoring is a challenging task in current multi-gigabit networks. In the scope of this project, novel algorithms are investigated for the load-dependent re-configuration of distributed monitoring stations. Additionally, selected attack detection mechanisms, so named pre-processors, are moved directly into the monitoring task in order to reduce the amount of monitoring data to be analyzed at a central detection system. The final goal is to develop an “intelligent” self-organizing monitoring environment, which supports and simplifies further attack analysis.
Independently of the detection of singular attacks, the visibility of such attacks can be limited in the overall network. Event correlation techniques aim at producing more informative conclusions based on non-correlated single measures. This basically helps to detect distributed attacks and to enforce adequate countermeasures.
Altogether, both modules represent powerful parts of the envisioned early warning system. In order to simplify the use and the integration, standardized formats and protocols will be consequently used. Thus the project also encourages active participation in the IETF standardization processes.

Project Period

    2007-01-01 – 2010-09-30

Project Members

  • Prof. Dr.-Ing. Reinhard German
  • PD Dr.-Ing. habil. Falko Dressler
  • Peter Holleczek
  • Dipl.-Inf. Tobias Limmer
  • Dipl.-Inf. Jochen Kaiser

Sponsered by

  • BSI (Bundesamt für Sicherheit in der Informationstechnik)

Related Publications

  1. Tobias Limmer und Falko Dressler, “Flow-based TCP Connection Analysis,” Proc. of 28th IEEE Intern. Performance Computing and Communications Conference, 2nd IEEE Intern. Workshop on Information and Data Assurance, Phoenix, AZ, USA, Dezember 2009
  2. Tobias Limmer und Falko Dressler, “Flow-based Front Payload Aggregation,” Proc. of 34th IEEE Conf. on Local Computer Networks : 4th IEEE LCN Workshop on Network Measurements, Zurich, Switzerland, pp. 1102-1109, Oktober 2009
  3. David Eckhoff, Tobias Limmer und Falko Dressler, “Hash Tables for Efficient Flow Monitoring: Vulnerabilities and Countermeasures,” 34th IEEE Conference on Local Computer Networks (LCN 2009): 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zurich, Switzerland, pp. 1087-1094, Oktober 2009  
  4. Tobias Limmer und Falko Dressler, “Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems,” Friedrich-Alexander-Universität, technischer Report 1, 2008
  5. Tobias Limmer und Falko Dressler, “Distributed monitoring and analysis for reactive security,” Proceedings of SPRING – GI/SIDAR Graduierten-Workshop über Reaktive Sicherheit, Dortmund, Germany, Juli 2007
  6. Falko Dressler, Wolfgang Jaegers und Reinhard German, “Flow-based Worm Detection using Correlated Honeypot Logs,” Proc. of 15. GI/ITG Fachtagung Kommunikation in Verteilten Systemen, Bern, Switzerland, pp. 181-186, Februar 2007
  7. Jochen Kaiser, Alexander Vitzthum, Peter Holleczek und Falko Dressler, “Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software,” Proc. of GI SIDAR International Conference on IT-Incident Management & IT-Forensics, Berlin, Stuttgart, Germany, pp. 92-103, Oktober 2006
  8. Ronny T. Lampert, Christoph Sommer, Gerhard Münz und Falko Dressler, “Vermont – A Versatile Monitoring Toolkit Using IPFIX/PSAMP,” Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation, Tübingen, Germany, pp. 62-65, September 2006
  9. Falko Dressler, Reinhard German und Peter Holleczek, “Selbstorganisierende Netzwerksensoren und automatisierte Ereigniskorrelation,” Proc. of BSI-Workshop IT-Frühwarnsysteme, Bonn, Germany, pp. 117-128, Juli 2006
  10. Jochen Kaiser, Alexander Vitzthum, Peter Holleczek und Falko Dressler, “Ein Sicherheitsportal zur Selbstverwaltung und automatischen Bearbeitung von Sicherheitsvorfällen als Schlüsseltechnologie gegen Masseninfektionen,” Proc. of SPRING – GI/SIDAR, Berlin, Germany, Juli 2006
Computer Science 7 (Computer Networks and Communication Systems)
Friedrich-Alexander-Universität Erlangen-Nürnberg

Martensstr. 3
91058 Erlangen
  • Contact
  • Imprint
  • Privacy
  • Accessibility
  • RSS-FEED Colloquium
Up