TU Berlin

Main document

Literature Database Entry


Tobias Limmer, "Efficient Network Monitoring for Attack Detection," PhD Thesis, Department of Computer Science, Friedrich–Alexander University of Erlangen–Nuremberg (FAU), June 2011. (Advisor: Falko Dressler; Referees: Falko Dressler and Felix C. Freiling)


Techniques for network-based intrusion detection have been evolving for years, and the focus of most research is on detection algorithms, although networks are distributed and dynamically managed nowadays. A data processing framework is required that allows to embed multiple detection techniques and to provide data with the needed aggregation levels. Within that framework, this work concentrates on methods that improve the interoperability of intrusion detection techniques and focuses on data pre-processing stages that perform data evaluation and intelligent data filtering. After presenting a survey of the chain of processes needed for network-based intrusion detection, I discuss the evaluation of TCP connection states based on aggregated flow data. I develop classifiers that interpret flow data in regard of failed and successful connections. These classifiers are especially relevant for anomaly-based intrusion detection techniques like port scan or malware detection, and enable many of these techniques to operate on flow-level data instead of packet-level data. The second part focuses on the filtering of payload data for Intrusion Detection Systems (IDSs) that use signatures for detection. I perform a detailed analysis of the IDS Snort that locates specific patterns within connections. This analysis led to the first approach, Front Payload Aggregation (FPA), which captures data that is transferred at the beginning of connections. Unfortunately, interleaved communication patterns cannot be captured well using this aggregation technique. Therefore, I propose Dialog-based Payload Aggregation (DPA) in the next part, which divides bidirectional communication into dialog segments. For each direction change in the communication, a certain amount of transferred data is kept, and the rest is dropped. This way, bulk data is dropped using a very lightweight method that only relies on network and transport header information. The filter achieved very good results in combination with the IDS Snort, as 89% of the original events could be retained, whereas only 4% of the original amount of data was analyzed by the IDS.

Quick access

BibTeX BibTeX


Tobias Limmer

BibTeX reference

    author = {Limmer, Tobias},
    title = {{Efficient Network Monitoring for Attack Detection}},
    advisor = {Dressler, Falko},
    institution = {Department of Computer Science},
    location = {Erlangen, Germany},
    month = {6},
    referee = {Dressler, Falko and Freiling, Felix C.},
    school = {Friedrich--Alexander University of Erlangen--Nuremberg (FAU)},
    type = {PhD Thesis},
    year = {2011},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.


Featured Paper