Intrusion Detection

Network-based Intrusion Detection

Together with the growth of the Internet, a sub-culture has evolved that constitutes the Internet underground economy. It does business by abusing the Internet's open architecture and structure as well as unsuspecting Internet users. The means this underground economy uses for its purposes are manifold. For instance, phishing is used to steal user credentials. Spam e-mails are used to distribute phishing URLs or malware (e.g. worms, trojans, key loggers, scareware) in order to infiltrate a user's computer. Infiltrated computers are used in turn to distribute further phishing URLs or malware, or to launch denial-of-service (DoS) attacks, causing severe financial damage. Such infiltrated computers are usually remotely controlled by a miscreant and are referred to as bots. Many bots grouped together and controlled by the same attacker are called a botnet. Botnets have evolved into one of the biggest problems that large network operators have to cope with.

To cope with these threats, our group works on models that describe 'normal' network behaviour, so that deviations from it, such as botnet command-and-control (C&C) traffic or specific attacks, can be detected. Additionally, we cooperate with Internet Service Providers to establish an infrastructure for an early warning system.
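The following is an added, deliberately small illustration of what "a model of normal behaviour" can mean in practice; it is not the da/sec group's model or code. A per-host baseline (the destination:port pairs a host normally contacts) is learned from a clean training window, and a host is flagged when, in a later observation window, it contacts a destination absent from its baseline at the near-constant intervals typical of bot beaconing. All flow records, host names and addresses are constructed for the example.

```python
"""Toy anomaly-based C&C detector over constructed NetFlow-like records.

Illustrative example, not the research group's method. The "model of
normal behaviour" is a per-host profile learned from a training window:
the set of (destination, port) pairs the host talked to. In the
observation window, a (src, dst, port) tuple is flagged when it is absent
from the baseline AND the flows to it arrive with machine-like regularity
(low coefficient of variation of inter-arrival times), i.e. beaconing.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_s, src_host, dst_host, dst_port, bytes_out)
TRAIN = [
    (0,    "ws-17", "mail.example", 993, 1200),
    (47,   "ws-17", "intranet",     443, 800),
    (310,  "ws-17", "cdn.example",  443, 22000),
    (500,  "ws-17", "intranet",     443, 640),
    (12,   "ws-22", "mail.example", 993, 900),
    (400,  "ws-22", "intranet",     443, 700),
]

OBSERVE = [
    # ws-17: ordinary, irregular traffic to known destinations
    (3,    "ws-17", "mail.example", 993, 1100),
    (95,   "ws-17", "intranet",     443, 500),
    (260,  "ws-17", "cdn.example",  443, 18000),
    # ws-17: legitimate periodic poll to a KNOWN destination (not flagged)
    (0,    "ws-17", "intranet",     443, 300),
    (300,  "ws-17", "intranet",     443, 300),
    (600,  "ws-17", "intranet",     443, 300),
    (900,  "ws-17", "intranet",     443, 300),
    (1200, "ws-17", "intranet",     443, 300),
    # ws-17: beacon to an UNKNOWN destination roughly every 60 s (flagged)
    (0,    "ws-17", "198.51.100.23", 8080, 410),
    (61,   "ws-17", "198.51.100.23", 8080, 410),
    (119,  "ws-17", "198.51.100.23", 8080, 412),
    (181,  "ws-17", "198.51.100.23", 8080, 410),
    (240,  "ws-17", "198.51.100.23", 8080, 411),
    # ws-22: new destination, but irregular human-like timing (not flagged)
    (5,    "ws-22", "news.example", 443, 5000),
    (30,   "ws-22", "news.example", 443, 7000),
    (200,  "ws-22", "news.example", 443, 6100),
    (210,  "ws-22", "news.example", 443, 300),
]


def build_profile(flows):
    """Learn the baseline: for each source host, the (dst, port) pairs it contacted."""
    profile = defaultdict(set)
    for _ts, src, dst, port, _nbytes in flows:
        profile[src].add((dst, port))
    return dict(profile)


def beaconing_score(timestamps):
    """Coefficient of variation of inter-arrival times (0.0 = perfectly periodic).

    Returns None when there are fewer than three intervals, since a CV
    computed from one or two gaps says nothing about regularity.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def detect(profile, flows, cv_threshold=0.2, min_flows=4):
    """Flag (src, dst, port) tuples that are outside the host's baseline and
    are contacted at near-constant intervals in the observation window."""
    per_dest = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        per_dest[(src, dst, port)].append(ts)

    alerts = []
    for (src, dst, port), stamps in per_dest.items():
        # A host with no baseline at all is treated as "everything is new".
        known = (dst, port) in profile.get(src, set())
        cv = beaconing_score(stamps)
        if (not known and cv is not None
                and len(stamps) >= min_flows and cv <= cv_threshold):
            alerts.append({"src": src, "dst": dst, "port": port,
                           "flows": len(stamps), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for a in detect(build_profile(TRAIN), OBSERVE):
        print(f"{a['src']} -> {a['dst']}:{a['port']} "
              f"({a['flows']} flows, interval CV {a['cv']})")
```

The baseline is what keeps the legitimate 300-second poll of `intranet:443` from being reported, even though it is just as periodic as the beacon: the periodicity alone is not the anomaly, the combination of "never seen before" and "machine-regular" is. In a real deployment the profile would have to be learned over a much longer window and aged, because software updaters, NTP clients and monitoring agents also beacon, and a baseline that was recorded while a host was already infected will whitelist the C&C channel.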

Host-based Intrusion Detection

The da/sec group works on real-time mechanisms to detect polymorphic malware, and on the use of an autonomous coprocessor (such as a graphics card) to observe its host, so that the monitor runs independently of the system it observes.