Christian Bockermann

Measuring similarity of malware behavior

Malicious software (malware) represents a major threat for computer systems of almost all types. In the past few years the number of prevalent malware samples has increased dramatically due to the fact that malware authors started to deploy morphing (aka obfuscation) techniques in order to hinder detection of such polymorphic malware by anti-malware products. Using these techniques numerous variants of a malware can be generated. All these variants have a different syntactic representation while providing almost the same functionality and showing similar behavior. In order to effectively detect polymorphic malware it is advantageous (if not required) to know which malware samples are variants of a particular malware. Respective approaches for determining this relation between malware samples automatically are currently investigated by a number of researchers. A prerequisite for assessing this relation based on particular features of malware samples is an appropriate similarity or distance measure. In particular a number of approaches for clustering malware samples have been recently published. Thereby different similarity measures are used but without thoroughly discussing their choice. So it is an unanswered question which similarity measures are appropriate for determining respective relations between malware samples. To answer this question we study different distance measures in detail and discuss desirable properties of a distance measure for this particular purpose. We focus on behavioral features of malware and compare and experimentally evaluate different distance measures for malware behavior. Based on our results we identify a most appropriate distance measure for grouping malware samples based on similar behavior.

Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract)

Modern multi-tier application systems are generally based on high performance database systems in order to process and store business information. Containing valuable business information, these systems are highly interesting to attackers and special care needs to be taken to prevent any malicious access to this database layer. In this work we propose a novel approach for modelling SQL statements to apply machine learning techniques, such as clustering or outlier detection, in order to detect malicious behaviour at the database transaction level. The approach incorporates the parse tree structure of SQL queries as characteristic e.g. for correlating SQL queries with applications and distinguishing benign and malicious queries. We demonstrate the usefulness of our approach on real-world data.

Learning SQL for Database Intrusion Detection using Context-sensitive Modelling

Modern multi-tier application systems are generally based on high performance database systems in order to process and store business information. Containing valuable business information, these systems are highly interesting to attackers and special care needs to be taken to prevent any malicious access to this database layer. In this work we propose a novel approach for modelling SQL statements to apply machine learning techniques, such as clustering or outlier detection, in order to detect malicious behaviour at the database transaction level. The approach incorporates the parse tree structure of SQL queries as characteristic e.g. for correlating SQL queries with applications and distinguishing benign and malicious queries. We demonstrate the usefulness of our approach on real-world data.

Dynamic route planning with real-time traffic predictions

Situation aware route planning gathers increasing interest as cities become crowded and jammed. We present a system for individual trip planning that incorporates future traffic hazards in routing. Future traffic conditions are computed by a Spatio-Temporal Random Field based on a stream of sensor readings. In addition, our approach estimates traffic flow in areas with low sensor coverage using a Gaussian Process Regression. The conditioning of spatial regression on intermediate predictions of a discrete probabilistic graphical model allows us to incorporate historical data, streamed online data and a rich dependency structure at the same time. We demonstrate the system with a real-world use-case from Dublin city, Ireland. HighlightsDynamic traffic cost prediction.Situation dependent trip planner.Prediction-as-a-service with TUD streams framework.

Heterogeneous Stream Processing and Crowdsourcing for Traffic Monitoring: Highlights

We give an overview of an intelligent urban traffic management system. Complex events related to congestions are detected from heterogeneous sources involving fixed sensors mounted on intersections and mobile sensors mounted on public transport vehicles. To deal with data veracity, sensor disagreements are resolved by crowdsourcing. To deal with data sparsity, a traffic model offers information in areas with low sensor coverage. We apply the system to a real-world use-case.

Online analysis of high-volume data streams in astroparticle physics

Experiments in high-energy astroparticle physics produce large amounts of data as continuous high-volume streams. Gaining insights from the observed data poses a number of challenges to data analysis at various steps in the analysis chain of the experiments. Machine learning methods have already cleaved their way selectively at some particular stages of the overall data mangling process. In this paper we investigate the deployment of machine learning methods at various stages of the data analysis chain in a gamma-ray astronomy experiment. Aiming at online and real-time performance, we build up on prominent software libraries and discuss the complete cycle of data processing from raw-data capturing to high-level classification using a data-flow based rapid-prototyping environment. In the context of a gamma-ray experiment, we review user requirements in this interdisciplinary setting and demonstrate the applicability of our approach in a real-world setting to provide results from high-volume data streams in real-time performance.

On the Automated Creation of Understandable Positive Security Models for Web Applications

Web applications pose new security-related challenges since attacks on web applications strongly differ from those on client-server applications. Traditional network-based firewall systems offer no protection against this kind of attacks since they occur on the application-level. The current solution is the manual definition of large sets of filtering rules which should prevent malicious attempts from being successful. We propose a new framework which should avoid this tedious work. The basic idea is the definition of a description language for positive security models taking the particularities of web applications into account. We then present adaptive techniques which employ this description language in order to describe the valid communication to a given web application. The simplicity of the description language allows the easy identification of unintentionally incorporated vulnerabilities. Experiments for several real- world web applications demonstrate the usefulness of the proposed approach.

Mining big data streams for multiple concepts

ions Applications Chapter

FACT - Calibration of Imaging Atmospheric Cerenkov Telescopes with Muon Rings

M. Nothe∗, a M. L. Ahnen b, M. Balbo c, M. Bergmann d , C. Bockermann e, A. Biland b, T. Bretz b, K. A. Brugge a, J. Buss a, D. Dorner d , S. Einecke a, J. Freiwald a, C. Hempfling d , D. Hildebrand b, G. Hughes b, W. Lustermann b, K. Mannheim d , K. Meier d , K. Morik e, S. Muller b, D. Neise b, A. Neronov c, A.-K. Overkemping a, A. Paravac d , F. Pauss b, W. Rhode a, F. Temme a, J. Thaele a, S. Toscano c, P. Vogler b, R. Walter c, and A. Wilbert d Email: maximilian.noethe@tu-dortmund.de

FACT-Tools: Streamed Real-Time Data Analysis

K. A. Brügge b∗, M. L. Ahnena, M. Balboc, M. Bergmannd , A. Bilanda, C. Bockermanne, T. Bretza, J. Bussb, D. Dornerd , S. Eineckeb, J. Freiwaldb, C. Hempflingd , D. Hildebranda, G. Hughesa, W. Lustermanna, K. Mannheimd , K. Meierd , K. Morike, S. Müllera, D. Neisea, A. Neronovc, M. Nötheb, A.-K. Overkempingb, A. Paravacd , F. Paussa, W. Rhodeb, F. Temmeb, J. Thaeleb, S. Toscanoc, P. Voglera, R. Walterc, and A. Wilbertd Email: kai.bruegge@tu-dortmund.de