Christopher Krügel
Vienna University of Technology
Publication
Featured research published by Christopher Krügel.
ACM Symposium on Applied Computing | 2002
Christopher Krügel; Thomas Toth; Engin Kirda
The constant increase of attacks against networks and their resources (as recently shown by the CodeRed worm) causes a necessity to protect these valuable assets. Firewalls are now a common installation to repel intrusion attempts in the first place. Intrusion detection systems (IDS), which try to detect malicious activities instead of preventing them, offer additional protection when the first defense perimeter has been penetrated. ID systems attempt to pin down attacks by comparing collected data to predefined signatures known to be malicious (signature based) or to a model of legal behavior (anomaly based). Anomaly based systems have the advantage of being able to detect previously unknown attacks but they suffer from the difficulty to build a solid model of acceptable behavior and the high number of alarms caused by unusual but authorized activities. We present an approach that utilizes application specific knowledge of the network services that should be protected. This information helps to extend current, simple network traffic models to form an application model that allows to detect malicious content hidden in single network packets. We describe the features of our proposed model and present experimental data that underlines the efficiency of our systems.
International Conference on Information Security and Cryptology | 2001
Christopher Krügel; Thomas Toth; Clemens Kerer
Evidence of attacks against a network and its resources is often scattered over several hosts. Intrusion detection systems (IDS) which attempt to detect such attacks therefore have to collect and correlate information from different sources. We propose a completely decentralized approach to solve the task of event correlation and information fusing of data gathered from multiple points within the network. Our system models an intrusion as a pattern of events that can occur at different hosts and consists of collaborating sensors deployed at various locations throughout the protected network installation. We present a specification language to define intrusions as distributed patterns and a mechanism to specify their simple building blocks. The peer-to-peer algorithm to detect these patterns and its prototype implementation, called Quicksand, are described. Problems and their solutions involved in the management of such a system are discussed.
Lecture Notes in Computer Science | 2002
Clemens Kerer; Engin Kirda; Christopher Krügel
Various approaches have been proposed in the field of Web engineering that attempt to exploit the advantages of XML/XSL technologies. Although a strict separation of presentation and content achieved through XML/XSL has many advantages, a considerable effort is involved in using these technologies to develop Web sites. The lack of experience in XML/XSL can be a major cause for the extra effort. In several XML/XSL-based Web projects, we felt the need for a methodology that systematically guides the developer in the field through the development process, while taking into account the limitations and strengths of XML. In this paper, we present XGuide, a practical guide for XML-based Web Engineering that focuses on parallel development. XGuide is a methodology for XML/XSL-based Web development that is tool-independent and hence, can be used with a broad range of development tools. We are currently using the XGuide approach in several Web projects.
Java-Informations-Tage | 1999
Wolfgang Kastner; Christopher Krügel; Heinrich Reiter
The demands placed on electrical installations in buildings and residential houses have risen dramatically in recent years. Because conventional electrical installations can no longer adequately meet these demands, the call for modern, bus-capable variants is growing ever louder. One of these variants is the European Installation Bus (EIB). This article aims to show the many new possibilities that open up for building systems engineering and automation when this fieldbus system is made Jini-enabled (loosely following the motto: The Network is the Device!), and how such an integration can work.
Network and Distributed System Security Symposium | 2007
Philipp Vogt; Florian Nentwich; Nenad Jovanovic; Engin Kirda; Christopher Krügel; Giovanni Vigna
Network and Distributed System Security Symposium | 2008
Gilbert Wondracek; Paolo Milani Comparetti; Christopher Krügel; Engin Kirda
Network and Distributed System Security Symposium | 2006
William K. Robertson; Giovanni Vigna; Christopher Krügel; Richard A. Kemmerer
Archive | 2001
Christopher Krügel; Thomas Toth
Network and Distributed System Security Symposium | 2002
Christopher Krügel; Thomas Toth
Archive | 2001
Christopher Krügel; Thomas Toth