Motivation
With the increasing networking of IT systems, the threat to them rises as well. As the BSI status report on IT security shows, the number of attacks on IT systems connected to the Internet continues to grow. The goals of such attacks include limiting the availability of services and stealing information. In many cases the result is severe damage to public image and financial losses running into the billions. Effective protection against such attacks and threats is therefore in the interest of the system operator. Cyber war and cloud computing are current topics, and new innovations on the attackers' side are to be expected in these areas too.
Classical approaches to protection are based on the principle of misuse detection. Here, threats and attacks are described, and these patterns are then explicitly searched for in the network traffic. Snort is an example of a misuse detection system that follows this approach. The drawback of misuse detection is that concrete threats must already be known, because only then can a detailed description of an attack be created. Previously unknown attacks cannot be identified this way. This gap is filled by anomaly detection: instead of describing bad behavior, it describes good behavior. Based on these descriptions, one searches for deviations and reports them as events.
A challenge inherent in the anomaly detection approach is that deviations from the norm do not occur only during attacks; other forms of abnormal behavior are also found. These can be, for example, a simple download taking place at an unusual time, or the use of a service that has not been used before. A particular problem is the characterization of normal behavior: it is hard to describe what is normal and what is not. This generally leads to many reported events of detected deviations and thus to an increased workload for the administrator. Innovative techniques to reduce the number of event messages are therefore necessary. In addition, an appropriate description of normal behavior has to be found, one that allows a precise overview and provides a good characterization of the normal state of an IT system.
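To make the contrast between the two principles concrete, here is an added illustration that is not code from the iAID project: misuse detection as an explicit bad pattern versus anomaly detection as a baseline of good behavior, both applied to constructed flow records (hour, source, destination port, bytes) without any packet payload. The constructed signature (a blocked port) and the three deviation classes are assumptions for the example; the off-hours download in the sample shows the benign-deviation problem described above.

```python
# Added illustration (not iAID project code): misuse vs. anomaly detection
# over constructed flow records. No packet contents are inspected.
from collections import defaultdict
from statistics import mean

# Constructed "normal" flows: (hour, src, dst_port, bytes).
BASELINE_FLOWS = [(h, "10.0.0.5", 443, 120_000 + 10_000 * (h % 3)) for h in range(8, 18)] \
               + [(h, "10.0.0.5", 22, 4_000) for h in range(9, 12)]

# Misuse detection: a known bad pattern is described explicitly.
# Here the constructed "signature" is simply a forbidden destination port.
KNOWN_BAD_PORTS = {23}  # assumption for the example: telnet is not allowed

def misuse_events(flows):
    """Report only flows matching an explicitly described bad pattern."""
    return [f for f in flows if f[2] in KNOWN_BAD_PORTS]

# Anomaly detection: describe the good behaviour, report deviations from it.
def build_baseline(flows):
    """Per (src, port): hours at which it was seen and mean bytes per flow."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for h, src, port, nbytes in flows:
        hours[(src, port)].add(h)
        sizes[(src, port)].append(nbytes)
    return {k: (hours[k], mean(sizes[k])) for k in hours}

def anomaly_events(flows, baseline, factor=3.0):
    """Flag unknown services, unusual hours, and unusually large flows."""
    events = []
    for h, src, port, nbytes in flows:
        key = (src, port)
        if key not in baseline:
            events.append(("unknown-service", h, src, port))
        elif h not in baseline[key][0]:
            events.append(("unusual-time", h, src, port))
        elif nbytes > factor * baseline[key][1]:
            events.append(("unusual-volume", h, src, port))
    return events

# Constructed traffic to evaluate against the baseline.
NEW_FLOWS = [
    (10, "10.0.0.5", 443, 125_000),   # ordinary: within the baseline, no event
    (23, "10.0.0.5", 443, 900_000),   # benign off-hours download: anomaly event
    (11, "10.0.0.5", 23, 1_500),      # telnet: caught by misuse AND anomaly
    (11, "10.0.0.5", 3389, 50_000),   # service never seen before: anomaly only
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("misuse:", misuse_events(NEW_FLOWS))
    print("anomaly:", anomaly_events(NEW_FLOWS, base))
```

The misuse detector finds only the one flow it has a description for, while the anomaly detector also reports the never-seen service and the benign off-hours download, which is exactly the extra administrator workload the text describes.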
A further challenge also needs to be solved. Techniques for misuse detection and anomaly detection typically use deep packet inspection, i.e. a complete analysis of the contents of the exchanged packets up to the application layer, in order to monitor the growing network traffic. Documented bandwidths that were once in the Mbit/s range are now in the Gbit/s range (e.g. DE-CIX had an average throughput of 1,123 Gbit/s in May 2012). At such bandwidths the use of deep packet inspection becomes a performance problem: the detection systems performing the analysis must be ever more powerful, and achieving this at a reasonable cost is difficult. Innovative techniques are therefore needed that also allow lines with much higher bandwidths to be monitored at an acceptable cost. Previous approaches that attempt to solve this problem rely on strong aggregation of the data. This, however, limits the information content of the data and permits only certain types of analysis.
A third challenge arises in the analysis of network traffic itself. The interference with users' rights caused by analyzing flow data is manageable. If deep packet inspection is used, however, strict privacy requirements have to be met, and even the German law on the secrecy of telecommunications is affected. A detailed analysis of packets ultimately means access to particularly sensitive personal information contained in the communication. In corporate networks this can be regulated through agreements with employees; the study of transit traffic, by contrast, is no longer possible without difficulty. It is therefore necessary to develop innovative technologies that enable a privacy-compliant analysis of the resulting traffic.
The iAID project is devoted to these problems.