The detection of attacks on large administrative network domains, e.g., an enterprise network consisting of multiple subnets, is nowadays usually accomplished centrally by analyzing the data traffic on the uplink to the Internet. This allows attacks from the Internet to be detected, but has substantial disadvantages: insider attacks cannot be detected, whether they are initiated deliberately or triggered by compromised (private) devices. Network-wide distributed monitoring would be a useful alternative to the established procedures, but it faces a number of still unsolved problems:
In security monitoring, flow aggregation and deep packet inspection (DPI) are usually carried out separately. Flow analysis so far considers only accounting information up to the transport layer. New technologies, such as virtual networks, dilute the transport-layer information obtained from flow aggregation, because the same IP addresses now represent different systems. In addition, new protocols, such as HTTP/2, further complicate the analysis because the required context is often missing, e.g., whether a stream is a single connection or multiplexed. Likewise, DPI often operates blindly, since there is no contextual information about the observed application.
In the proposed research project, the methods of flow aggregation and DPI will be used complementarily. Key aspects of the investigation are a significant reduction of the data volume to be analyzed at the network sensor, the examination of alarm relevance, the monitoring of data flows also in virtual environments, the analysis of encrypted traffic to infer the applications and protocols in use, and methods for cooperative analysis within the administrative domain. Problems to be solved include: an accurate identification of applications (including observed protocol dialects, if distinguishable) that provides context for the DPI and allows the signature bases to be adapted dynamically to that context; an efficient aggregation of security information from the application layer into AppFlows so that analyses can be relocated; the aggregation of information beneath the network layer to enable the integration of virtual systems into the monitoring; and the extraction of parameters from the initiating handshakes of encrypted channels during connection establishment, in order to detect vulnerabilities caused by outdated cryptographic methods.