@inproceedings{KurbelNowakAzodietal.2015,
  author    = {Kurbel, Karl and Nowak, Dawid and Azodi, Amir and Jaeger, David and Meinel, Christoph and Cheng, Feng and Sapegin, Andrey and Gawron, Marian and Morelli, Frank and Stahl, Lukas and Kerl, Stefan and Janz, Mariska and Hadaya, Abdulmasih and Ivanov, Ivaylo and Wiese, Lena and Neves, Mariana and Schapranow, Matthieu-Patrick and F{\"a}hnrich, Cindy and Feinbube, Frank and Eberhardt, Felix and Hagen, Wieland and Plauth, Max and Herscheid, Lena and Polze, Andreas and Barkowsky, Matthias and Dinger, Henriette and Faber, Lukas and Montenegro, Felix and Czach{\´o}rski, Tadeusz and Nycz, Monika and Nycz, Tomasz and Baader, Galina and Besner, Veronika and Hecht, Sonja and Schermann, Michael and Krcmar, Helmut and Wiradarma, Timur Pratama and Hentschel, Christian and Sack, Harald and Abramowicz, Witold and Sokolowska, Wioletta and Hossa, Tymoteusz and Opalka, Jakub and Fabisz, Karol and Kubaczyk, Mateusz and Cmil, Milena and Meng, Tianhui and Dadashnia, Sharam and Niesen, Tim and Fettke, Peter and Loos, Peter and Perscheid, Cindy and Schwarz, Christian and Schmidt, Christopher and Scholz, Matthias and Bock, Nikolai and Piller, Gunther and B{\"o}hm, Klaus and Norkus, Oliver and Clark, Brian and Friedrich, Bj{\"o}rn and Izadpanah, Babak and Merkel, Florian and Schweer, Ilias and Zimak, Alexander and Sauer, J{\"u}rgen and Fabian, Benjamin and Tilch, Georg and M{\"u}ller, David and Pl{\"o}ger, Sabrina and Friedrich, Christoph M. and Engels, Christoph and Amirkhanyan, Aragats and van der Walt, Est{\´e}e and Eloff, J. H. P. and Scheuermann, Bernd and Weinknecht, Elisa},
  title     = {HPI Future SOC Lab},
  editor    = {Meinel, Christoph and Polze, Andreas and Oswald, Gerhard and Strotmann, Rolf and Seibold, Ulrich and Schulzki, Bernhard},
  url       = {http://nbn-resolving.de/urn:nbn:de:kobv:517-opus4-102516},
  pages     = {iii, 154},
  year      = {2015},
  abstract  = {Das Future SOC Lab am HPI ist eine Kooperation des Hasso-Plattner-Instituts mit verschiedenen Industriepartnern. Seine Aufgabe ist die Erm{\"o}glichung und F{\"o}rderung des Austausches zwischen Forschungsgemeinschaft und Industrie. Am Lab wird interessierten Wissenschaftlern eine Infrastruktur von neuester Hard- und Software kostenfrei f{\"u}r Forschungszwecke zur Verf{\"u}gung gestellt. Dazu z{\"a}hlen teilweise noch nicht am Markt verf{\"u}gbare Technologien, die im normalen Hochschulbereich in der Regel nicht zu finanzieren w{\"a}ren, bspw. Server mit bis zu 64 Cores und 2 TB Hauptspeicher. Diese Angebote richten sich insbesondere an Wissenschaftler in den Gebieten Informatik und Wirtschaftsinformatik. Einige der Schwerpunkte sind Cloud Computing, Parallelisierung und In-Memory Technologien. In diesem Technischen Bericht werden die Ergebnisse der Forschungsprojekte des Jahres 2015 vorgestellt. Ausgew{\"a}hlte Projekte stellten ihre Ergebnisse am 15. April 2015 und 4. November 2015 im Rahmen der Future SOC Lab Tag Veranstaltungen vor.},
  language  = {en}
}
@phdthesis{Jaeger2018,
  author    = {Jaeger, David},
  title     = {Enabling Big Data security analytics for advanced network attack detection},
  doi       = {10.25932/publishup-43571},
  url       = {http://nbn-resolving.de/urn:nbn:de:kobv:517-opus4-435713},
  school      = {Universit{\"a}t Potsdam},
  pages     = {XVII, 201, XXXIII},
  year      = {2018},
  abstract  = {The last years have shown an increasing sophistication of attacks against enterprises. Traditional security solutions like firewalls, anti-virus systems and generally Intrusion Detection Systems (IDSs) are no longer sufficient to protect an enterprise against these advanced attacks. One popular approach to tackle this issue is to collect and analyze events generated across the IT landscape of an enterprise. This task is achieved by the utilization of Security Information and Event Management (SIEM) systems. However, the majority of the currently existing SIEM solutions is not capable of handling the massive volume of data and the diversity of event representations. Even if these solutions can collect the data at a central place, they are neither able to extract all relevant information from the events nor correlate events across various sources. Hence, only rather simple attacks are detected, whereas complex attacks, consisting of multiple stages, remain undetected. Undoubtedly, security operators of large enterprises are faced with a typical Big Data problem. In this thesis, we propose and implement a prototypical SIEM system named Real-Time Event Analysis and Monitoring System (REAMS) that addresses the Big Data challenges of event data with common paradigms, such as data normalization, multi-threading, in-memory storage, and distributed processing. In particular, a mostly stream-based event processing workflow is proposed that collects, normalizes, persists and analyzes events in near real-time. In this regard, we have made various contributions in the SIEM context. First, we propose a high-performance normalization algorithm that is highly parallelized across threads and distributed across nodes. Second, we are persisting into an in-memory database for fast querying and correlation in the context of attack detection. Third, we propose various analysis layers, such as anomaly- and signature-based detection, that run on top of the normalized and correlated events. As a result, we demonstrate our capabilities to detect previously known as well as unknown attack patterns. Lastly, we have investigated the integration of cyber threat intelligence (CTI) into the analytical process, for instance, for correlating monitored user accounts with previously collected public identity leaks to identify possible compromised user accounts. In summary, we show that a SIEM system can indeed monitor a large enterprise environment with a massive load of incoming events. As a result, complex attacks spanning across the whole network can be uncovered and mitigated, which is an advancement in comparison to existing SIEM systems on the market.},
  language  = {en}
}
@article{JaegerGraupnerPelchenetal.2018,
  author    = {Jaeger, David and Graupner, Hendrik and Pelchen, Chris and Cheng, Feng and Meinel, Christoph},
  title     = {Fast Automated Processing and Evaluation of Identity Leaks},
  series = {International journal of parallel programming},
  volume    = {46},
  journal   = {International journal of parallel programming},
  number    = {2},
  publisher = {Springer},
  address   = {New York},
  issn      = {0885-7458},
  doi       = {10.1007/s10766-016-0478-6},
  pages     = {441 -- 470},
  year      = {2018},
  abstract  = {The relevance of identity data leaks on the Internet is more present than ever. Almost every week we read about leakage of databases with more than a million users in the news. Smaller but not less dangerous leaks happen even multiple times a day. The public availability of such leaked data is a major threat to the victims, but also creates the opportunity to learn not only about security of service providers but also the behavior of users when choosing passwords. Our goal is to analyze this data and generate knowledge that can be used to increase security awareness and security, respectively. This paper presents a novel approach to the processing and analysis of a vast majority of bigger and smaller leaks. We evolved from a semi-manual to a fully automated process that requires a minimum of human interaction. Our contribution is the concept and a prototype implementation of a leak processing workflow that includes the extraction of digital identities from structured and unstructured leak-files, the identification of hash routines and a quality control to ensure leak authenticity. By making use of parallel and distributed programming, we are able to make leaks almost immediately available for analysis and notification after they have been published. Based on the data collected, this paper reveals how easy it is for criminals to collect lots of passwords, which are plain text or only weakly hashed. We publish those results and hope to increase not only security awareness of Internet users but also security on a technical level on the service provider side.},
  language  = {en}
}
@article{SapeginJaegerChengetal.2017,
  author    = {Sapegin, Andrey and Jaeger, David and Cheng, Feng and Meinel, Christoph},
  title     = {Towards a system for complex analysis of security events in large-scale networks},
  series = {Computers \& security : the international journal devoted to the study of the technical and managerial aspects of computer security},
  volume    = {67},
  journal   = {Computers \& security : the international journal devoted to the study of the technical and managerial aspects of computer security},
  publisher = {Elsevier Science},
  address   = {Oxford},
  issn      = {0167-4048},
  doi       = {10.1016/j.cose.2017.02.001},
  pages     = {16 -- 34},
  year      = {2017},
  abstract  = {After almost two decades of development, modern Security Information and Event Management (SIEM) systems still face issues with normalisation of heterogeneous data sources, high number of false positive alerts and long analysis times, especially in large-scale networks with high volumes of security events. In this paper, we present our own prototype of SIEM system, which is capable of dealing with these issues. For efficient data processing, our system employs in-memory data storage (SAP HANA) and our own technologies from the previous work, such as the Object Log Format (OLF) and high-speed event normalisation. We analyse normalised data using a combination of three different approaches for security analysis: misuse detection, query-based analytics, and anomaly detection. Compared to the previous work, we have significantly improved our unsupervised anomaly detection algorithms. Most importantly, we have developed a novel hybrid outlier detection algorithm that returns ranked clusters of anomalies. It lets an operator of a SIEM system to concentrate on the several top-ranked anomalies, instead of digging through an unsorted bundle of suspicious events. We propose to use anomaly detection in a combination with signatures and queries, applied on the same data, rather than as a full replacement for misuse detection. In this case, the majority of attacks will be captured with misuse detection, whereas anomaly detection will highlight previously unknown behaviour or attacks. We also propose that only the most suspicious event clusters need to be checked by an operator, whereas other anomalies, including false positive alerts, do not need to be explicitly checked if they have a lower ranking. We have proved our concepts and algorithms on a dataset of 160 million events from a network segment of a big multinational company and suggest that our approach and methods are highly relevant for modern SIEM systems.},
  language  = {en}
}
@book{ZhangPlauthEberhardtetal.2020,
  author    = {Zhang, Shuhao and Plauth, Max and Eberhardt, Felix and Polze, Andreas and Lehmann, Jens and Sejdiu, Gezim and Jabeen, Hajira and Servadei, Lorenzo and M{\"o}stl, Christian and B{\"a}r, Florian and Netzeband, Andr{\´e} and Schmidt, Rainer and Knigge, Marlene and Hecht, Sonja and Prifti, Loina and Krcmar, Helmut and Sapegin, Andrey and Jaeger, David and Cheng, Feng and Meinel, Christoph and Friedrich, Tobias and Rothenberger, Ralf and Sutton, Andrew M. and Sidorova, Julia A. and Lundberg, Lars and Rosander, Oliver and Sk{\"o}ld, Lars and Di Varano, Igor and van der Walt, Est{\´e}e and Eloff, Jan H. P. and Fabian, Benjamin and Baumann, Annika and Ermakova, Tatiana and Kelkel, Stefan and Choudhary, Yash and Cooray, Thilini and Rodr{\´i}guez, Jorge and Medina-P{\´e}rez, Miguel Angel and Trejo, Luis A. and Barrera-Animas, Ari Yair and Monroy-Borja, Ra{\´u}l and L{\´o}pez-Cuevas, Armando and Ram{\´i}rez-M{\´a}rquez, Jos{\´e} Emmanuel and Grohmann, Maria and Niederleithinger, Ernst and Podapati, Sasidhar and Schmidt, Christopher and Huegle, Johannes and de Oliveira, Roberto C. L. and Soares, F{\´a}bio Mendes and van Hoorn, Andr{\´e} and Neumer, Tamas and Willnecker, Felix and Wilhelm, Mathias and Kuster, Bernhard},
  title     = {HPI Future SOC Lab - Proceedings 2017},
  number    = {130},
  editor    = {Meinel, Christoph and Polze, Andreas and Beins, Karsten and Strotmann, Rolf and Seibold, Ulrich and R{\"o}dszus, Kurt and M{\"u}ller, J{\"u}rgen},
  publisher = {Universit{\"a}tsverlag Potsdam},
  address   = {Potsdam},
  isbn      = {978-3-86956-475-3},
  issn      = {1613-5652},
  doi       = {10.25932/publishup-43310},
  url       = {http://nbn-resolving.de/urn:nbn:de:kobv:517-opus4-433100},
  publisher      = {Universit{\"a}t Potsdam},
  pages     = {ix, 235},
  year      = {2020},
  abstract  = {The "HPI Future SOC Lab" is a cooperation of the Hasso Plattner Institute (HPI) and industry partners. Its mission is to enable and promote exchange and interaction between the research community and the industry partners. The HPI Future SOC Lab provides researchers with free of charge access to a complete infrastructure of state of the art hard and software. This infrastructure includes components, which might be too expensive for an ordinary research environment, such as servers with up to 64 cores and 2 TB main memory. The offerings address researchers particularly from but not limited to the areas of computer science and business information systems. Main areas of research include cloud computing, parallelization, and In-Memory technologies. This technical report presents results of research projects executed in 2017. Selected projects have presented their results on April 25th and November 15th 2017 at the Future SOC Lab Day events.},
  language  = {en}
}