TY - THES
A1 - Roschke, Sebastian
T1 - Towards high quality security event correlation using in-memory and multi-core processing
Y1 - 2011
CY - Potsdam
ER -

TY - JOUR
A1 - Roschke, Sebastian
A1 - Cheng, Feng
A1 - Meinel, Christoph
T1 - An alert correlation platform for memory-supported techniques
JF - Concurrency and computation : practice & experience
N2 - Intrusion Detection Systems (IDS) are widely deployed in practice for detecting malicious behavior in network communication and on hosts. False-positive alerts are a common problem for most IDS approaches. The solution to this problem is to enhance the detection process by correlation and clustering of alerts. To meet practical requirements, this process needs to finish fast, which is a challenging task as the number of alerts in large-scale IDS deployments is very high. We identify data storage and processing algorithms as the most important factors influencing the performance of clustering and correlation. We propose and implement a highly efficient alert correlation platform. For storage, a column-based database, an in-memory alert store, and memory-based index tables lead to significant performance improvements. For processing, algorithms are designed and implemented that are optimized for in-memory databases, e.g. an attack graph-based correlation algorithm. The platform can be distributed over multiple processing units to share memory and processing power. A standardized interface is designed to provide a unified view of result reports for end users. The efficiency of the platform is tested in practical experiments with several alert storage approaches, multiple algorithms, and both a local and a distributed deployment.
KW - memory-based correlation
KW - memory-based clustering
KW - memory-based databases
KW - IDS management
Y1 - 2012
U6 - https://doi.org/10.1002/cpe.1750
SN - 1532-0626
VL - 24
IS - 10
SP - 1123
EP - 1136
PB - Wiley-Blackwell
CY - Hoboken
ER -

TY - JOUR
A1 - Roschke, Sebastian
A1 - Cheng, Feng
A1 - Meinel, Christoph
T1 - High-quality attack graph-based IDS correlation
JF - Logic journal of the IGPL
N2 - Intrusion Detection Systems are widely deployed in computer networks. As modern attacks become more sophisticated and the number of sensors and network nodes grows, the problem of false positives and alert analysis becomes harder to solve. Alert correlation was proposed to analyse alerts and to decrease false positives. Knowledge about the target system or environment is usually necessary for efficient alert correlation. To represent the environment information as well as potential exploits, the existing vulnerabilities and the Attack Graph (AG) built from them are used. It is useful for networks to generate an AG and to organize the relevant vulnerabilities in a structured way. In this article, a correlation algorithm based on AGs is designed that is capable of detecting multiple attack scenarios for forensic analysis. It can be parameterized to adjust robustness and accuracy. A formal model of the algorithm is presented and an implementation is tested to analyse the different parameters on a real set of alerts from a local network. To improve the speed of the algorithm, a multi-core version is proposed, and an HMM-supported version can be used to further improve the quality. The parallel implementation is tested on a multi-core correlation platform, using CPUs and GPUs.
KW - Correlation
KW - attack graph
KW - HMM
KW - multi-core
KW - IDS
Y1 - 2013
U6 - https://doi.org/10.1093/jigpal/jzs034
SN - 1367-0751
VL - 21
IS - 4
SP - 571
EP - 591
PB - Oxford Univ. Press
CY - Oxford
ER -

TY - BOOK
A1 - Meinel, Christoph
A1 - Willems, Christian
A1 - Roschke, Sebastian
A1 - Schnjakin, Maxim
T1 - Virtualisierung und Cloud Computing : Konzepte, Technologiestudie, Marktübersicht
N2 - Virtualization and Cloud Computing are currently among the most important topics for operators of large ICT infrastructures. There is a large number of different technologies, products, and business models for entirely different application scenarios. The study at hand first gives a detailed overview of the latest developments in concepts and technologies of virtualization, beginning with classic server virtualization, continuing with infrastructures for virtual workplaces, through to application virtualization, and makes an attempt to classify these variants of virtualization. In examining the concept of Cloud Computing, the report introduces its basic principles as well as different architecture variants and use cases. The extensive analysis of the benefits of Cloud Computing and of possible reservations that must be considered when using cloud resources in an enterprise context shows that Cloud Computing offers great opportunities, but is not suitable for every application or for every legal and economic framework. The subsequent market study of virtualization technology shows that each of the major vendors, Citrix, Microsoft, and VMware, offers products for almost every variant of virtualization, and highlights the decisive differences between the products and the respective strengths of the vendors. For example, the Citrix solution for Virtual Desktop Infrastructures is very mature, while Microsoft can only rely on standard technology in this field. VMware, the market leader, is the most widely deployed in data centers and is the only vendor offering true fault tolerance. Microsoft, on the other hand, scores with the seamless integration of its virtualization products into existing Windows-based infrastructures. In the area of Cloud Computing systems, there are several open source software projects that are indeed suitable for the production operation of so-called private clouds.
T3 - Technische Berichte des Hasso-Plattner-Instituts für Digital Engineering an der Universität Potsdam - 44
KW - virtualization
KW - cloud computing
KW - virtual desktop infrastructure
KW - application virtualization
KW - market study
Y1 - 2011
U6 - http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:kobv:517-opus-49708
SN - 978-3-86956-113-4
ER -
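The two Roschke, Cheng and Meinel records above describe correlating IDS alerts against an attack graph so that individual alerts are grouped into multi-step attack scenarios, with a parameter that trades robustness against accuracy. The following Python script is an added illustration of that idea and is not the algorithm from either paper: the attack graph, the signature-to-node mapping, the sample alert stream and the `max_hops` and `window` parameters are all constructed here for the example. An alert is appended to an existing scenario when its graph node is reachable from the scenario's last node within `max_hops` edges, it arrives within `window` seconds, and it shares a host with the previous alert; `max_hops` above 1 tolerates steps the sensors missed, at the cost of joining unrelated alerts more readily.

```python
"""Toy attack-graph-based alert correlation (added example, not the papers' algorithm)."""
from collections import deque
from dataclasses import dataclass

# Constructed attack graph: node -> nodes an attacker can reach in one step.
ATTACK_GRAPH = {
    "recon:portscan": ["web:sqli"],
    "web:sqli": ["web:shell", "db:dump"],
    "web:shell": ["host:privesc"],
    "mail:phish": ["host:privesc"],
    "host:privesc": ["lateral:smb"],
    "db:dump": [],
    "lateral:smb": [],
}

# Constructed mapping from IDS signature names to attack-graph nodes.
SIG_TO_NODE = {
    "Nmap SYN scan": "recon:portscan",
    "SQL injection attempt": "web:sqli",
    "Web shell upload": "web:shell",
    "Suspicious setuid execution": "host:privesc",
    "SMB admin share access": "lateral:smb",
    "Phishing attachment": "mail:phish",
}


@dataclass(frozen=True)
class Alert:
    ts: int    # seconds since start of capture
    sig: str   # IDS signature name
    src: str
    dst: str


@dataclass
class Scenario:
    alerts: list
    last_node: str


def hops_between(graph, start, target, max_hops):
    """Bounded breadth-first search: edge count from start to target if it is
    at most max_hops, otherwise None. A repeat of the same node is not progress."""
    if start == target:
        return None
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for nxt in graph.get(node, []):
            if nxt == target:
                return depth + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None


def correlate(alerts, graph=ATTACK_GRAPH, sig_to_node=SIG_TO_NODE,
              max_hops=1, window=3600):
    """Group alerts into attack scenarios along the attack graph.

    Returns (scenarios, unmapped): scenarios is a list of alert lists in time
    order; unmapped holds alerts whose signature has no node in the graph.
    """
    scenarios, unmapped = [], []
    for alert in sorted(alerts, key=lambda a: a.ts):
        node = sig_to_node.get(alert.sig)
        if node is None:
            unmapped.append(alert)
            continue
        best, best_hops = None, None
        for sc in scenarios:
            last = sc.alerts[-1]
            if alert.ts - last.ts > window:
                continue                      # too old to be the same campaign
            if not {alert.src, alert.dst} & {last.src, last.dst}:
                continue                      # no host in common: different path
            h = hops_between(graph, sc.last_node, node, max_hops)
            if h is not None and (best_hops is None or h < best_hops):
                best, best_hops = sc, h       # prefer the closest graph step
        if best is None:
            scenarios.append(Scenario([alert], node))
        else:
            best.alerts.append(alert)
            best.last_node = node
    return [sc.alerts for sc in scenarios], unmapped


# Constructed sample stream; the web-shell step is deliberately missing so the
# effect of max_hops is visible.
SAMPLE_ALERTS = [
    Alert(0, "Nmap SYN scan", "10.0.0.5", "10.0.1.10"),
    Alert(60, "SQL injection attempt", "10.0.0.5", "10.0.1.10"),
    Alert(100, "ICMP echo request", "10.0.0.7", "10.0.1.10"),   # not in the graph
    Alert(900, "Suspicious setuid execution", "10.0.1.10", "10.0.1.10"),
    Alert(1200, "SMB admin share access", "10.0.1.10", "10.0.1.20"),
    Alert(5000, "Phishing attachment", "mail.example", "10.0.1.30"),
]

if __name__ == "__main__":
    for hops in (1, 2):
        found, skipped = correlate(SAMPLE_ALERTS, max_hops=hops)
        print(f"max_hops={hops}:")
        for sc in found:
            print("   " + " -> ".join(a.sig for a in sc))
        print("   unmapped:", [a.sig for a in skipped])
```

With `max_hops=1` the missing web-shell alert splits the intrusion into two scenarios (scan/SQLi and privesc/SMB); with `max_hops=2` the gap is bridged and one four-step scenario emerges, while the unrelated phishing alert stays separate because it falls outside the time window and shares no host. In a real deployment the graph would be generated from the inventory of vulnerabilities, and the window and hop bound tuned against a labelled alert set, as the cited articles do with real alerts.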