Intrusion Detection and Honeypots

Today, IT systems are under attack all the time. Intrusion detection systems (IDS) are used to distinguish legitimate from malicious access. Usually, IDS identify attacks on the basis of stored patterns or abnormal network traffic. The reaction to attacks – alarm notification to administrators, automatic preventive mechanisms, migration of services, … - strongly depends on both the kind of attack and the application area where the components under attack are integrated.

  • Complex Heterogeneous Sensor Setups
  • In-Time Rating, Warning and Alerting for Situational Awareness
  • Automated Signature Generation
  • Cluster-Based Anomaly Detection
  • Multi-Stage Attack Correlation
  • DNS based IDS Alerting

For the collection of attack patterns and for a profound classification of the corresponding threat potential, “honeypots” turned out to be extraordinarily useful. Basically, honeypots are “victim systems” which keep track of attacks in a controlled way. Thus, they provide deep insight into the approach taken by the attacker and – in some cases - into the internal mechanisms of the malware captured.

  • Proactive Attack Sensors complement Intrusion Detection
  • Automation of Attack Analysis and Classification
  • Active Sensor Development
  • Malware Traps

The work group Communication Systems has more than 10 years of experience in this field. In close co-operation with the Federal Office for Information Security (BSI) these activities have been substantially intensified since 2007.

As a central component of comprehensive, real-world oriented research, the work group operates a system of different honeypots with sensors within the networks of different internet service providers. Valuable information is also collected via several sensors inside the university network as well as from the extensive integration into both the national and the international “honeypot community”. Some honeypot components developed by members of the work group have been deployed world-wide.

Our >>> SecLab pages provide a realtime overview of automated analysis results for the data we collect in our honeynet. Trends like the amount of attacks, the geographic locations of attacking systems, or collected malware can help in detecting new phenomenons as worm outbreaks or novel and area-wide exploited vulnerabilities. The sensor systems and analysis methods are being constantly improved and further developed to increase the lab's early threat detection capabilities.

The work group is proud of Tillmann Werner who received the AFCEA student award 2008 for his diploma thesis on “automatic generation of complex intrusion detection signatures”. The thesis shows innovative ways how to automatically compute detection patterns from samples collected in honeypot systems. This allows for a rapid integration into intrusion detection systems and may improve the protection from attacks unknown so far. After finishing his diploma in computer science, Tillmann Werner joined the work group as a scientific assistant.


For further information please contact: