Anomaly Detection

Anomaly Detection (AD) is a hot topic in the TMA community, and many institutions are doing research in this area. However, anomaly detection has multiple facets and may mean different things to different researchers. Therefore, to facilitate the exchange of information among the participating institutions, we collected some compact information from each and compiled the “knowledge map” below, which can be used as a reference for initiating collaborations in the community.

| Institution | Current research in AD | Keywords | Needing what? |
|---|---|---|---|
| Un. Lancaster (David Hutchison, Kavé Salamatian) | EC projects, namely ANA, INTERSECTION, ECODE and ResumeNet; methodologies for AD; AD on sampled data; distributed AD | Sampling impact, resilience, PCA, Kalman filter, distributed AD | Evaluation environment (testbed and tools) |
| NTUA (Symeon Papavassiliou) | Integrated multi-metric-multi-link (M3L) PCA-based AD; impact of intelligent sampling techniques | PCA, sampling impact | Real packet traces, NetFlow data (sampled and not); tools for generating synthetic anomalies; comparison with other AD methods (focus on sampling impact) |
| TU München (Gerhard Münz) | Univariate and multivariate analysis of NetFlow data | Time series analysis, PCA | Evaluation and comparison of AD mechanisms, especially time-series based mechanisms |
| Un. Twente (Anna Sperotto, Giovane Moura) | Flow-based intrusion detection; statistical modelling of malicious and normal user behaviour; scalable NetFlow-based detection of phishing attacks and botnets | User behaviour profiling, phishing and botnet detection | Access to network and host data (flows, server logs, mail logs) |
| Fraunhofer/Fokus (Tanja Zseby) | Worm detection in DNS traffic, node cooperation for network protection, influence of sampling techniques, IPFIX-based metrics | Sampling techniques, cooperation techniques, IPFIX/PSAMP | Traces (DNS and others) |
| Hebrew Un. Jerusalem (Danny Dolev, Shimrit Tzur, Tal Anker) | Designed and implemented a full network intrusion prevention system (NIPS) based on two novel pattern matching algorithms, with a Snort-compatible syntax; designed and implemented an anomaly-based NIPS to detect DoS/DDoS attacks and web-related attacks | NIDS, NIPS, HW-assisted algorithms, anomaly-based NIPS | Access to logs, or the ability to test our engines in real networks |
| FORTH-ICS (Michalis Polychronakis) | Developed attack detection algorithms that use heuristics on different interpretations of the packet payload | Packet inspection | Would be happy to collaborate on any aspect of payload-based anomaly detection |
| FTW (Alessandro D’Alconzo, Andreas Berger) | AD with applications to 3G networks; novel statistical detection algorithms based on the analysis of time series of traffic feature distributions; ability to associate each individual packet with the Mobile Station (MS) that sent or received it; network-based malware detection; SIP fingerprinting for SPIT and DoS detection | 3G networks, SIP, malware, NIDS, SPIT | Developing/testing models and tools for the generation of synthetic anomalies |
| Un. of Pisa (Christian Callegari) | Development of several AD algorithms based on advanced mathematical tools | Mathematical modelling | Access to real traffic traces to test our algorithms, and comparison with other methods |
| UPC (Barcelona) (Pere Barlet) | Studying the impact of several sampling techniques on AD methods, as well as the design of sampling-resilient anomaly detection techniques using Sampled NetFlow | Sampling impact, sampling-resilient AD | Implementations of AD techniques from others who want to evaluate the impact of sampling on their methods using our measurement point at the Catalan NREN (10GE) |
| NEC Labs Europe (Saverio Niccolini) | Application-layer anomaly detection for (SIP-based) multimedia communications (VoIP/IPTV) | Application layer, VoIP/IPTV, SPIT, SIP | Test algorithms on real packet-level traffic traces or CDRs |
| Orange Labs (Frédéric Guyard) | Singular Spectrum Analysis based method for online detection of anomalies in time series; application to the detection of anomalies in QoExperience indicator time series | Spectral analysis, QoExperience | Cross-comparison of the methodology with existing ones |
| DANTE (Maurizio Molina) | Quantitative cross-comparison of commercial tools for AD on the GÉANT network | Commercial tools benchmarking and deployment | Synthetic anomaly injection to test/tune tools; cross-comparison with novel methodologies |
| ETH Zurich (Daniela Brauckhoff, Bernhard Tellenbach, Martin Burkhart, Xenofontas Dimitropoulos) | Anomaly injection in NetFlow traffic traces (FLAME tool), multi-domain privacy-preserving computation of AD metrics, use of Tsallis entropy for AD, histogram analysis | Synthetic anomaly generation, privacy, entropy | Extend the FLAME anomaly library |
| CICANT, Univ. Lusófona (Nuno Garcia) | Self-similarity analysis on multidimensional characteristics of trace flows applied to AD | Mathematical modelling | Access to IP packet traces, with or without payload |
| LAAS.fr (Philippe Owezarski) | Distributed anomaly detection and classification, assessment and validation of IDS, anomalous traffic modelling and generation, malicious traffic analysis | Anomaly classification, synthetic anomaly generation, NIDS validation, malicious traffic analysis | Build a common database of anomalous traces |
| ENST (Dario Rossi, Olivier Cappé, Céline Lévy-Leduc, A. Lung-Yut-Fong, F. Roueff) | Distributed network AD; AD using NetFlow records and statistical methods | Mathematical modelling, statistics | Access to real traffic traces to test our algorithms (or the ability to test them in real networks) |
| ENS Lyon – CNRS, SiSyPhe Group (Patrice Abry, Pierre Borgnat, Guillaume Dewaele) | Traffic and anomaly classification, benchmarking of AD, longitudinal studies of anomalies | Multiresolution methods, statistics | Promote comparisons of AD methods (through exchanges of implemented methods and traces) |
| UPV/EHU (Bilbao), University of the Basque Country (Armando Ferro) | Analysis of traffic load and algorithm impact on computing performance; a NIPS based on a multiprocessor architecture; performance modelling; ADAMANTIUM EC project related to QoE and VoIP/IPTV provision (SIP-based) | Performance modelling, parallel computing, packet inspection, QoExperience | Academic tools for traffic analysis; access to logs for modelling; algorithms for testing; test our engines in real research networks |
| University of Napoli Federico II (Antonio Pescapè) | Distributed architecture for real-time intrusion detection: traffic monitoring, information fusion, intrusion reaction; reputation models; behaviour profiling: botnet detection, wireless security; signal processing approaches for volume-based anomalies | Distributed detection architecture, user behaviour profiling, volume-based anomalies | Real traces with anomalies, machine learning algorithms, comparison with other techniques |
| VTT (Jorma Kilpi) | AD on server log data and security data; tools for telecom network monitoring | Data mining, security, data clustering, self-organizing maps (SOM), server logs, network-level analysis | Real data for algorithm benchmarking; exchanging knowledge about AD algorithms and their practical benchmarking |
| UvA & AGH (M. Mandjes, P. Zuraniewski) | Statistical tools for (quasi-)online detection of changes in model parameters in the analysed time series | Statistical analysis, changepoint detection | Access to real data traces of specified traffic (VoIP) |
| University of Jyväskylä (Tapani Ristaniemi) | Detection of deviation from normal behaviour in high-dimensional systems; protection of complex systems against a huge variety of new threats, not just classical cases, while predicting the emergence of performance degradation | Mathematical modelling, statistics | Access to real data sets for validation |
| AGH University of Science and Technology (Lucjan Janowski) | Traffic modelling focused on detecting DDoS and its influence on user QoS/QoE; also interested in writing a tool that eases comparison between different AD algorithms implemented in MATLAB | DDoS, traffic modelling, MATLAB, QoS/QoE | Traces containing DDoS attacks |
| Universidad Autónoma de Madrid (Felipe Mata) | Evaluation and development of new AD algorithms exploiting MRTG and NetFlow records, in order to apply them to the detection of changes that can inform capacity planning decisions | Capacity planning, MRTG | |