Despite Intrusion Detection Systems (IDSes) becoming more and more sophisticated, their users still struggle with a high number of false-positive alarms and over-alerting, one of many factors that lead to alarm fatigue.
Existing security solutions for rapidly-changing, modern clouds still struggle with too many false-positive alarms. We research methods that provide stronger indicators of compromise and better causal dependencies between events. This lets us identify long-running, multi-step cyber attacks while providing context-relevant explanations.
Existing security solutions struggle to keep pace with the ever-increasing complexity of modern cloud applications because they often provide too many false-positive or irrelevant alarms. We envision that the next generation of security solutions needs to analyze more aspects of applications at runtime and should better assess the relevance of security alarms, especially in rapidly-changing and heavily interconnected cloud applications. Research that enables this vision revolves around enriching security alarms with contextual knowledge, establishing causal dependencies between alarms by design, and analyzing security alarms from a variety of data sources.
On the one hand, we focus on designing indicators of compromise that are tailored to the application and provide proper context information. On the other hand, we are enriching existing intrusion detection algorithms so that they can process data from a variety of sources, while emphasizing causal links instead of simple correlations. Finally, we implement and evaluate most of our prototypes in modern cloud environments that closely mirror production environments.
Our latest research projects cover the following topics:
- Reconstruction of long-running, multi-step cyber attacks
- Anomaly detection in distributed tracing data
- Detection of reconnaissance attempts in web applications
- Assessing the severity of vulnerabilities by analyzing their external reachability