02. – 06. März 2008, Dagstuhl-Perspektive-Workshop 08102

Network Attack Detection and Defense


Georg Carle (TU München, DE)
Falko Dressler (Universität Erlangen-Nürnberg, DE)
Richard A. Kemmerer (University of California – Santa Barbara, US)
Hartmut König (BTU Cottbus, DE)
Christopher Kruegel (University of California – Santa Barbara, US)

Auskunft zu diesem Dagstuhl-Perspektive-Workshop erteilt

Dagstuhl Service Team


Dagstuhl Seminar Proceedings DROPS
Dagstuhl's Impact: Dokumente verfügbar


The increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The growing potential of threats, which make these systems more and more vulnerable, is caused by the complexity of the technologies themselves and by the growing number of individuals which are able to abuse the systems. Subversive insiders, hackers, and terrorists get better and better opportunities for attacks. In industrial countries this concerns both numerous companies and the critical infrastructures, e.g. the health care system, the traffic system, power supply, trade (in particular e-commerce), or the military protection.

In today’s Internet there is a ubiquitous threat of attacks for each user. Most well-known examples are denial of service attacks and spam mails. However, the range of threats to the Internet and its users has become meanwhile much broader. It ranges from worm attacks via the infiltration of malware till sophisticated intrusions into dedicated computer systems. The Internet itself provides the means to automate attack execution and to make them more and more sophisticated. The protection against these threats and the mitigation of their effects has become a crucial issue for the use of the Internet. Complementary to preventive security measures, reactive approaches are increasingly applied to counter these threats. Reactive approaches allow detecting ongoing attacks and to trigger responses and counter measures to prevent further damage.

Network monitoring and flow analysis has been developed as complementary approach for the detection of network attacks. They aim at the detection of network anomalies based on traffic measurements. Their importance arose with the increasing appearance of denial of service attacks and worm evasions, which are less efficient to detect with intrusion detection systems.

Reactive measures comprise beside the classical virus scanner intrusion detection and flow analysis. The development of intrusion detection systems began already in the eighties. Intrusion detection systems possess a prime importance as reactive measures. They pursue two complementary approaches: anomaly detection, which aims at the exposure of abnormal user behavior, and misuse detection, which focuses on the detection of attacks in audit trails described by patterns of known security violations. A wide range of commercial intrusion detection products has been offered meanwhile; especially for misuse detection. The deployment of the intrusion detection technology still evokes a lot of unsolved problems. These concern among others the still high false positive rate in practical use, the scalability of the supervised domains, and explanatory power of anomaly-based intrusion indications. In recent years intrusion detection has received a wider research interest which increased the efficiency of the technology, in particular in connection with other approaches e.g. firewalling, honeypots, intrusion prevention.

In recent years network monitoring and flow analysis has been developed as com-plementary approach for the detection of network attacks. Flow analysis aims at the detection of network anomalies based on traffic measurements. Their importance arose with the increasing appearance of denial of service attacks and worm evasions which are less efficient to detect with intrusion detection systems. The flow analysis community developed two approaches for high speed data collection: flow monitoring and packet sampling. Flow monitoring aims to collect statistical information about specific portions of the overall network traffic, e.g. information about end-to-end transport layer connections. On the other hand, packet sampling reduces the traffic using explicit filters or statistical sampling algorithms.

There is an urgent need to coordinate the research activities in intrusion detection and network monitoring. For example, sampling and flow monitoring have been developed as important methods in the network monitoring field (for accounting, charging, and security). They are more and more applied for attack detection (anomaly detection, flow based signatures). This, however, requires a close cooperation of the two communities. The same applies to the intrusion detection community for the detection of worm epidemics and denial of service attacks. Here traffic analysis can help to make the detection procedure more effective. This objective makes the subject of the seminar to be rather cross-disciplinary.

Related Dagstuhl-Perspektive-Workshop


  • Security / Cryptography
  • Networks


  • Intrusion detection and prevention
  • Attack response and countermeasures
  • Reactive security
  • Automated security
  • Survivability and self-protection
  • Malware
  • Vulnerability analysis
  • Risk assessment
  • Network monitoring
  • Flow analysis
  • Denial of service detection and response
  • Event correlation


In der Reihe Dagstuhl Reports werden alle Dagstuhl-Seminare und Dagstuhl-Perspektiven-Workshops dokumentiert. Die Organisatoren stellen zusammen mit dem Collector des Seminars einen Bericht zusammen, der die Beiträge der Autoren zusammenfasst und um eine Zusammenfassung ergänzt.


Download Übersichtsflyer (PDF).

Dagstuhl's Impact

Bitte informieren Sie uns, wenn eine Veröffentlichung ausgehend von Ihrem Seminar entsteht. Derartige Veröffentlichungen werden von uns in der Rubrik Dagstuhl's Impact separat aufgelistet  und im Erdgeschoss der Bibliothek präsentiert.


Es besteht weiterhin die Möglichkeit, eine umfassende Kollektion begutachteter Arbeiten in der Reihe Dagstuhl Follow-Ups zu publizieren.