Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Within this website:
External resources:
Within this website:
External resources:
  • the dblp Computer Science Bibliography

Dagstuhl Perspectives Workshop 08102

Network Attack Detection and Defense

( Mar 02 – Mar 06, 2008 )

(Click in the middle of the image to enlarge)

Please use the following short url to reference this page:



The increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The growing potential of threats, which make these systems more and more vulnerable, is caused by the complexity of the technologies themselves and by the growing number of individuals which are able to abuse the systems. Subversive insiders, hackers, and terrorists get better and better opportunities for attacks. In industrial countries this concerns both numerous companies and the critical infrastructures, e.g. the health care system, the traffic system, power supply, trade (in particular e-commerce), or the military protection.

In today’s Internet there is a ubiquitous threat of attacks for each user. Most well-known examples are denial of service attacks and spam mails. However, the range of threats to the Internet and its users has become meanwhile much broader. It ranges from worm attacks via the infiltration of malware till sophisticated intrusions into dedicated computer systems. The Internet itself provides the means to automate attack execution and to make them more and more sophisticated. The protection against these threats and the mitigation of their effects has become a crucial issue for the use of the Internet. Complementary to preventive security measures, reactive approaches are increasingly applied to counter these threats. Reactive approaches allow detecting ongoing attacks and to trigger responses and counter measures to prevent further damage.

Network monitoring and flow analysis has been developed as complementary approach for the detection of network attacks. They aim at the detection of network anomalies based on traffic measurements. Their importance arose with the increasing appearance of denial of service attacks and worm evasions, which are less efficient to detect with intrusion detection systems.

Reactive measures comprise beside the classical virus scanner intrusion detection and flow analysis. The development of intrusion detection systems began already in the eighties. Intrusion detection systems possess a prime importance as reactive measures. They pursue two complementary approaches: anomaly detection, which aims at the exposure of abnormal user behavior, and misuse detection, which focuses on the detection of attacks in audit trails described by patterns of known security violations. A wide range of commercial intrusion detection products has been offered meanwhile; especially for misuse detection. The deployment of the intrusion detection technology still evokes a lot of unsolved problems. These concern among others the still high false positive rate in practical use, the scalability of the supervised domains, and explanatory power of anomaly-based intrusion indications. In recent years intrusion detection has received a wider research interest which increased the efficiency of the technology, in particular in connection with other approaches e.g. firewalling, honeypots, intrusion prevention.

In recent years network monitoring and flow analysis has been developed as com-plementary approach for the detection of network attacks. Flow analysis aims at the detection of network anomalies based on traffic measurements. Their importance arose with the increasing appearance of denial of service attacks and worm evasions which are less efficient to detect with intrusion detection systems. The flow analysis community developed two approaches for high speed data collection: flow monitoring and packet sampling. Flow monitoring aims to collect statistical information about specific portions of the overall network traffic, e.g. information about end-to-end transport layer connections. On the other hand, packet sampling reduces the traffic using explicit filters or statistical sampling algorithms.

There is an urgent need to coordinate the research activities in intrusion detection and network monitoring. For example, sampling and flow monitoring have been developed as important methods in the network monitoring field (for accounting, charging, and security). They are more and more applied for attack detection (anomaly detection, flow based signatures). This, however, requires a close cooperation of the two communities. The same applies to the intrusion detection community for the detection of worm epidemics and denial of service attacks. Here traffic analysis can help to make the detection procedure more effective. This objective makes the subject of the seminar to be rather cross-disciplinary.

  • Joachim Biskup (TU Dortmund, DE) [dblp]
  • Lothar Braun (Universität Tübingen, DE) [dblp]
  • Torsten Braun (Universität Bern, CH)
  • Roland Büschkes (RWE AG - Essen, DE)
  • Georg Carle (TU München, DE) [dblp]
  • Marc C. Dacier (Institut Eurécom, Sophia-Antipolis Cedex, FR) [dblp]
  • Hervé Debar (Orange Labs - Caen, FR) [dblp]
  • Falko Dressler (Universität Erlangen-Nürnberg, DE) [dblp]
  • Anja Feldmann (TU Berlin, DE) [dblp]
  • Ali Fessi (TU München, DE)
  • Ulrich Flegel (SAP SE - Karlsruhe, DE) [dblp]
  • Dirk Haage (Universität Tübingen, DE)
  • Bernhard Hämmerli (Acris GmbH, Luzern, CH)
  • Peter Herrmann (NTNU - Trondheim, NO) [dblp]
  • Ralph Holz (Universität Tübingen, DE) [dblp]
  • Thorsten Holz (Universität Mannheim, DE) [dblp]
  • Marko Jahnke (FGAN - Wachtberg, DE) [dblp]
  • Richard A. Kemmerer (University of California - Santa Barbara, US) [dblp]
  • Engin Kirda (Institut Eurécom, Sophia-Antipolis Cedex, FR) [dblp]
  • Jan Kohlrausch (DFN-CERT Services GmbH, DE) [dblp]
  • Hartmut König (BTU Cottbus, DE) [dblp]
  • Christopher Kruegel (University of California - Santa Barbara, US) [dblp]
  • Pavel Laskov (Universität Tübingen, DE) [dblp]
  • Tobias Limmer (Universität Erlangen-Nürnberg, DE)
  • Norbert Luttenberger (Universität Kiel, DE)
  • Michael Meier (TU Dortmund, DE) [dblp]
  • Stephan Neuhaus (Universität des Saarlandes, DE)
  • Konrad Rieck (Fraunhofer Institut - Berlin, DE) [dblp]
  • Sebastian Schmerl (BTU Cottbus, DE) [dblp]
  • Radu State (University of Luxembourg, LU) [dblp]
  • James P. G. Sterbenz (University of Kansas - Lawrence, US) [dblp]
  • Jens Tölle (Fraunhofer FKIE - Wachtberg, DE) [dblp]
  • Michael Vogel (BTU Cottbus, DE)
  • Stephen Wolthusen (Royal Holloway University of London, GB) [dblp]
  • Tanja Zseby (Fraunhofer FOKUS - Berlin, DE) [dblp]

Related Seminars
  • Dagstuhl Seminar 12061: Network Attack Detection and Defense Early Warning Systems - Challenges and Perspectives (2012-02-05 - 2012-02-10) (Details)

  • security / cryptography
  • networks

  • Intrusion detection and prevention
  • attack response and countermeasures
  • reactive security
  • automated security
  • survivability and self-protection
  • malware
  • vulnerability analysis
  • risk assessment
  • network monitoring
  • flow analysis
  • denial of service detection and response
  • event correlation