Publications

Journal and magazine articles

1. TDSC

   Behavior-Based Anomaly Detection in Log Data of Physical Access Control Systems

   Skopik, Florian,  Wurzenberger, Markus, Höld, Georg, Landauer, Max, and Kuhn, Walter

   IEEE Transactions on Dependable and Secure Computing 2022

   Abs Bib HTML PDF Code Website

   Behavior-based anomaly detection (AD) approaches for enterprise-IT security are not easily applicable to other domains, such as embedded devices and IoT nodes in cyber-physical systems. AD approaches are usually highly optimized for specific purposes, tightly bound to domain-specific technologies and rely on a specific syntax of investigated data. Data from cyber-physical systems is however highly diverse, often poorly documented and not easily ingested for automated analysis. AECID provides an anomaly detection approach, that monitors unstructured textual event data (i.e., log data), and implements self-learning for autonomous operation. A parser generator establishes a model of normal system behavior on top of observed events, which then can be leveraged to detect anomalies as deviations from that baseline. The unsupervised anomaly detection approaches of AECID apply machine learning techniques to perform sequence analysis, correlation analysis and statistical tests of events represented in log data. This paper discusses AECID’s applicability in a building security system use case. A proof of concept demonstrates the effective detection of anomalies in log data of a building access control system stemming from card misuse, including stolen access cards and cloned cards.

   @article{9852310,
     author = {Skopik, Florian and Wurzenberger, Markus and H\"{o}ld, Georg and Landauer, Max and Kuhn, Walter},
     journal = {IEEE Transactions on Dependable and Secure Computing},
     title = {Behavior-Based Anomaly Detection in Log Data of Physical Access Control Systems},
     year = {2022},
     volume = {},
     number = {},
     pages = {1-18},
     doi = {10.1109/TDSC.2022.3197265},
     publisher = {IEEE Computer Society},
   }

2. TOPS

   Dealing with Security Alert Flooding: Using Machine Learning for Domain-Independent Alert Aggregation

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, and Rauber, Andreas

   ACM Trans. Priv. Secur. Apr 2022

   Abs Bib HTML PDF Code Website Data

   Intrusion Detection Systems (IDS) secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF that include IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs that frequently lack such network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alerts and alert groups. Based on these metrics and techniques we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around 80% and assigning attack classifiers to the groups with true positive rates of 80% and false positive rates lower than 5%.

   @article{10.1145/3510581,
     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Rauber, Andreas},
     title = {Dealing with Security Alert Flooding: Using Machine Learning for Domain-Independent Alert Aggregation},
     year = {2022},
     issue_date = {August 2022},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     volume = {25},
     number = {3},
     issn = {2471-2566},
     url = {https://doi.org/10.1145/3510581},
     doi = {10.1145/3510581},
     journal = {ACM Trans. Priv. Secur.},
     month = apr,
     articleno = {18},
     numpages = {36},
   }

3. IEE S&P

   Blind Spots of Security Monitoring in Enterprise Infrastructures: A Survey

   Skopik, Florian, Landauer, Max, and Wurzenberger, Markus

   IEEE Security & Privacy Forth coming 2022

   Abs Bib HTML PDF Website

   Cybersecurity monitoring today is laborious but straightforward: dump network traces at chokepoints in a network, collect log files from services, feed both to a proper security information and event management solution, and get alerted if something suspicious happens, right? Wrong!

   @article{9667540,
     author = {Skopik, Florian and Landauer, Max and Wurzenberger, Markus},
     journal = {IEEE Security \& Privacy},
     title = {Blind Spots of Security Monitoring in Enterprise Infrastructures: A Survey},
     year = {2022},
     month = {forth coming},
     volume = {},
     number = {},
     pages = {2-10},
     doi = {10.1109/MSEC.2021.3133764},
     publisher = {IEEE Computer Society},
   }

4. ERCIM

   Kyoushi Testbed Environment: A Model-driven Simulation Framework to Generate Open Log Data Sets for Security Evaluations

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, and Hotwagner, Wolfgang

   ERCIM News Apr 2022

   Abs Bib HTML PDF Code Website Data

   Cyber security leverages intrusion detection systems that analyse log data and network traffic to disclose suspicious activities and protect networks against cyberattacks. Verifying the functionality and measuring the effectiveness of these detection systems is not trivial, since it usually is not desirable to launch actual attacks in an organisation’s productive infrastructure. Therefore, such evaluations are often carried out in isolated testbeds, i.e., simulated networks comprising components and applications that are representative of their real-world counterparts in terms of configuration, scale, and utilisation. However, setting up and maintaining such testbeds is complex and labour-intensive, particularly when experiments are required to be reproducible and adaptable. To alleviate these issues, we developed the Kyoushi Testbed Environment, an open-source simulation framework that enables automatic and parallel testbed instantiation through model-driven design, simulation of normal user activities to generate a baseline workload, injection of attack scenarios with variations, and labelling of collected log data.

   @article{ercimkyoushi,
     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang},
     journal = {ERCIM News},
     title = {Kyoushi Testbed Environment: A Model-driven Simulation Framework to Generate Open Log Data Sets for Security Evaluations},
     year = {2022},
     month = apr,
     volume = {129},
     publisher = {ERCIM - The European Research Consortium for Informatics and Mathematics},
     issn = {0926-4981},
   }

5. IEE S&P

   Online Log Data Analysis With Efficient Machine Learning: A Review

   Skopik, Florian, Landauer, Max, and Wurzenberger, Markus

   IEEE Security & Privacy May 2022

   Abs Bib HTML PDF Code Website

   Logs are incrementally produced textual data that reflect events and their impact on technical systems. Their efficient analysis is key for operational cybersecurity. We investigate approaches beyond applying simple regular expressions and provide insights into novel machine learning mechanisms for parsing and analyzing log data for online anomaly detection.

   @article{9563044,
     author = {Skopik, Florian and Landauer, Max and Wurzenberger, Markus},
     journal = {IEEE Security \& Privacy},
     title = {Online Log Data Analysis With Efficient Machine Learning: A Review},
     year = {2022},
     volume = {20},
     number = {03},
     issn = {1558-4046},
     pages = {80-90},
     doi = {10.1109/MSEC.2021.3113275},
     publisher = {IEEE Computer Society},
     address = {Los Alamitos, CA, USA},
     month = may,
   }

6. IEE S&P

   The Seven Golden Principles of Effective Anomaly-Based Intrusion Detection

   Skopik, Florian, Landauer, Max, and Wurzenberger, Markus

   IEEE Security & Privacy Sep 2021

   Abs Bib HTML PDF Code Website

   The MITRE ATT&CK framework counts 530 ways to exploit enterprise systems—and every month new techniques are added. Cybersecurity vendors continuously offer new detective solutions, but purchasing, deploying, and maintaining a specific product is expensive. It’s time to reflect on the underlying principles of effective anomaly-based intrusion detection.

   @article{9478869,
     author = {Skopik, Florian and Landauer, Max and Wurzenberger, Markus},
     journal = {IEEE Security \& Privacy},
     title = {The Seven Golden Principles of Effective Anomaly-Based Intrusion Detection},
     year = {2021},
     volume = {19},
     number = {05},
     issn = {1558-4046},
     pages = {36-45},
     keywords = {intrusion detection;privacy;malware;monitoring;computer security;reliability},
     doi = {10.1109/MSEC.2021.3090444},
     publisher = {IEEE Computer Society},
     address = {Los Alamitos, CA, USA},
     month = sep,
   }

7. TREL

   Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   IEEE Transactions on Reliability Mar 2021

   Abs Bib HTML PDF Website Data

   Evaluations of intrusion detection systems (IDS) require log datasets collected in realistic system environments. Existing testbeds therefore offer user simulations and attack scenarios that target specific use-cases. However, not only does the preparation of such testbeds require domain knowledge and time-consuming work, but also maintenance and modifications for other use-cases involve high manual efforts and repeated execution of tasks. In this article, we therefore propose to generate testbeds for IDS evaluation using strategies from model-driven engineering. In particular, our approach models system infrastructure, simulated normal behavior, and attack scenarios as testbed-independent modules. A transformation engine then automatically generates arbitrary numbers of testbeds, each with a particular set of characteristics and capable of running in parallel. Our approach greatly improves configurability and flexibility of testbeds and allows to reuse components across multiple scenarios. We use our proof-of-concept implementation to generate a labeled dataset for IDS evaluation that is published with this article.

   @article{9262078,
     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas},
     journal = {IEEE Transactions on Reliability},
     title = {Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed},
     year = {2021},
     volume = {70},
     number = {1},
     pages = {402-415},
     doi = {10.1109/TR.2020.3031317},
     month = mar,
     publisher = {IEEE},
   }

8. ERCIM

   DECEPT: Detecting Cyber-Physical Attacks using Machine Learning on Log Data

   Skopik, Florian,  Wurzenberger, Markus, and Landauer, Max

   ERCIM News Oct 2020

   Abs Bib HTML PDF Website

   Most current security solutions are tailored to protect against a narrow set of security threats and can only be applied to a specific application domain. However, even very different domains share commonalities, indicating that a generally applicable solution, to achieve advanced protection, should be possible. In fact, enterprise IT, facility management, smart manufacturing, energy grids, industrial IoT, fintech, and other domains, operate interconnected systems, which follow predefined processes and are employed according to specific usage policies. The events generated by the systems governed by these processes are usually recorded for maintenance, accountability, or auditing purposes. Such records contain valuable information that can be leveraged to detect any inconsistencies or deviations in the processes, and indicate anomalies potentially caused by attacks, misconfigurations or component failures. However, syntax, semantics, frequency, information entropy and level of detail of these data records vary dramatically and there is no uniform solution yet that understands all the different dialects and is able to perform reliable anomaly detection on top of these data records.

   @article{ercimdecept,
     author = {Skopik, Florian and Wurzenberger, Markus and Landauer, Max},
     journal = {ERCIM News},
     title = {DECEPT: Detecting Cyber-Physical Attacks using Machine Learning on Log Data},
     year = {2020},
     month = oct,
     volume = {123},
     publisher = {ERCIM - The European Research Consortium for Informatics and Mathematics},
     issn = {0926-4981},
   }

9. JISA

   synERGY: Cross-correlation of operational and contextual data to timely detect and mitigate attacks to cyber-physical systems

   Skopik, Florian, Landauer, Max,  Wurzenberger, Markus, Vormayr, Gernot, Milosevic, Jelena, Fabini, Joachim, Prüggler, Wolfgang, Kruschitz, Oskar, Widmann, Benjamin, Truckenthanner, Kevin, Rass, Stefan, Simmer, Michael, and Zauner, Christoph

   Journal of Information Security and Applications Oct 2020

   Abs Bib HTML PDF Code Website

   The degree of sophistication of modern cyber-attacks has increased in recent years, and in the future these attacks will more and more target cyber-physical systems (CPS). Unfortunately, today’s security solutions that are used for enterprise information technology (IT) infrastructures are not sufficient to protect CPS, which have largely different properties, involve heterogeneous technologies, and have an architecture that is tailored to specific physical processes. The objective of the synERGY project was to develop new methods, tools and processes for cross-layer anomaly detection (AD) to enable the early discovery of both cyber- and physical-attacks with impact on CPS. To this end, synERGY developed novel machine learning approaches to understand a system’s normal behaviour and detect consequences of security issues as deviations from the norm. The solution proposed by synERGY are flexibly adaptable to specific CPS layers, thus improving the detection capabilities. Moreover, synERGY interfaces with various organizational data sources, such as asset databases, configuration management, and risk data to facilitate the semi-automatic interpretation of detected anomalies. The synERGY approach was evaluated in a utility provider’s environment. This paper reports on the general architecture and the specific pitfalls that needed to be solved, during the design, implementation and deployment of the synERGY system. We foresee this work to be of benefit for researchers and practitioners, who design and implement security systems that correlate massive data from computer logs, the network or organizational context sources, to timely detect cyber attacks.

   @article{SKOPIK2020102544,
     journal = {Journal of Information Security and Applications},
     volume = {54},
     year = {2020},
     month = oct,
     issn = {2214-2126},
     doi = {https://doi.org/10.1016/j.jisa.2020.102544},
     url = {https://www.sciencedirect.com/science/article/pii/S2214212620300521},
     author = {Skopik, Florian and Landauer, Max and Wurzenberger, Markus and Vormayr, Gernot and Milosevic, Jelena and Fabini, Joachim and Prüggler, Wolfgang and Kruschitz, Oskar and Widmann, Benjamin and Truckenthanner, Kevin and Rass, Stefan and Simmer, Michael and Zauner, Christoph},
     publisher = {Elsevier},
   }

10. C&S

    System log clustering approaches for cyber security applications: A survey

    Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, and Rauber, Andreas

    Computers & Security May 2020

    Abs Bib HTML PDF Website

    Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summarize log data by means of clustering techniques have been proposed. Picking the right approach for a particular application domain is, however, non-trivial, since algorithms are designed towards specific objectives and requirements. This paper therefore surveys existing approaches. It thereby groups approaches by their clustering techniques, reviews their applicability and limitations, discusses trends and identifies gaps. The survey reveals that approaches usually pursue one or more of four major objectives: overview and filtering, parsing and signature extraction, static outlier detection, and sequences and dynamic anomaly detection. Finally, this paper also outlines a concept and tool that support the selection of appropriate approaches based on user-defined requirements.

    @article{LANDAUER2020101739,
      title = {System log clustering approaches for cyber security applications: A survey},
      journal = {Computers & Security},
      volume = {92},
      pages = {101739},
      year = {2020},
      month = may,
      issn = {0167-4048},
      doi = {https://doi.org/10.1016/j.cose.2020.101739},
      url = {https://www.sciencedirect.com/science/article/pii/S0167404820300250},
      author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Rauber, Andreas},
      keywords = {Log clustering, Cyber security, Log mining, Signature extraction, Anomaly detection},
      publisher = {Elsevier},
    }

11. C&S

    Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection

    Landauer, Max,  Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Filzmoser, Peter

    Computers & Security Nov 2018

    Abs Bib HTML PDF Website

    Technological advances and increased interconnectivity have led to a higher risk of previously unknown threats. Cyber Security therefore employs Intrusion Detection Systems that continuously monitor log lines in order to protect systems from such attacks. Existing approaches use string metrics to group similar lines into clusters and detect dissimilar lines as outliers. However, such methods only produce static views on the data and do not sufficiently incorporate the dynamic nature of logs. Changes of the technological infrastructure therefore frequently require cluster reformations. Moreover, such approaches are not suited for detecting anomalies related to frequencies, periodic alterations and interdependencies of log lines. We therefore propose a dynamic log file anomaly detection methodology that incrementally groups log lines within time windows. Thereby, a novel clustering mechanism establishes links between otherwise isolated collections of clusters. Cluster evolution techniques analyze clusters from neighboring time windows and determine transitions such as splits or merges. A self-learning algorithm then detects anomalies in the temporal behavior of these evolving clusters by analyzing metrics derived from their developments. We apply a prototype in an illustrative scenario consisting of a log file containing known anomalies. We thereby investigate the influences of certain parameters on the detection ability and the runtime. The evaluation of this scenario shows that 61.8% of the dynamic changes of log line clusters are correctly identified, while the false alarm rate is only 0.7%. The ability of efficiently detecting these anomalies while self-adjusting to changes of the system environment suggests the applicability of the introduced approach.

    @article{LANDAUER201894,
      title = {Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection},
      journal = {Computers & Security},
      volume = {79},
      pages = {94-116},
      year = {2018},
      month = nov,
      issn = {0167-4048},
      doi = {https://doi.org/10.1016/j.cose.2018.08.009},
      url = {https://www.sciencedirect.com/science/article/pii/S0167404818306333},
      author = {Landauer, Max and Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Filzmoser, Peter},
      publisher = {Elsevier},
    }

12. ERCIM

    synERGY: Detecting Advanced Attacks Across Multiple Layers of Cyber-Physical Systems

    Skopik, Florian,  Wurzenberger, Markus, and Fiedler, Roman

    ERCIM News Jul 2018

    Abs Bib HTML PDF Website

    Today’s security solutions usually address only single architectural layers, and are unable to take account of the full picture. This leads to a system operator having only a limited view regarding the root cause of a cyberattack, which can reduce the overall availability of cyber-physical systems (CPS). Particularly for complex and stealthy multi-stage attacks, an approach is required that correlates information from all CPS layers, including the field area, the SCADA backend, the enterprise IT and the WAN (in the case of large-scale CPS) to promptly react to emerging malicious activities.

    @article{ercimsynergy,
      author = {Skopik, Florian and Wurzenberger, Markus and Fiedler, Roman},
      journal = {ERCIM News},
      title = {synERGY: Detecting Advanced Attacks Across Multiple Layers of Cyber-Physical Systems},
      year = {2018},
      month = jul,
      volume = {114},
      publisher = {ERCIM - The European Research Consortium for Informatics and Mathematics},
      issn = {0926-4981},
    }

13. e&i

    Countering targeted cyber-physical attacks using anomaly detection in self-adaptive Industry 4.0 Systems

    Settanni, Giuseppe, Skopik, Florian,  Wurzenberger, Markus, and Fiedler, Roman

    e & i Elektrotechnik und Informationstechnik May 2018

    Abs Bib Code Website

    This paper presents a novel approach to flexibly control the depth of monitoring applied to CPS-enabled safety-critical infrastructures, to timely detect deviations from the desired operational status, and discusses how the application of anomaly detection (AD) techniques can be further leveraged to automatically adapt the security controls of the infrastructure itself.

    @article{ei2018,
      author = {Settanni, Giuseppe and Skopik, Florian and Wurzenberger, Markus and Fiedler, Roman},
      year = {2018},
      month = may,
      pages = {278--285},
      title = {Countering targeted cyber-physical attacks using anomaly detection in self-adaptive Industry 4.0 Systems},
      volume = {135},
      number = {3},
      journal = {e \& i Elektrotechnik und Informationstechnik},
      doi = {10.1007/s00502-018-0615-6},
      issn = {1613-7620},
      url = {https://doi.org/10.1007/s00502-018-0615-6},
    }

14. ERCIM

    The BÆSE Testbed – Analytic Evaluation of IT Security Tools in Specified Network Environments

    Wurzenberger, Markus, and Florian, Skopik

    ERCIM News Sep 2016

    Abs Bib HTML PDF Website

    Recent years have seen a dramatic increase in damage caused by cyber-criminals. Although there are many IT security tools on the market, there is currently no way to test, compare and evaluate them without actually running them in real systems. The BÆSE testbed offers a solution to challenge and benchmark IT security solutions for dedicated network environments under attack conditions, without putting real systems in danger.

    @article{ercimbaese,
      author = {Wurzenberger, Markus and Florian, Skopik},
      journal = {ERCIM News},
      title = {The BÆSE Testbed – Analytic Evaluation of IT Security Tools in Specified Network Environments},
      year = {2016},
      month = sep,
      volume = {107},
      publisher = {ERCIM - The European Research Consortium for Informatics and Mathematics},
      issn = {0926-4981},
    }

15. IS

    Complex log file synthesis for rapid sandbox-benchmarking of security- and computer network analysis tools

    Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Scherrer, Wolfgang

    Information Systems Aug 2016

    Abs Bib HTML PDF Website

    Today Information and Communications Technology (ICT) networks are a dominating component of our daily life. Centralized logging allows keeping track of events occurring in ICT networks. Therefore a central log store is essential for timely detection of problems such as service quality degradations, performance issues or especially security-relevant cyber attacks. There exist various software tools such as security information and event management (SIEM) systems, log analysis tools and anomaly detection systems, which exploit log data to achieve this. While there are many products on the market, based on different approaches, the identification of the most efficient solution for a specific infrastructure, and the optimal configuration is still an unsolved problem. Today׳s general test environments do not sufficiently account for the specific properties of individual infrastructure setups. Thus, tests in these environments are usually not representative. However, testing on the real running productive systems exposes the network infrastructure to dangerous or unstable situations. The solution to this dilemma is the design and implementation of a highly realistic test environment, i.e. sandbox solution, that follows a different – novel – approach. The idea is to generate realistic network event sequence (NES) data that reflects the actual system behavior and which is then used to challenge network analysis software tools with varying configurations safely and realistically offline. In this paper we define a model, based on log line clustering and Markov chain simulation to create this synthetic log data. The presented model requires only a small set of real network data as an input to understand the complex real system behavior. Based on the input׳s characteristics highly realistic customer specified NES data is generated. To prove the applicability of the concept developed in this work, we conclude the paper with an illustrative example of evaluation and test of an existing anomaly detection system by using generated NES data.

    @article{WURZENBERGER201613,
      title = {Complex log file synthesis for rapid sandbox-benchmarking of security- and computer network analysis tools},
      journal = {Information Systems},
      volume = {60},
      pages = {13-33},
      year = {2016},
      month = aug,
      issn = {0306-4379},
      doi = {https://doi.org/10.1016/j.is.2016.02.006},
      url = {https://www.sciencedirect.com/science/article/pii/S030643791530212X},
      author = {Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Scherrer, Wolfgang},
      publisher = {Elsevier},
    }

Conference papers

2022

1. SAT-CPS’22

   A Framework for Automatic Labeling of Log Datasets from Model-Driven Testbeds for HIDS Evaluation

   Landauer, Max, Frank, Maximilian, Skopik, Florian, Hotwagner, Wolfgang,  Wurzenberger, Markus, and Rauber, Andreas

   In Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems Apr 2022

   Abs Bib HTML PDF Code Website Data

   Intrusion detection systems are essential for network security. To verify their detection capabilities and facilitate comparison, benchmark log datasets are used to measure evaluation metrics such as accuracy and false alarm rates. Thereby, it is necessary that these datasets come with a correct ground truth that differentiates normal and attacker behavior. While it is relatively straightforward to generate labels for network-based datasets by selecting events according to IP addresses of attacker hosts, system logs do not necessarily involve such identifiers and are possibly only recognizable as malicious by their combined occurrences. Even more problems emerge when log data is collected in model-driven testbeds, i.e., automatically generated networks that simulate differently parameterized attack scenarios in diverse infrastructures. In these testbeds, parameters such as IP addresses are subject to change and thus cannot simply be used for matching. We thus propose a framework that integrates template-based labeling rules for model-driven testbeds. In this paper we describe the syntax for rule templates with different query types specifically designed to match sequential or interrelated system log events. An evaluation of our open-source implementation shows that only 27 rules are necessary to assign 15 labels to 8 system log files containing attack manifestations.

   @inproceedings{10.1145/3510547.3517924,
     author = {Landauer, Max and Frank, Maximilian and Skopik, Florian and Hotwagner, Wolfgang and Wurzenberger, Markus and Rauber, Andreas},
     title = {A Framework for Automatic Labeling of Log Datasets from Model-Driven Testbeds for HIDS Evaluation},
     year = {2022},
     month = apr,
     isbn = {9781450392297},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     url = {https://doi.org/10.1145/3510547.3517924},
     doi = {10.1145/3510547.3517924},
     booktitle = {Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems},
     pages = {77–86},
     numpages = {10},
     location = {Baltimore, MD, USA},
     series = {Sat-CPS '22},
   }

2021

1. ESORICS’21

   Iterative Selection of Categorical Variables for Log Data Anomaly Detection

   Landauer, Max, Höld, Georg,  Wurzenberger, Markus, Skopik, Florian, and Rauber, Andreas

   In Computer Security – ESORICS 2021 Oct 2021

   Abs Bib HTML PDF Code Website

   Log data is a well-known source for anomaly detection in cyber security. Accordingly, a large number of approaches based on self-learning algorithms have been proposed in the past. Most of these approaches focus on numeric features extracted from logs, since these variables are convenient to use with commonly known machine learning techniques. However, system log data frequently involves multiple categorical features that provide further insights into the state of a computer system and thus have the potential to improve detection accuracy. Unfortunately, it is non-trivial to derive useful correlation rules from the vast number of possible values of all available categorical variables. Therefore, we propose the Variable Correlation Detector (VCD) that employs a sequence of selection constraints to efficiently disclose pairs of variables with correlating values. The approach also comprises of an online mode that continuously updates the identified variable correlations to account for system evolution and applies statistical tests on conditional occurrence probabilities for anomaly detection. Our evaluations show that the VCD is well adjustable to fit properties of the data at hand and discloses associated variables with high accuracy. Our experiments with real log data indicate that the VCD is capable of detecting attacks such as scans and brute-force intrusions with higher accuracy than existing detectors.

   @inproceedings{10.1007/978-3-030-88418-5_36,
     author = {Landauer, Max and H{\"o}ld, Georg and Wurzenberger, Markus and Skopik, Florian and Rauber, Andreas},
     editor = {Bertino, Elisa and Shulman, Haya and Waidner, Michael},
     title = {Iterative Selection of Categorical Variables for Log Data Anomaly Detection},
     booktitle = {Computer Security -- ESORICS 2021},
     year = {2021},
     month = oct,
     publisher = {Springer International Publishing},
     address = {Cham},
     pages = {757--777},
     isbn = {978-3-030-88418-5},
     series = {26th European Symposium on Research in Computer Security},
     locationb = {Darmstadt, Germany},
   }

2020

1. QRS’20

   Have It Your Way: Generating Customized Log Data Sets with a Model-driven Simulation Testbed

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   In 2020 IEEE 20th International Conference on Software Quality, Reliability and Security (QRS) Dec 2020

   Abs PDF Website Data

   Evaluations of intrusion detection systems (IDS) require log data sets collected in realistic system environments. Existing testbeds therefore offer user simulations and attack scenarios that target specific use-cases. However, not only does the preparation of such testbeds require domain knowledge and time-consuming work, but also maintenance and modifications for other use-cases involve high manual efforts and repeated execution of tasks. We therefore propose to generate testbeds for IDS evaluation using strategies from model-driven engineering. In particular, our approach models system infrastructure, simulated normal behavior, and attack scenarios as testbed-independent modules. A transformation engine then automatically generates arbitrary numbers of testbeds, each with a particular set of characteristics and capable of running in parallel. Our approach greatly improves configurability and flexibility of testbeds and allows to reuse components across multiple scenarios. We use our proof-of-concept implementation to generate a labeled data set for IDS evaluation that is published with this paper.

2. ASIACCS’20

   Creating Character-Based Templates for Log Data to Enable Security Event Classification

   Wurzenberger, Markus, Höld, Georg, Landauer, Max, Skopik, Florian, and Kastner, Wolfgang

   In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security Oct 2020

   Abs Bib HTML PDF Code Website

   Log data analysis is an essential task when it comes to understanding a computer’s or a network’s system behavior, and enables security analysis, fault diagnosis, performance analysis, or intrusion detection. An established technique for log analysis is log line clustering, which allows to group similar events and to detect outliers, malicious clusters or changes in system behavior. However, log line clusters usually lack meaningful descriptions that are required to understand the information provided by log lines within a cluster. Template generators allow to produce such descriptions in form of patterns that match all log lines within a cluster and therefore describe the common features of the lines. Current approaches only allow generation of token-based (e.g., space-separated words) templates, which are often inaccurate, because they do not recognize words that can be spelled differently as similar and require further information on the structure and syntax of the data, such as predefined delimiters. Consequently, novel character-based template generators are required that provide robust templates for any type of computer log data, which can be applied in security information and event management (SIEM) solutions, for continuous auditing, quality inspection and control. In this paper, we propose a novel approach for computing character-based templates, which combines comparison-based methods and heuristics. To achieve this goal, we solve the problem of efficiently calculating a multi-line alignment for a group of log lines and compute an accurate approximation of the optimal character-based template, while reducing the runtime from O(n^m) to O(mn^2). We demonstrate the accuracy of our approach in a detailed evaluation, applying a newly introduced measure for accuracy, the Sim-Score, which can be computed independently from a ground truth, and the established F-Score. Furthermore, we assess the robustness of the algorithm and the influence of different log data properties on the quality of the resulting templates.

   @inproceedings{10.1145/3320269.3384722,
     author = {Wurzenberger, Markus and H\"{o}ld, Georg and Landauer, Max and Skopik, Florian and Kastner, Wolfgang},
     title = {Creating Character-Based Templates for Log Data to Enable Security Event Classification},
     year = {2020},
     month = oct,
     isbn = {9781450367509},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     url = {https://doi.org/10.1145/3320269.3384722},
     doi = {10.1145/3320269.3384722},
     booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and Communications Security},
     pages = {141–152},
     numpages = {12},
     keywords = {template generation, log analysis, multi-line alignment, character-based templates},
     location = {Taipei, Taiwan},
     series = {ASIA CCS '20},
   }

3. ICISSP’20

   Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   In Proceedings of the 6th International Conference on Information Systems Security and Privacy - ICISSP, Feb 2020

   Abs Bib HTML PDF Website

   Monitoring syscall logs provides a detailed view on almost all processes running on a system. Existing approaches therefore analyze sequences of executed syscall types for system behavior modeling and anomaly detection in cyber security. However, failures and attacks that do not manifest themselves as type sequences violations remain undetected. In this paper we therefore propose to incorporate syscall parameter values with the objective of enriching analysis and detection with execution context information. Our approach thereby first selects and encodes syscall log parameters and then visualizes the resulting high-dimensional data using self-organizing maps to enable complex analysis. We thereby display syscall occurrence frequencies and transitions of consecutively executed syscalls. We employ a sliding window approach to detect changes of the system behavior as anomalies in the SOM mappings. In addition, we use SOMs to cluster aggregated syscall data for classification of normal a nd anomalous system behavior states. Finally, we validate our approach on a real syscall data set collected from an Apache web server. Our experiments show that all injected attacks are represented as changes in the SOMs, thus enabling visual or semi-automatic anomaly detection.

   @inproceedings{icissp20,
     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas},
     title = {Visualizing Syscalls using Self-organizing Maps for System Intrusion Detection},
     booktitle = {Proceedings of the 6th International Conference on Information Systems Security and Privacy - ICISSP,},
     year = {2020},
     month = feb,
     pages = {349-360},
     publisher = {SciTePress},
     organization = {INSTICC},
     doi = {10.5220/0008918703490360},
     isbn = {978-989-758-399-5},
     issn = {2184-4356},
     location = {Valletta, Malta},
     series = {6th International Conference on Information Systems Security and Privacy - ICISSP},
   }

2019

1. CYBERHUNT’19

   A Framework for Cyber Threat Intelligence Extraction from Raw Log Data

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   In 2019 IEEE International Conference on Big Data (Big Data) Dec 2019

   Abs Bib HTML PDF Website

   Intrusion Detection Systems (IDS) rely on the availability and correctness of Indicators of Compromise (IoC), i.e., artifacts such as IP addresses that are known to correspond to malicious system activities. However, the simple nature and limited validity of these indicators impairs protection against cyber threats. Tactics, Techniques and Procedures (TTP) provide abstract information on attacker behavior, but are only available in human-readable format that prevents automatic detection using IDSs. In this paper we therefore propose an approach that extracts cyber threat intelligence from raw log data and combines the advantages of IoCs and TTPs by producing detectable patterns of complex system behavior. Other than existing approaches, our approach employs log data anomaly detection to disclose suspicious log events, which are used for iterative clustering, pattern recognition, and refinement. Our evaluations show that automatically extracted threat intelligence corresponding to a multi-step attack is suitable for detection of the same attack on another system.

   @inproceedings{9006328,
     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas},
     booktitle = {2019 IEEE International Conference on Big Data (Big Data)},
     title = {A Framework for Cyber Threat Intelligence Extraction from Raw Log Data},
     year = {2019},
     month = dec,
     pages = {3200-3209},
     doi = {10.1109/BigData47090.2019.9006328},
     organization = {IEEE},
     series = {2019 IEEE International Conference on Big Data (Big Data)},
     location = {Los Angeles, CA, USA},
   }

2. ANNET’19

   AECID-PG: A Tree-Based Log Parser Generator To Enable Log Analysis

   Wurzenberger, Markus, Landauer, Max, Skopik, Florian, and Kastner, Wolfgang

   In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) Apr 2019

   Abs Bib HTML PDF Code Website

   Understanding a computer system’s or network’s behavior is essential for various tasks such as fault diagnosis, intrusion detection or performance analysis. A key source of information describing a system’s current state is log data. However, accessing this information for further analysis is often complicated. Usually, log data is available in form of unstructured text lines and there exists no common standard for the appearance of logs. Hence, log parsers are required to pre-process log lines and structure their information for further analysis. State of the art log parsers still apply pre-defined lists of regular expressions, which are linearly processed and thus render online log analysis infeasible. Furthermore, defining log parsers manually is a cumbersome and time consuming task. Therefore, in this paper we propose AECID-PG, a novel log parser generator. AECID-PG implements a density-based approach to automatically generate a tree-like parser, which reduces the complexity of log parsing from O(n) to O(log(n)). We use real log data to evaluate AECID-PG and compare its parsing capabilities to other parser generator approaches by calculating the F-score. We prove AECID-PG’s broad applicability and finally demonstrate its functionality in a real world setting.

   @inproceedings{8717887,
     author = {Wurzenberger, Markus and Landauer, Max and Skopik, Florian and Kastner, Wolfgang},
     booktitle = {2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)},
     title = {AECID-PG: A Tree-Based Log Parser Generator To Enable Log Analysis},
     year = {2019},
     month = apr,
     organization = {IEEE},
     location = {Washington DC, USA},
     pages = {7-12},
   }

2018

1. ISPEC’18

   Time Series Analysis: Unsupervised Anomaly Detection Beyond Outlier Detection

   Landauer, Max,  Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Filzmoser, Peter

   In Information Security Practice and Experience Sep 2018

   Abs Bib HTML PDF Website

   Anomaly detection on log data is an important security mechanism that allows the detection of unknown attacks. Self-learning algorithms capture the behavior of a system over time and are able to identify deviations from the learned normal behavior online. The introduction of clustering techniques enabled outlier detection on log lines independent from their syntax, thereby removing the need for parsers. However, clustering methods only produce static collections of clusters. Therefore, such approaches frequently require a reformation of the clusters in dynamic environments due to changes in technical infrastructure. Moreover, clustering alone is not able to detect anomalies that do not manifest themselves as outliers but rather as log lines with spurious frequencies or incorrect periodicity. In order to overcome these deficiencies, in this paper we introduce a dynamic anomaly detection approach that generates multiple consecutive cluster maps and connects them by deploying cluster evolution techniques. For this, we design a novel clustering model that allows tracking clusters and determining their transitions. We detect anomalous system behavior by applying time-series analysis to relevant metrics computed from the evolving clusters. Finally, we evaluate our solution on an illustrative scenario and validate the achieved quality of the retrieved anomalies with respect to the runtime.

   @inproceedings{10.1007/978-3-319-99807-7_2,
     author = {Landauer, Max and Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Filzmoser, Peter},
     editor = {Su, Chunhua and Kikuchi, Hiroaki},
     title = {Time Series Analysis: Unsupervised Anomaly Detection Beyond Outlier Detection},
     booktitle = {Information Security Practice and Experience},
     year = {2018},
     month = sep,
     publisher = {Springer International Publishing},
     address = {Cham},
     pages = {19--36},
     isbn = {978-3-319-99807-7},
     location = {Tokyo, Japan},
     series = {14th International Conference on Information Security Practice and Experience (ISPEC 2018)},
   }

2. ICPS’18

   Protecting cyber physical production systems using anomaly detection to enable self-adaptation

   Settanni, Giuseppe, Skopik, Florian, Karaj, Anjeza,  Wurzenberger, Markus, and Fiedler, Roman

   In 2018 IEEE Industrial Cyber-Physical Systems (ICPS) May 2018

   Abs HTML PDF Code Website

   The industrial world is going through its fourth revolution also known as Industry 4.0. Modern industrial processes leverage advanced IT technologies to increase productivity and often combine multiple system concepts such as Internet of Things (IoT), Cyber Physical Systems (CPS) and Cloud Computing. Cyber Physical Production Systems (CPPS) are key enablers of this revolution. In CPPS, raw materials, machines, and operations are interconnected to form a sophisticated network. Protecting them against advanced cyber-threats is a priority concern for the future implementation of Industry 4.0 applications. Any impairment of such systems can lead, in fact, to catastrophic damages resulting in a substantial financial loss for governments, companies, as well as endanger the safety of the society. The need for high availability and reliability of these systems is therefore the pillar guiding our research. This paper proposes the adoption of anomaly detection as a method to support self-adaptation in CPPS and to ensure flexibility, reliability, and protection of industrial environments against modern cyber threats. An anomaly detection mechanism can be employed to monitor, and learn the normal behavior of an industrial system, and to generate alerts when the observed events indicate abnormal activities. On this concept we base our work, and we demonstrate how timely identifying critical security events can enable, through the self-adaptation (e.g., triggering automatic configuration changes), an efficient protection of the CPPS against advanced threats, and an effective containment of their effects.

3. ICISSP’18

   AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models

   Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Fiedler, Roman

   In Proceedings of the 4th International Conference on Information Systems Security and Privacy - ICISSP, Jan 2018

   Abs Bib HTML PDF Code Website

   In recent years, new forms of cyber attacks with an unprecedented sophistication level have emerged. Additionally, systems have grown to a size and complexity so that their mode of operation is barely understandable any more, especially for chronically understaffed security teams. The combination of ever increasing exploitation of zero day vulnerabilities, malware auto-generated from tool kits with varying signatures, and the still problematic lack of user awareness is alarming. As a consequence signature-based intrusion detection systems, which look for signatures of known malware or malicious behavior studied in labs, do not seem fit for future challenges. New, flexibly adaptable forms of intrusion detection systems (IDS), which require just minimal maintenance and human intervention, and rather learn themselves what is considered normal in an infrastructure, are a promising means to tackle today’s serious security situation. This paper introduces ÆCID, a new anomaly-based IDS appr oach, that incorporates many features motivated by recent research results, including the automatic classification of events in a network, their correlation, evaluation, and interpretation up to a dynamically-configurable alerting system. Eventually, we foresee ÆCID to be a smart sensor for established SIEM solutions. Parts of ÆCID are open source and already included in Debian Linux and Ubuntu. This paper provides vital information on its basic design, deployment scenarios and application cases to support the research community as well as early adopters of the software package.

   @inproceedings{icissp18,
     author = {Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Fiedler, Roman},
     title = {AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models},
     booktitle = {Proceedings of the 4th International Conference on Information Systems Security and Privacy - ICISSP,},
     year = {2018},
     month = jan,
     pages = {386-397},
     publisher = {SciTePress},
     organization = {INSTICC},
     doi = {10.5220/0006643003860397},
     isbn = {978-989-758-282-0},
     issn = {2184-4356},
     location = {Funchal, Madeira, Portugal},
     series = {4th International Conference on Information Systems Security and Privacy},
   }

2017

1. ARES’17

   Incremental Clustering for Semi-Supervised Anomaly Detection Applied on Log Data

   Wurzenberger, Markus, Skopik, Florian, Landauer, Max, Greitbauer, Philipp, Fiedler, Roman, and Kastner, Wolfgang

   In Proceedings of the 12th International Conference on Availability, Reliability and Security Aug 2017

   Abs Bib HTML PDF Code Website

   Anomaly detection based on white-listing and self-learning has proven to be a promising approach to detect customized and advanced cyber attacks. Anomaly detection aims at detecting significant deviations from normal system and network behavior. A well-known method to classify anomalous and normal system behavior is clustering of log lines. However, this approach has been applied for forensic purposes only, where log data dumps are investigated retrospectively. In order to make this concept applicable for on-line anomaly detection, i.e., at the time the log lines are produced, some major extensions to existing approaches are required. Especially distance based clustering approaches usually fail building the required large distance matrices and rely on time-consuming recalculations of the cluster-map on every arriving log line. An incremental clustering approach seems suitable to solve this issues. Thus, we introduce a semi-supervised concept for incremental clustering of log data that builds the basis for a novel on-line anomaly detection solution based on log data streams. Its operation is independent from the syntax and semantics of the processed log lines, which makes it generally applicable. We demonstrate that that the introduced anomaly detection approach allows to achieve both a high recall and a high precision while maintaining linear complexity.

   @inproceedings{10.1145/3098954.3098973,
     author = {Wurzenberger, Markus and Skopik, Florian and Landauer, Max and Greitbauer, Philipp and Fiedler, Roman and Kastner, Wolfgang},
     title = {Incremental Clustering for Semi-Supervised Anomaly Detection Applied on Log Data},
     year = {2017},
     month = aug,
     isbn = {9781450352574},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     url = {https://doi.org/10.1145/3098954.3098973},
     doi = {10.1145/3098954.3098973},
     booktitle = {Proceedings of the 12th International Conference on Availability, Reliability and Security},
     articleno = {31},
     numpages = {6},
     keywords = {log line clustering, intrusion detection, anomaly detection},
     location = {Reggio Calabria, Italy},
     series = {ARES '17},
   }

2. CYBCONF’17

   Applying high-performance bioinformatics tools for outlier detection in log data

   Wurzenberger, Markus, Skopik, Florian, Fiedler, Roman, and Kastner, Wolfgang

   In 2017 3rd IEEE International Conference on Cybernetics (CYBCONF) Jun 2017

   Abs arXiv Bib HTML PDF Website

   Most of today’s security solutions, such as security information and event management (SIEM) and signature based IDS, require the operator to evaluate potential attack vectors and update detection signatures and rules in a timely manner. However, today’s sophisticated and tailored advanced persistent threats (APT), malware, ransomware and rootkits, can be so complex and diverse, and often use zero day exploits, that a pure signature-based blacklisting approach would not be sufficient to detect them. Therefore, we could observe a major paradigm shift towards anomaly-based detection mechanisms, which try to establish a system behavior baseline – either based on netflow data or system logging data – and report any deviations from this baseline. While these approaches look promising, they usually suffer from scalability issues. As the amount of log data generated during IT operations is exponentially growing, high-performance analysis methods are required that can handle this huge amount of data in real-time. In this paper, we demonstrate how high-performance bioinformatics tools can be applied to tackle this issue. We investigate their application to log data for outlier detection to timely reveal anomalous system behavior that points to cyber attacks. Finally, we assess the detection capability and run-time performance of the proposed approach.

   @inproceedings{7985760,
     author = {Wurzenberger, Markus and Skopik, Florian and Fiedler, Roman and Kastner, Wolfgang},
     booktitle = {2017 3rd IEEE International Conference on Cybernetics (CYBCONF)},
     year = {2017},
     month = jun,
     pages = {1-8},
     doi = {10.1109/CYBConf.2017.7985760},
     organization = {IEEE},
     location = {Exeter, UK},
     series = {3rd IEEE International Conference on Cybernetics (CYBCONF-2017)},
   }

3. CYBCONF’17

   Acquiring Cyber Threat Intelligence through Security Information Correlation

   Settanni, Giuseppe, Shovgenya, Yegor, Skopik, Florian, Graf, Roman,  Wurzenberger, Markus, and Fiedler, Roman

   In 2017 3rd IEEE International Conference on Cybernetics (CYBCONF) Jun 2017

   Abs Bib HTML PDF Website

   Cyber Physical Systems (CPS) operating in modern critical infrastructures (CIs) are increasingly being targeted by highly sophisticated cyber attacks. Threat actors have quickly learned of the value and potential impact of targeting CPS, and numerous tailored multi-stage cyber-physical attack campaigns, such as Advanced Persistent Threats (APTs), have been perpetrated in the last years. They aim at stealthily compromising systems’ operations and cause severe impact on daily business operations such as shutdowns, equipment damage, reputation damage, financial loss, intellectual property theft, and health and safety risks. Protecting CIs against such threats has become as crucial as complicated. Novel distributed detection and reaction methodologies are necessary to effectively uncover these attacks, and timely mitigate their effects. Correlating large amounts of data, collected from a multitude of relevant sources, is fundamental for Security Operation Centers (SOCs) to establish cyber situational awareness, and allow to promptly adopt suitable countermeasures in case of attacks. In our previous work we introduced three methods for security information correlation. In this paper we define metrics and benchmarks to evaluate these correlation methods, we assess their accuracy, and we compare their performance. We finally demonstrate how the presented techniques, implemented within our cyber threat intelligence analysis engine called CAESAIR, can be applied to support incident handling tasks performed by SOCs.

   @inproceedings{7985754,
     author = {Settanni, Giuseppe and Shovgenya, Yegor and Skopik, Florian and Graf, Roman and Wurzenberger, Markus and Fiedler, Roman},
     booktitle = {2017 3rd IEEE International Conference on Cybernetics (CYBCONF)},
     title = {Acquiring Cyber Threat Intelligence through Security Information Correlation},
     year = {2017},
     month = jun,
     pages = {1-7},
     doi = {10.1109/CYBConf.2017.7985754},
     organization = {IEEE},
     location = {Exeter, UK},
     series = {3rd IEEE International Conference on Cybernetics (CYBCONF-2017)},
   }

2016

1. PST’16

   Correlating cyber incident information to establish situational awareness in Critical Infrastructures

   Settanni, Giuseppe, Shovgenya, Yegor, Skopik, Florian, Graf, Roman,  Wurzenberger, Markus, and Fiedler, Roman

   In 2016 14th Annual Conference on Privacy, Security and Trust (PST) Dec 2016

   Abs Bib HTML PDF Website

   Protecting Critical Infrastructures (CIs) against contemporary cyber attacks has become a crucial as well as complex task. Modern attack campaigns, such as Advanced Persistent Threats (APTs), leverage weaknesses in the organization’s business processes and exploit vulnerabilities of several systems to hit their target. Although their life-cycle can last for months, these campaigns typically go undetected until they achieve their goal. They usually aim at performing data exfiltration, cause service disruptions and can also undermine the safety of humans. Novel detection techniques and incident handling approaches are therefore required, to effectively protect CI’s networks and timely react to this type of threats. Correlating large amounts of data, collected from a multitude of relevant sources, is necessary and sometimes required by national authorities to establish cyber situational awareness, and allow to promptly adopt suitable countermeasures in case of an attack. In this paper we propose three novel methods for security information correlation designed to discover relevant insights and support the establishment of cyber situational awareness.

   @inproceedings{7906940,
     author = {Settanni, Giuseppe and Shovgenya, Yegor and Skopik, Florian and Graf, Roman and Wurzenberger, Markus and Fiedler, Roman},
     booktitle = {2016 14th Annual Conference on Privacy, Security and Trust (PST)},
     title = {Correlating cyber incident information to establish situational awareness in Critical Infrastructures},
     year = {2016},
     month = dec,
     pages = {78-81},
     doi = {10.1109/PST.2016.7906940},
     organization = {IEEE},
     location = {Auckland, New Zealand},
     series = {2016 14th Annual Conference on Privacy, Security and Trust (PST)},
   }

2. MIST’16

   Discovering Insider Threats from Log Data with High-Performance Bioinformatics Tools

   Wurzenberger, Markus, Skopik, Florian, Fiedler, Roman, and Kastner, Wolfgang

   In Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats Oct 2016

   Abs Bib HTML PDF Website

   Since the number of cyber attacks by insider threats and the damage caused by them has been increasing over the last years, organizations are in need for specific security solutions to counter these threats. To limit the damage caused by insider threats, the timely detection of erratic system behavior and malicious activities is of primary importance. We observed a major paradigm shift towards anomaly-focused detection mechanisms, which try to establish a baseline of system behavior – based on system logging data – and report any deviations from this baseline. While these approaches are promising, they usually have to cope with scalability issues. As the amount of log data generated during IT operations is exponentially growing, high-performance security solutions are required that can handle this huge amount of data in real time. In this paper, we demonstrate how high-performance bioinformatics tools can be leveraged to tackle this issue, and we demonstrate their application to log data for outlier detection, to timely detect anomalous system behavior that points to insider attacks.

   @inproceedings{10.1145/2995959.2995973,
     author = {Wurzenberger, Markus and Skopik, Florian and Fiedler, Roman and Kastner, Wolfgang},
     title = {Discovering Insider Threats from Log Data with High-Performance Bioinformatics Tools},
     year = {2016},
     month = oct,
     isbn = {9781450345712},
     publisher = {Association for Computing Machinery},
     address = {New York, NY, USA},
     url = {https://doi.org/10.1145/2995959.2995973},
     doi = {10.1145/2995959.2995973},
     booktitle = {Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats},
     pages = {109–112},
     numpages = {4},
     location = {Vienna, Austria},
     series = {MIST '16},
   }

2015

1. CYBERSA’15

   Establishing national cyber situational awareness through incident information clustering

   Skopik, Florian,  Wurzenberger, Markus, Settanni, Giuseppe, and Fiedler, Roman

   In 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) Jun 2015

   Abs Bib HTML PDF Website

   The number and type of threats to modern information and communication networks has increased massively in the recent years. Furthermore, the system complexity and interconnectedness has reached a level which makes it impossible to adequately protect networked systems with standard security solutions. There are simply too many unknown vulnerabilities, potential configuration mistakes and therefore enlarged attack surfaces and channels. A promising approach to better secure today’s networked systems is information sharing about threats, vulnerabilities and indicators of compromise across organizations; and, in case something went wrong, to report incidents to national cyber security centers. These measures enable early warning systems, support risk management processes, and increase the overall situational awareness of organizations. Several cyber security directives around the world, such as the EU Network and Information Security Directive and the equivalent NIST Framework, demand specifically national cyber security centers and policies for organizations to report on incidents. However, effective tools to support the operation of such centers are rare. Typically, existing tools have been developed with the single organization as customer in mind. These tools are often not appropriate either for the large amounts of data or for the application use case at all. In this paper, we therefore introduce a novel incident clustering model and a system architecture along with a prototype implementation to establish situational awareness about the security of participating organizations. This is a vital prerequisite to plan further actions towards securing national infrastructure assets.

   @inproceedings{7166126,
     author = {Skopik, Florian and Wurzenberger, Markus and Settanni, Giuseppe and Fiedler, Roman},
     booktitle = {2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)},
     title = {Establishing national cyber situational awareness through incident information clustering},
     year = {2015},
     month = jun,
     pages = {1-8},
     doi = {10.1109/CyberSA.2015.7166126},
     organization = {IEEE},
     location = {London, UK},
     series = {2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)},
   }

2. CYBERSA’15

   Beyond gut instincts: Understanding, rating and comparing self-learning IDSs

   Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Fiedler, Roman

   In 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) Jun 2015

   Abs Bib HTML PDF Website

   Today ICT networks are the economy’s vital backbone. While their complexity continuously evolves, sophisticated and targeted cyber attacks such as Advanced Persistent Threats (APTs) become increasingly fatal for organizations. Numerous highly developed Intrusion Detection Systems (IDSs) promise to detect certain characteristics of APTs, but no mechanism which allows to rate, compare and evaluate them with respect to specific customer infrastructures is currently available. In this paper, we present BAESE, a system which enables vendor independent and objective rating and comparison of IDSs based on small sets of customer network data.

   @inproceedings{7166117,
     author = {Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Fiedler, Roman},
     booktitle = {2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)},
     title = {Beyond gut instincts: Understanding, rating and comparing self-learning IDSs},
     year = {2015},
     month = jun,
     pages = {1-1},
     doi = {10.1109/CyberSA.2015.7166117},
     organization = {IEEE},
     location = {London, UK},
     series = {2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)},
   }

Preprints

1. Deep Survey

   Deep Learning for Anomaly Detection in Log Data: A Survey

   Landauer, Max, Onder, Sebastian, Skopik, Florian, and Wurzenberger, Markus

   2022

   Abs arXiv Bib PDF

   Automatic log file analysis enables early detection of relevant incidents such as system failures. In particular, self-learning anomaly detection techniques capture patterns in log data and subsequently report unexpected log event occurrences to system operators without the need to provide or manually model anomalous scenarios in advance. Recently, an increasing number of approaches leveraging deep learning neural networks for this purpose have been presented. These approaches have demonstrated superior detection performance in comparison to conventional machine learning techniques and simultaneously resolve issues with unstable data formats. However, there exist many different architectures for deep learning and it is non-trivial to encode raw and unstructured log data to be analyzed by neural networks. We therefore carry out a systematic literature review that provides an overview of deployed models, data pre-processing mechanisms, anomaly detection techniques, and evaluations. The survey does not quantitatively compare existing approaches but instead aims to help readers understand relevant aspects of different model architectures and emphasizes open issues for future work.

     doi = {10.48550/ARXIV.2207.03820},
     author = {Landauer, Max and Onder, Sebastian and Skopik, Florian and Wurzenberger, Markus},
     keywords = {Machine Learning (cs.LG), FOS: Computer and information sciences, FOS: Computer and information sciences},
     title = {Deep Learning for Anomaly Detection in Log Data: A Survey},
     publisher = {arXiv},
     year = {2022},
     copyright = {Creative Commons Attribution Non Commercial Share Alike 4.0 International},
   }

2. Maintainable LDS

   Maintainable Log Datasets for Evaluation of Intrusion Detection Systems

   Landauer, Max, Skopik, Florian, Frank, Maximilian, Hotwagner, Wolfgang,  Wurzenberger, Markus, and Rauber, Andreas

   2022

   Abs arXiv Bib PDF

   Intrusion detection systems (IDS) monitor system logs and network traffic to recognize malicious activities in computer networks. Evaluating and comparing IDSs with respect to their detection accuracies is thereby essential for their selection in specific use-cases. Despite a great need, hardly any labeled intrusion detection datasets are publicly available. As a consequence, evaluations are often carried out on datasets from real infrastructures, where analysts cannot control system parameters or generate a reliable ground truth, or private datasets that prevent reproducibility of results. As a solution, we present a collection of maintainable log datasets collected in a testbed representing a small enterprise. Thereby, we employ extensive state machines to simulate normal user behavior and inject a multi-step attack. For scalable testbed deployment, we use concepts from model-driven engineering that enable automatic generation and labeling of an arbitrary number of datasets that comprise repetitions of attack executions with variations of parameters. In total, we provide 8 datasets containing 20 distinct types of log files, of which we label 8 files for 10 unique attack steps. We publish the labeled log datasets and code for testbed setup and simulation online as open-source to enable others to reproduce and extend our results.

     doi = {10.48550/ARXIV.2203.08580},
     author = {Landauer, Max and Skopik, Florian and Frank, Maximilian and Hotwagner, Wolfgang and Wurzenberger, Markus and Rauber, Andreas},
     keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},
     title = {Maintainable Log Datasets for Evaluation of Intrusion Detection Systems},
     publisher = {arXiv},
     year = {2022},
     copyright = {Creative Commons Attribution Non Commercial Share Alike 4.0 International},
   }

Books

1. Smart Log Data Analytics: Techniques for Advanced Security Analysis

   Skopik, Florian,  Wurzenberger, Markus, and Landauer, Max

   2021

   Abs Bib Code Website Data

   This book provides insights into smart ways of computer log data analysis, with the goal of spotting adversarial actions. It is organized into 3 major parts with a total of 8 chapters that include a detailed view on existing solutions, as well as novel machine learning techniques that go far beyond state of the art. The first part of this book motivates the entire topic and highlights major challenges, trends and design criteria for log data analysis approaches, and further surveys and compares the state of the art. The second part of this book introduces concepts that apply character-based, rather than token-based, approaches and thus work on a more fine-grained level. Furthermore, these solutions were designed for “online use”, not only forensic analysis, but also process new log lines as they arrive in an efficient single pass manner. An advanced method for time series analysis aims at detecting changes in the overall behavior profile of an observed system and spotting trends and periodicities through log analysis. The third part of this book introduces the design of the AMiner, which is an advanced open source component for log data anomaly mining. The AMiner comes with several detectors to spot new events, new parameters, new correlations, new values and unknown value combinations and can run as stand-alone solution or as sensor with connection to a SIEM solution. More advanced detectors help to determine the characteristics of variable parts of log lines, specifically the properties of numerical and categorical fields. Detailed examples throughout this book allow the reader to better understand and apply the introduced techniques with open source software. Step-by-step instructions help to get familiar with the concepts and to better comprehend their inner mechanisms. A log test data set is available as free download and enables the reader to get the system up and running in no time. This book is designed for researchers working in the field of cyber security, and specifically system monitoring, anomaly detection and intrusion detection. The content of this book will be particularly useful for advanced-level students studying computer science, computer technology, and information systems. Forward-thinking practitioners, who would benefit from becoming familiar with the advanced anomaly detection methods, will also be interested in this book.

   @book{skopik2021smart,
     title = {Smart Log Data Analytics: Techniques for Advanced Security Analysis},
     author = {Skopik, Florian and Wurzenberger, Markus and Landauer, Max},
     year = {2021},
     publisher = {Springer International Publishing},
     doi = {10.1007/978-3-030-74450-2},
     isbn = {978-3-030-74449-6},
     url = {https://doi.org/10.1007/978-3-030-74450-2},
   }

Book chapters

1. Automatic Attack Pattern Mining for Generating Actionable CTI Applying Alert Aggregation

   Wurzenberger, Markus, Landauer, Max, Bajraktari, Agron, and Skopik, Florian

   Apr 2022

   Abs Bib HTML PDF Code Website Data

   Intrusion Detection Systems (IDSs) monitor all kinds of IT infrastructures to automatically detect malicious activities related to cyber attacks. Unfortunately, especially anomaly-based IDS are known to produce large numbers of alerts, including false positives, that often become overwhelming for manual analysis. However, due to a fast changing threat landscape, quickly evolving attack techniques, and ever growing number of vulnerabilities, novel anomaly detection systems that enable detection of unknown attacks are indispensable. Therefore, to reduce the number of alerts that have to be reviewed by security analysts, aggregation methods have been developed for filtering, grouping, and correlating alerts. Yet, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF that includes IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs that frequently lack such network-related data. In this chapter, we present a domain-independent alert aggregation technique that enables automatic attack pattern mining and generation of actionable CTI. The chapter describes the concept of the proposed alert aggregation process as well as a dashboard that enables visualization and filtering of the results. Finally, the chapter demonstrates all features in course of an application example.

   @inbook{Wurzenberger2022,
     author = {Wurzenberger, Markus and Landauer, Max and Bajraktari, Agron and Skopik, Florian},
     editor = {Ko{\l}odziej, Joanna and Repetto, Matteo and Duzha, Armend},
     title = {Automatic Attack Pattern Mining for Generating Actionable CTI Applying Alert Aggregation},
     booktitle = {Cybersecurity of Digital Service Chains: Challenges, Methodologies, and Tools},
     year = {2022},
     month = apr,
     publisher = {Springer International Publishing},
     address = {Cham},
     pages = {136--161},
     isbn = {978-3-031-04036-8},
     doi = {10.1007/978-3-031-04036-8_7},
     url = {https://doi.org/10.1007/978-3-031-04036-8_7},
   }

2. Detecting Unknown Cyber Security Attacks Through System Behavior Analysis

   Skopik, Florian,  Wurzenberger, Markus, and Landauer, Max

   Apr 2022

   Abs Bib HTML PDF Code Website

   For many years signature-based intrusion detection has been applied to discover known malware and attack vectors. However, with the advent of malware toolboxes, obfuscation techniques and the rapid discovery of new vulnerabilities, novel approaches for intrusion detection are required. System behavior analysis is a cornerstone to recognizing adversarial actions on endpoints in computer networks that are not known in advance. Logs are incrementally produced textual data that reflect events and their impact on technical systems. Their efficient analysis is key for operational cyber security. We investigate approaches beyond applying simple regular expressions, and provide insights into novel machine learning mechanisms for parsing and analyzing log data for online anomaly detection. The AMiner is an open source implementation of a pipeline that implements many machine learning algorithms that are feasible for deeper analysis of system behavior, recognizing deviations from learned models and thus spotting a wide variety of even unknown attacks.

   @inbook{Skopik2022,
     author = {Skopik, Florian and Wurzenberger, Markus and Landauer, Max},
     editor = {Ko{\l}odziej, Joanna and Repetto, Matteo and Duzha, Armend},
     title = {Detecting Unknown Cyber Security Attacks Through System Behavior Analysis},
     booktitle = {Cybersecurity of Digital Service Chains: Challenges, Methodologies, and Tools},
     year = {2022},
     month = apr,
     publisher = {Springer International Publishing},
     address = {Cham},
     pages = {103--119},
     isbn = {978-3-031-04036-8},
     doi = {10.1007/978-3-031-04036-8_5},
     url = {https://doi.org/10.1007/978-3-031-04036-8_5},
   }

3. Big Data for Cybersecurity

   Wurzenberger, Markus, Skopik, Florian, and Settanni, Giuseppe

   Apr 2018

   Bib Website

   @inbook{Wurzenberger2018,
     author = {Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe},
     editor = {Sakr, Sherif and Zomaya, Albert},
     title = {Big Data for Cybersecurity},
     booktitle = {Encyclopedia of Big Data Technologies},
     year = {2018},
     publisher = {Springer International Publishing},
     isbn = {978-3-319-63962-8},
     doi = {10.1007/978-3-319-63962-8_163-1},
     url = {https://doi.org/10.1007/978-3-319-63962-8_163-1},
   }

4. From Monitoring, Logging, and Network Analysis to Threat Intelligence Extraction

   Friedberg, Ivo,  Wurzenberger, Markus, Balushi, Abdullah, and Kang, BooJoong

   Apr 2017

   Abs Bib Website

   This chapter provides an introduction into the concepts of information sharing, and introduces different sources of information that are currently used to identify cybersecurity incidents on a system or corporate level. It highlights their benefits and shortcomings and describes the common setup of monitoring infrastructures. The chapter also provides details about analysis methods that combine information from multiple sources in different ways to derive higher-level alerts. These concepts include signature-based approaches, anomaly detection, stateful analysis, and ontologies. As cyber threat intelligence is shared in the form of indicators or threat intelligence reports, asset management is vital for an organization to filter information streams. Effective use of this information requires efficient asset management processes be in place to identify the potentially vulnerable components in the managed network. Centralized logging makes log management much easier and simplifies the correlation of information collected at different locations of a network.

   @inbook{friedberg2017monitoring,
     author = {Friedberg, Ivo and Wurzenberger, Markus and Balushi, Abdullah and Kang, BooJoong},
     editor = {Skopik, Florian},
     title = {From Monitoring, Logging, and Network Analysis to Threat Intelligence Extraction},
     booktitle = { Collaborative Cyber Threat Intelligence: Detecting and Responding to Advanced Cyber Attacks at the National Level},
     year = {2017},
     publisher = {Taylor \& Francis, CRC Press},
     isbn = {9781315397900},
     doi = {10.4324/9781315397900-3},
     url = {https://doi.org/10.4324/9781315397900-3},
   }

Data sets

1. AIT NDS

   AIT Netflow Data Set

   Soro, Francesca, Landauer, Max, Skopik, Florian, Hotwagner, Wolfgang, and Wurzenberger, Markus

   Jun 2022

   Bib Website Data

     author = {Soro, Francesca and Landauer, Max and Skopik, Florian and Hotwagner, Wolfgang and Wurzenberger, Markus},
     title = {AIT Netflow Data Set},
     month = jun,
     year = {2022},
     note = {{M. Landauer, F. Skopik, M. Frank, W. Hotwagner, M. Wurzenberger, and A. Rauber. "Maintainable Log Datasets for Evaluation of Intrusion Detection Systems". arXiv:2203.08580}},
     publisher = {Zenodo},
     doi = {10.5281/zenodo.6610489},
     url = {https://doi.org/10.5281/zenodo.6610489},
   }

2. AIT LDS V2.0

   AIT Log Data Set V2.0

   Landauer, Max, Skopik, Florian, Frank, Maximilian, Hotwagner, Wolfgang,  Wurzenberger, Markus, and Rauber, Andreas

   Feb 2022

   Bib Website Data

     author = {Landauer, Max and Skopik, Florian and Frank, Maximilian and Hotwagner, Wolfgang and Wurzenberger, Markus and Rauber, Andreas},
     title = {AIT Log Data Set V2.0},
     month = feb,
     year = {2022},
     note = {{M. Landauer, F. Skopik, M. Frank, W. Hotwagner, M. Wurzenberger, and A. Rauber. "Maintainable Log Datasets for Evaluation of Intrusion Detection Systems". arXiv:2203.08580}},
     publisher = {Zenodo},
     version = {v2\_0},
     doi = {10.5281/zenodo.5789064},
     url = {https://doi.org/10.5281/zenodo.5789064},
   }

3. KYOUSHI LDS

   Kyoushi Log Data Set

   Landauer, Max, Frank, Maximilian, Skopik, Florian, Hotwagner, Wolfgang,  Wurzenberger, Markus, and Rauber, Andreas

   Dec 2021

   Bib Website Data

     author = {Landauer, Max and Frank, Maximilian and Skopik, Florian and Hotwagner, Wolfgang and Wurzenberger, Markus and Rauber, Andreas},
     title = {Kyoushi Log Data Set},
     month = dec,
     year = {2021},
     note = {{M. Landauer, F. Skopik, M. Wurzenberger, W. Hotwagner and A. Rauber, "Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed," in IEEE Transactions on Reliability, vol. 70, no. 1, pp. 402-415, March 2021, doi: 10.1109/TR.2020.3031317.}},
     publisher = {Zenodo},
     doi = {10.5281/zenodo.5779411},
     url = {https://doi.org/10.5281/zenodo.5779411},
   }

4. AIT LDS V1.1

   AIT Log Data Set V1.1

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   Nov 2020

   Bib Website Data

     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas},
     title = {AIT Log Data Set V1.1},
     month = nov,
     year = {2020},
     note = {{M. Landauer, F. Skopik, M. Wurzenberger, W. Hotwagner and A. Rauber, "Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed," in IEEE Transactions on Reliability, vol. 70, no. 1, pp. 402-415, March 2021, doi: 10.1109/TR.2020.3031317.}},
     publisher = {Zenodo},
     version = {v1\_1},
     doi = {10.5281/zenodo.4264796},
     url = {https://doi.org/10.5281/zenodo.4264796},
   }

5. AIT LDS V1.0

   AIT Log Data Set V1.0

   Landauer, Max, Skopik, Florian,  Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

   Mar 2020

   Bib Website Data

     author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas},
     title = {AIT Log Data Set V1.0},
     month = mar,
     year = {2020},
     note = {{M. Landauer, F. Skopik, M. Wurzenberger, W. Hotwagner and A. Rauber, "Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed," in IEEE Transactions on Reliability, vol. 70, no. 1, pp. 402-415, March 2021, doi: 10.1109/TR.2020.3031317.}},
     publisher = {Zenodo},
     version = {v1\_0},
     doi = {10.5281/zenodo.3723083},
     url = {https://doi.org/10.5281/zenodo.3723083},
   }

Keynotes and invited talks

1. ViSP

   Cyber Security Research Program at AIT: Overview and Insights

   Skopik, Florian, and Wurzenberger, Markus

   at ViSP System Security Research Meetup, Vienna, Austria, December 10, 2021

   Website
2. DEEPSEC’21

   Don’t get hacked, get AMiner! Log Data Analysis for Intrusion Detection

   Skopik, Florian,  Wurzenberger, Markus, and Max, Landauer

   at In-Depth Security Conference Europe (DeepSec) 2021, Vienna, Austria, November 18-19, 2021

   Slides Website
3. BSIDES’19

   AECID: A self-learning Anomaly Detection Approach Based on Light-weight Log Analytics

   Landauer, Max, and Wurzenberger, Markus

   at BSides Vienna 2019, Vienna, Austria, November 30, 2019

   Slides Website
4. ESDC’19

   Applying Machine Learning for System Log Data Analysis

   Wurzenberger, Markus, and Max, Landauer

   at European Security and Defence College (ESDC), Infrastructures in the Context of Digitization Course - ICD (2019-2020/254/1), Vienna, Austria, October 16-18, 2019

   Bib Website

   @misc{IKTSicherheit2019,
     author = {Wurzenberger, Markus and Max, Landauer},
     title = {Applying Machine Learning for System Log Data Analysis},
     year = {at European Security and Defence College (ESDC), Infrastructures in the Context of Digitization Course - ICD (2019-2020/254/1), Vienna, Austria, October 16-18, 2019},
   }

5. IKTSicherheit’19

   Don’t get hacked, get AMiner! Log Data Analysis for Intrusion Detection

   Skopik, Florian,  Wurzenberger, Markus, and Max, Landauer

   at IKT Sicherheitskonferenz 2019, Fürstenfeld, Austria, October 01-02, 2019

   Slides Website

Panels

1. EBDVF’18

   How Can AI Improve Cyber Situational Awareness? (panel participant)

   Wurzenberger, Markus

   In European Big Data Value Forum Nov 2018

   Bib Website

   @inproceedings{ebdvf2018,
     author = {Wurzenberger, Markus},
     title = {How Can AI Improve Cyber Situational Awareness? (panel participant)},
     year = {2018},
     month = nov,
     location = {Vienna, Austria},
     booktitle = {European Big Data Value Forum},
   }

Programm committee memberships

• IWoSeMC-22@CCGrid 2022 3^rd International Workshop on Secure Mobile Cloud Computing (colocated The 22^nd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing); May 16-May 19, 2022; Taormina (Messina), Italy.
• NG-SCO 2021@ARES 2021 3^rd International Workshop on Next Generation Security Operations Centers (NG-SOC 2021) (colocated with The 16^th International Conference on Availability, Reliability and Security); August 17-August 20, 2021; virtual conference.
• IWoSeMC-21@CCGrid 2021 2^nd International Workshop on Secure Mobile Cloud Computing (colocated with The 21^st IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing); May 10-May 13, 2021; Melbourne, Victoria, Australia (virtual conference).
• SecSoft@NetSoft 2020; 2^nd International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures (colocated with The 6^th IEEE International Conference on Network Softwarization); June 29-July 3, 2020; Ghent, Belgium (virtual conference).

Patents

1. AlertAggr_EP

   Verfahren zur Klassifizierung von anomalen Betriebszuständen eines Computernetzwerks ("AlertAggregation EP")

   Landauer, Max, Skopik, Florian, and Wurzenberger, Markus

   EP21197043.9, European Patent pending, September 2021
2. VCD_EP

   Verfahren zur Detektion von anomalen Betriebszuständen eines Computersystems ("Variable Correlation Detector EP")

   Höld, Georg, Landauer, Max,  Wurzenberger, Markus, and Skopik, Florian

   EP21191583.0, European Patent pending, August 2021
3. VTD_EP

   Verfahren zur Detektion von anomalen Betriebszuständen eines Computersystems ("Variable Type Detector EP")

   Höld, Georg,  Wurzenberger, Markus, Landauer, Max, and Skopik, Florian

   EP21181569.1, European Patent pending, June 2021
4. AlertAggr_AT

   Verfahren zur Klassifizierung von anomalen Betriebszuständen eines Computernetzwerks ("AlertAggregation AT")

   Höld, Georg,  Wurzenberger, Markus, Landauer, Max, and Skopik, Florian

   AT 523933 (A51010/2020), Austrian Patent granted, November 2020

   HTML PDF
5. VCD_AT

   Verfahren zur Detektion von anomalen Betriebszuständen eines Computersystems ("Variable Correlation Detector AT")

   Höld, Georg, Landauer, Max,  Wurzenberger, Markus, and Skopik, Florian

   AT 523948 (A50741/2020), Austrian Patent granted, September 2020

   HTML PDF
6. VCD_AT

   Verfahren zur Detektion von anomalen Betriebszuständen eines Computersystems ("Variable Correlation Detector AT")

   Höld, Georg, Landauer, Max,  Wurzenberger, Markus, and Skopik, Florian

   AT 523948 (A50741/2020), Austrian Patent granted, September 2020

   HTML PDF
7. VTD_AT

   Verfahren zur Detektion von anomalen Betriebszuständen eines Computersystems ("Variable Type Detector AT")

   Höld, Georg,  Wurzenberger, Markus, Landauer, Max, and Skopik, Florian

   AT 523829 (A50642/2020), Austrian Patent granted, July 2020

   HTML PDF
8. ClusterTemp_AT

   Verfahren zur Charakterisierung des Betriebszustands eines Computersystems ("Cluster Templates EP")

   Wurzenberger, Markus, Höld, Georg, Landauer, Max, and Skopik, Florian

   EP20160854.4, European Patent pending, March 2020
9. ParserGen_EP

   Verfahren zur Charakterisierung des Zustands eines Computersystems ("Grammatikerkennung EP")

   Wurzenberger, Markus, Landauer, Max, Fiedler, Roman, and Skopik, Florian

   EP3582443, European Patent granted, April 2019

   HTML PDF
10. ClusterTemp_AT

    Verfahren zur Charakterisierung des Betriebszustands eines Computersystems ("Cluster Templates AT")

    Wurzenberger, Markus, Höld, Georg, Landauer, Max, and Skopik, Florian

    A50285/2019, Austrian Patent pending, April 2019
11. TimeSeries_EP

    Method for recognizing abnormal operational states ("Time Series Analysis EP")

    Landauer, Max, Skopik, Florian, and Wurzenberger, Markus

    EP3528162, European Patent granted, January 2019

    HTML PDF
12. ParserGen_AT

    Verfahren zur Charakterisierung des Zustands eines Computersystems ("Grammatikerkennung AT")

    Wurzenberger, Markus, Landauer, Max, Fiedler, Roman, and Skopik, Florian

    AT 521665 (A50461/2018), Austrian Patent granted, June 2018

    HTML PDF
13. PredictMaint_EP

    Method for detecting normal operating states in a working process ("Maschinendatensaetze EP")

    Wurzenberger, Markus, and Skopik, Florian

    EP3396477, European Patent pending, March 2018

    HTML PDF
14. TimeSeries_AT

    Verfahren zur Erkennung von anormalen Betriebszuständen (engl.: Method for detecting anormal operating states) ("Time Series Analysis AT")

    Landauer, Max, Skopik, Florian, and Wurzenberger, Markus

    AT 520746 (A50156/2018), Austrian Patent granted, February 2018

    HTML PDF
15. BioClustering_EP

    Method for detecting anomolous states in a computer network ("Bioclustering EP")

    Fiedler, Roman, Skopik, Florian, and Wurzenberger, Markus

    EP3267625, European Patent granted, July 2017

    HTML PDF
16. PredictMaint_AT

    Verfahren zur Erkennung des normalen Betriebszustands eines Arbeitsprozesses (engl.: Method for detecting normal operating states in a working process) ("Maschinendatensaetze AT")

    Wurzenberger, Markus, and Skopik, Florian

    AT 519777 (A50233/2017), Austrian Patent granted, March 2017

    HTML PDF
17. BioClustering_AT

    Verfahren zur Detektion von anomalen Zuständen in einem Computernetzwerk (engl.: Method for detecting anomolous states in a computer network) ("Bioclustering AT")

    Fiedler, Roman, Skopik, Florian, and Wurzenberger, Markus

    AT 518805 (A50601/2016), Austrian Patent granted, March 2017

    HTML PDF