Along with the rapid development and extension of IT-Technology, computer and network attacks as well as their countermeasures become more and more complicated. Intrusion detection systems (IDS) have been commonly used in practice for identifying malicious behaviors against protected hosts or network environments. Growing networks and traffic increase the number of detected events heavily. Technical-supported automated analysis becomes necessary for handling the huge amounts of data. High-end hardware provides new possibilities for advanced analysis techniques using a multi-core architecture and In-Memory storage approaches. Furthermore, new attack modeling techniques enable the analysis of weaknesses caused by a combination of multiple vulnerabilities and attack steps. Security Analytics combines modern attack modeling techniques with advanced detection and correlation methods using high-end hardware with up to 2 TB of main memory and multi-core architecures. 

Correlation of Alerts

Research Topics

Correlation and Pattern Matching - IDS Sensors and Log Gatherers create a large number of security related events which may be caused by serious attacks on the network. This stream of events needs to be analyzed and refined by technical means, as manual processing is far to complex and time consuming. Correlation and pattern matching can be used to infer from related events that specific attack scenarios have been carried out on the protected network.

Attack Graph Workflow - Gathering information, constructing an Attack Graph, as well as visualizing and analyzing the graph are the three steps of the workflow. Improving the different phases of the workflow as well as combining the workflow with IDS is a research topic at HPI.

IDS Management - Efficient Intrusion Detection System Management (IDSM) is an important capability for distributed IDS solutions, which makes it possible to integrate and handle different types of sensors or collect and synthesize alerts generated from multiple hosts in a distributed environment. Improving the efficiency of IDS Management is a research goal at HPI.

Virtualization and IDS - The concept of virtualization has been introduced into many popular IDS implementations, due to the advantage on isolation and fast recovery in case of being compromised as well as its applicability in emerging concepts, such as Cloud Computing. Advancing the capabilities for combining these newly emerged Virtual Machine (VM) based IDS approaches is another research topic at HPI.

IDS in the Cloud - The concept of Cloud computing yields multiple unsovled security problems. Securing a Cloud infrastrcuture using IDS Sensors and management is one of the research topics focused in this project.

Visualization and Collaboration - Visualizing the correlation results and the security-relevant events in general is essential for an effective defense of sophisticated attacks. Visualizating results and collaboration in security operations is a focus in this research project.

Selection of Relevant Publications

    • F. Cheng, A. Azodi, D. Jaeger, Ch. Meinel
      Multi-Core Supported High Performance Security Analytics,
      Proc. of the 13th IEEE International Conference on Scalable Computing and Communication (ScalCom'13), Chengdu, China, December 20-22, 2013 (to appear)
    • A. Azodi, D. Jaeger, F. Cheng, Ch. Meinel
      A New Approach to Building a Multi-Tier Direct Access Knowledgebase For IDS/SIEM Systems,
      Proc. of the 11th IEEE InternationalConference on Dependable, Autonomic and Secure Computing (DASC'13), Chengdu, China, December 20-22, 2013 (to appear)
    • F. Cheng, A. Azodi, D. Jaeger, Ch. Meinel
      Security Event Correlation Supported by Multi-Core Architecture,
      Proc. of the 3rd IEEE  International Conference on IT Convergence and Security (ICITS'13), Macau, China, December16-18, 2013 (to appear)
    • A. Sapegin, D. Jaeger, A. Azodi, M. Gawron, F. Cheng, Ch. Meinel
      Hierarchical Object Log Format for Normalisation of Security Events,
      Proc. of the 9th International Conference on Information Assurance and Security (IAS'13), Tunis, Tunisia, December 04-06, 2013 (to appear) 
    • S. Roschke, F. Cheng, Ch. Meinel
      BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes
      Proc. 12th IFIP/IEEE IM'11, IEEE Press, Dublin, Ireland, 2011.
    • S. Roschke, F. Cheng, Ch. Meinel
      Using Vulnerability Information and Attack Graphs for Intrusion Detection
      Proc. 6th IAS'10, IEEE Press, Atlanta, United States, 2010, pp. 104-109.
    • S. Roschke, F. Cheng, Ch. Meinel
      Intrusion Detection in the Cloud
      Proc. Workshop SCC'09 (in conjunction with 8th PICom), IEEE Press, Chengdu, China, December, 2009.
    • F. Cheng, S. Roschke, Ch. Meinel 
      Implementing IDS Management on Lock-Keeper 
      Proc. 4th ISPEC'09, Springer LNCS 5451, Xi'an (China), 2009, pp. 360-371.






  • Prof. Dr. Christoph Meinel
  • Dr. rer. nat. Feng Cheng
  • David Jaeger, MSc.
  • Andrey Sapegin
  • Marian Gawron, MSc.
  • Dr. Sebastian Roschke (till Oct. 2012)
  • Amir Azodi, MSc. (till Nov. 2015)
  • Richard Meissner - MSc. Student (till Jul. 2013)
  • Seraj Fayyad, MSc. (till Sept. 2012)
  • Bjoern Groneberg - Student (till Sept. 2011)
  • Martin Kreichgauer - Student (Masterprojekt)
  • Michael Frister - Student (Masterprojekt)
  • Florian Thomas - Student (Masterprojekt)
  • Felix Leupold - Student (till Oct. 2010)

Other Links

... to our Research
              Security Engineering - Learning & Knowledge Tech - Design Thinking - former
... to our Teaching
              Tele-Lectures - MOOCs - Labs - Systems 
... to our Publications
              Books - Journals - Conference-Papers - Patents
... and to our Annual Reports.