Dominic Windisch

Automating Human Workflow in Ids Analysis Dominic Windisch

Revision with unchanged content. Nowadays Intrusion Detection Systems (IDS) are still relying on human analysts, fulfilling the task of attack detection. The alarm overload produced by said systems requires a relief of the analyst's daily workload. After an introduction to network security, the book presents an approach based on finite state machines (FSM), showing that human analysis behavior can be modeled directly from IDS log data. The specific alarm data alone revealed lacking information needed for the chosen Text Classification approach to create an operational decision model for the FSM. Further research is necessary. Rationales and suggestions to solve the problems are discussed. This work was written as Diploma Thesis at the Department of Informatics, University of Zurich in collaboration with Swisscom Innovations Inc, Bern, where this is also a spearhead of ongoing and future research in the area of traffic to protocol state machine reverse engineering.