Anomaly Detection

Contacts: Aubrey-Derrick Schmidt, Seyit Ahmet Camtepe


Targeted (personalized) attacks and malware are a prevalent threat to today's computer systems. Signature-based approaches, as known from anti-virus software and misuse-based Intrusion Detection Systems (IDS), counter known attacks and malware efficiently by checking for known patterns. This keeps both the false-positive rate and the number of missed detections on known threats very low. While they work well on known threats, these systems have problems with unknown attacks, which may be old malware that simply has no signature yet as well as 0-day attacks. To counter these unknown threats, Intrusion Detection Systems based on anomaly detection were developed. These systems mostly use machine learning approaches that learn the normal behavior of a system and generate alerts whenever something abnormal happens. Current anomaly-based systems still face several challenges that need to be addressed in research.

One major problem is the number of false positives generated. Human perception of normality may include events that recur only once in decades or once in a lifetime, whereas an anomaly-based detection system learns normality from a training phase that is far shorter; a rare event that did not occur during that phase will typically be reported as abnormal. The shorter the training phase, the more likely such false positives on rare events become. Another problem is that most things change over time, meaning every anomaly-based system needs mechanisms that allow it to relearn based on the current normality. However, whenever the system learns, it is vulnerable to learning malicious activity as normal: an attacker who is already active during the learning phase poisons the model. Another important issue is the amount of data such systems have to handle. Handling mass data can even be seen as a separate research direction with several unsolved problems that need to be addressed.
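The following Python example is added here to illustrate the two preceding paragraphs; it is not code from the DAI-Laboratory or from the authors. It uses a constructed stream of event labels (hypothetical names such as "monthly_backup" and "novel_beacon", not real telemetry) and a deliberately simple frequency-based anomaly detector to show three things: a signature database catches the known attack but not the novel one while the anomaly detector flags both; a short training window turns a rare benign event into a false positive; and relearning from a window that already contains attacker activity teaches the detector that the attack is normal.

```python
import copy
from collections import Counter

# Constructed sample events (not real telemetry): each event is a label
# for one observed action on a host. All names are hypothetical.
DAILY_NORMAL = ["login", "read_mail", "open_doc", "browse", "logout"]
RARE_BENIGN = "monthly_backup"   # legitimate, but happens only once a month
KNOWN_ATTACK = "known_dropper"   # matches an existing signature
NOVEL_ATTACK = "novel_beacon"    # no signature exists yet (0-day style)

# --- Signature-based (misuse) detection ----------------------------------
SIGNATURES = {KNOWN_ATTACK}      # hypothetical signature database


def signature_alerts(events):
    """Alert only on events that match a known-bad pattern."""
    return [e for e in events if e in SIGNATURES]


# --- Anomaly-based detection ---------------------------------------------
class FrequencyAnomalyDetector:
    """Learns how often each event type occurred in a training window and
    alerts on events whose relative frequency is below `threshold`.
    Unseen events score 0.0 and are therefore always anomalous."""

    def __init__(self, threshold=0.005):
        self.threshold = threshold
        self.counts = Counter()
        self.total = 0

    def learn(self, events):
        """(Re)learn normality from a window of observed events. Nothing
        here checks whether the window is free of attacker activity."""
        self.counts.update(events)
        self.total += len(events)

    def score(self, event):
        return self.counts[event] / self.total if self.total else 0.0

    def alerts(self, events):
        return [e for e in events if self.score(e) < self.threshold]


def make_stream(days, backup_every=None):
    """`days` days of normal activity, plus a backup every `backup_every` days."""
    stream = []
    for d in range(days):
        stream.extend(DAILY_NORMAL)
        if backup_every and (d + 1) % backup_every == 0:
            stream.append(RARE_BENIGN)
    return stream


def demo_known_vs_novel():
    """Signatures catch the known dropper but miss the novel beacon; the
    anomaly detector flags both, since neither appeared in training."""
    det = FrequencyAnomalyDetector()
    det.learn(make_stream(days=30))
    day = DAILY_NORMAL + [KNOWN_ATTACK, NOVEL_ATTACK]
    return signature_alerts(day), det.alerts(day)


def demo_short_vs_long_training():
    """A one-week training window never contains the monthly backup, so the
    detector flags it (a false positive). A one-year window that saw twelve
    backups accepts it. Returns (alerts_short, alerts_long)."""
    test_day = DAILY_NORMAL + [RARE_BENIGN]
    short = FrequencyAnomalyDetector()
    short.learn(make_stream(days=7))
    long_ = FrequencyAnomalyDetector()
    long_.learn(make_stream(days=365, backup_every=30))
    return short.alerts(test_day), long_.alerts(test_day)


def demo_poisoned_relearning():
    """Relearning from a window that already contains the attacker's daily
    beacon teaches the detector that beaconing is normal. Returns
    (alerts_before, alerts_after_naive_relearn, alerts_after_filtered_relearn)."""
    det = FrequencyAnomalyDetector()
    det.learn(make_stream(days=30))
    # One week in which the compromised host beacons out once per day.
    week = [e for _ in range(7) for e in DAILY_NORMAL + [NOVEL_ATTACK]]
    before = det.alerts(week)
    naive = copy.deepcopy(det)
    naive.learn(week)                                    # unvalidated relearning
    filtered = copy.deepcopy(det)
    filtered.learn([e for e in week if e not in set(before)])  # skip flagged events
    return before, naive.alerts(week), filtered.alerts(week)


if __name__ == "__main__":
    print("signature vs anomaly:", demo_known_vs_novel())
    print("short vs long training:", demo_short_vs_long_training())
    print("relearning:", demo_poisoned_relearning())
```

The filtered relearning in the last demo only refuses to learn from events that already raised an alert, which keeps the beacon anomalous but also means that genuinely new legitimate behavior is never learned without an analyst confirming it; this is exactly the tension between drift and poisoning described above, not a solution to it.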

The Competence Center Security of the DAI-Laboratory conducts research on anomaly-based detection approaches and systems in the domains of mobile security and ambient assisted living. In both domains, comprehensive approaches are continuously advanced, leading to increasingly reliable systems.