monk-it – Efficient distributed monitoring, attack detection, and event correlation


The number, rate, and quality of attacks is steadily increasing with the enormous growth of the Internet, its concurrent users and services. The best-known examples are viruses and worms, which are reaching alarming scales. The Federal Office for Information Security (BSI) identified these threats and initiated the development of a national early warning system for Germany. This system should be able to detect and analyze attacks and to initiate adequate response measures. In general, such an early warning system has high demands on its timeliness and flexibility while it must be able to handle increasing amounts of data.
The monk-it project aims to develop, to implement, and to integrate two main building blocks for the described early warning system: an efficient network monitoring system working in a distributed environment for subsequent attack detection and event correlation techniques at higher layers. Passive network monitoring is a challenging task in current multi-gigabit networks. In the scope of this project, novel algorithms are investigated for the load-dependent re-configuration of distributed monitoring stations. Additionally, selected attack detection mechanisms, so named pre-processors, are moved directly into the monitoring task in order to reduce the amount of monitoring data to be analyzed at a central detection system. The final goal is to develop an „intelligent“ self-organizing monitoring environment, which supports and simplifies further attack analysis.
Independently of the detection of singular attacks, the visibility of such attacks can be limited in the overall network. Event correlation techniques aim at producing more informative conclusions based on non-correlated single measures. This basically helps to detect distributed attacks and to enforce adequate countermeasures.
Altogether, both modules represent powerful parts of the envisioned early warning system. In order to simplify the use and the integration, standardized formats and protocols will be consequently used. Thus the project also encourages active participation in the IETF standardization processes.


    2007-01-01 – 2010-09-30



  1. Tobias Limmer und Falko Dressler, „Flow-based TCP Connection Analysis,“ Proc. of 28th IEEE Intern. Performance Computing and Communications Conference, 2nd IEEE Intern. Workshop on Information and Data Assurance, Phoenix, AZ, USA, Dezember 2009
  2. Tobias Limmer und Falko Dressler, „Flow-based Front Payload Aggregation,“ Proc. of 34th IEEE Conf. on Local Computer Networks : 4th IEEE LCN Workshop on Network Measurements, Zurich, Switzerland, pp. 1102-1109, Oktober 2009
  3. David Eckhoff, Tobias Limmer und Falko Dressler, „Hash Tables for Efficient Flow Monitoring: Vulnerabilities and Countermeasures,“ 34th IEEE Conference on Local Computer Networks (LCN 2009): 4th IEEE LCN Workshop on Network Measurements (WNM 2009), Zurich, Switzerland, pp. 1087-1094, Oktober 2009  
  4. Tobias Limmer und Falko Dressler, „Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems,“ Friedrich-Alexander-Universität, technischer Report 1, 2008
  5. Tobias Limmer und Falko Dressler, „Distributed monitoring and analysis for reactive security,“ Proceedings of SPRING – GI/SIDAR Graduierten-Workshop über Reaktive Sicherheit, Dortmund, Germany, Juli 2007
  6. Falko Dressler, Wolfgang Jaegers und Reinhard German, „Flow-based Worm Detection using Correlated Honeypot Logs,“ Proc. of 15. GI/ITG Fachtagung Kommunikation in Verteilten Systemen, Bern, Switzerland, pp. 181-186, Februar 2007
  7. Jochen Kaiser, Alexander Vitzthum, Peter Holleczek und Falko Dressler, „Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software,“ Proc. of GI SIDAR International Conference on IT-Incident Management & IT-Forensics, Berlin, Stuttgart, Germany, pp. 92-103, Oktober 2006
  8. Ronny T. Lampert, Christoph Sommer, Gerhard Münz und Falko Dressler, „Vermont – A Versatile Monitoring Toolkit Using IPFIX/PSAMP,“ Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation, Tübingen, Germany, pp. 62-65, September 2006
  9. Falko Dressler, Reinhard German und Peter Holleczek, „Selbstorganisierende Netzwerksensoren und automatisierte Ereigniskorrelation,“ Proc. of BSI-Workshop IT-Frühwarnsysteme, Bonn, Germany, pp. 117-128, Juli 2006
  10. Jochen Kaiser, Alexander Vitzthum, Peter Holleczek und Falko Dressler, „Ein Sicherheitsportal zur Selbstverwaltung und automatischen Bearbeitung von Sicherheitsvorfällen als Schlüsseltechnologie gegen Masseninfektionen,“ Proc. of SPRING – GI/SIDAR, Berlin, Germany, Juli 2006