Kontakt

Universität Oldenburg
Fakultät II – Department für Informatik
Abteilung Safety-Security-Interaction
26111 Oldenburg

Sekretariat

Ingrid Ahlhorn

+49 (0) 441 - 798 2426

I 11 0-014

Industriestrasse 11, 26121 Oldenburg

Safety-Security-Interaction

Herzlich willkommen auf den Webseiten der Abteilung für Safety-Security-Interaction!

Die Abteilung für Safety-Security-Interaction beschäftigt sich mit der Entwicklung theoretisch fundierter Verfahren zur Wahrung der Sicherheit (security) von IT-Systemen im Kontext sicherheitskritischer Systeme und des Internets der Dinge. Schwerpunkt ist die Entwicklung von Sicherheitslösungen, welche auf die Kontext-spezifischen Rahmenbedingungen zugeschnitten sind und verschiedenartige Benutzerinteraktionen (interaction) sowie die funktionale Sicherheit (safety) der zu schützenden Systeme berücksichtigen.

Nachrichten

  • Nikkels Fotografie

Erfolgreiche Verteidigung Doktorarbeit von Thijs van Ede

Thijs van Ede hat seine Doktorarbeit mit dem Titel „Comprehending Security Events - Context-Based Identification and Explanation” am 24. November 2023 erfolgreich verteidigt. Herzlichen Glückwunsch!

Am 24. November 2023 hat Thijs van Ede seine Doktorarbeit mit dem Titel „Comprehending Security Events - Context-Based Identification and Explanation” erfolgreich verteidigt.

Die Betreuer der Arbeit waren Prof. Dr. Andreas Peter (Carl von Ossietzky Universität Oldenburg), Prof. Dr. Maarten van Steen (Universität Twente, Niederlande), und Dr. Andrea Continella (Universität Twente, Niederlande).

Ferner waren folgende Kommissionsmitglieder in der Bewertung der Arbeit involviert:

  • Prof. Dr. Giancarlo Guizzardi, Universität Twente, Niederlande (Kommissionsvorsitzender)
  • Prof. Dr. Marieke Huisman, Universität Twente, Niederlande
  • Prof. Dr. Roland van Rijswijk-Deij, Universität Twente, Niederlande
  • Prof. Dr. Herbert Bos, Vrije Universiteit Amsterdam, Niederlande
  • Prof. Dr. Stefano Zanero, Politecnico di Milano, Italien
  • Dr. Marco Caselli, Siemens AG, Deutschland

Es folgt eine kurze Zusammenfassung der Doktorarbeit (auf Englisch):

With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss. As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity. By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization. This detection can be done internally or is outsourced to a Security Operations Center (SOC). The SOC deploys automated detectors that monitor devices and network traffic for suspicious events, which are subsequently sent to the SOC. Here, security operators manually analyze these events, verify whether they constitute an attack and, if required, take action.

Analyzing security events is not straightforward and requires highly skilled operators. We identified three major challenges that operators face during analysis:

  1. Operators need to invest time to keep up with the latest developments in attack patterns to accurately identify threats and find appropriate mitigations.
  2. Operators analyze a vast number of events, which often leads to alert fatigue where operators investigate so many events it impairs their ability to correctly distinguish malicious behavior from falsely flagged events.
  3. Operators require sufficient contextual information to assess security events.

This work aims to better understand security events and applies that knowledge to develop approaches that assist (semi-)automated analysis. Concretely, we first investigate the process of sharing threat intelligence through reports describing high-level tactics and techniques used by attackers. In doing so, we develop a natural language processing framework that automatically extracts actionable threat intelligence and classifies it into the ATT&CK knowledge base, a framework describing threat models and methodologies. Second, we study the event investigation process known as triaging. Here, we develop an approach that semi-automatically analyses security events in the context of other security events to determine the overall risk level. Third, we deeper investigate security events on the network level and devise an approach that clusters encrypted network traffic according to the application that produced it. This allows security operators a deeper understanding of network traffic and allows them to more effectively block malicious activity. Finally, we perform a case study where we apply the methods developed in this work to the domain of identity and access management policies to identify misconfigurations. This case study demonstrates the potential for our methods in future work.

Combining these findings, we conclude that these approaches bring us a step closer to understanding security events and providing adequate responses.

Link zur Doktorarbeit:

Webmaster (Stand: 20.08.2024)  | 
Zum Seitananfang scrollen Scroll to the top of the page