
Cloud-Native Security


Despite Intrusion Detection Systems (IDSes) becoming more and more sophisticated, their users still struggle with a high number of false-positive alarms and over-alerting, one of many factors that lead to alarm fatigue.


Existing security solutions for rapidly-changing, modern clouds still struggle with too many false-positive alarms. We research methods that provide stronger indicators of compromise and better causal dependencies between events, so that long-running, multi-step cyber attacks can be identified together with context-relevant explanations.

Existing security solutions struggle to keep pace with the ever-increasing complexity of modern cloud applications because they often raise too many false-positive or irrelevant alarms. We envision that the next generation of security solutions must analyze more aspects of applications at runtime and better assess the relevance of security alarms, especially in rapidly-changing and heavily interconnected cloud applications. Research that enables this vision revolves around enriching security alarms with contextual knowledge, establishing causal dependencies between alarms by design, and analyzing security alarms from a variety of data sources.

On the one hand, we focus on designing indicators of compromise that are tailored to the application and carry proper context information. On the other hand, we extend existing intrusion detection algorithms so that they can process data from a variety of sources, while emphasizing causal links instead of simple correlations. Finally, we implement and evaluate most of our prototypes in modern cloud environments that closely mirror production environments.


Our latest research projects cover the following topics: 


  • Reconstruction of long-running, multi-step cyber attacks 
  • Anomaly detection in distributed tracing data 
  • Detection of reconnaissance attempts in web applications 
  • Assessing the severity of vulnerabilities by analyzing their external reachability 
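As an added example that is not part of this page or of Dynatrace's tooling, the following Python script contrasts the two approaches described above: grouping alarms by timestamp proximity versus reconstructing a multi-step attack along explicit causal links (request to span, span to spawned process, process to outbound connection). The event sources, field names, indicator thresholds and the sample telemetry are constructed assumptions for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    """One runtime observation. `parent` is the id of the event that caused it
    (the request a span belongs to, the span a process was started from), as
    recorded by instrumentation; None marks a root with no known cause."""
    id: str
    source: str                # "web", "trace" or "process"
    kind: str                  # "http_request", "span", "exec", "connect"
    parent: Optional[str]
    ts: float
    attrs: dict = field(default_factory=dict)


# Constructed sample data (assumption, not real telemetry): one external request
# that fans out into an internal hop, a shell and a call-back, plus unrelated
# benign activity that happens within the same second.
EVENTS = [
    Event("w1", "web", "http_request", None, 100.0,
          {"path": "/.env", "src_ip": "203.0.113.7"}),
    Event("s1", "trace", "span", "w1", 100.1, {"service": "frontend"}),
    Event("s2", "trace", "span", "s1", 100.2, {"service": "admin-api"}),
    Event("p1", "process", "exec", "s2", 100.4,
          {"workload": "admin-api", "cmd": "/bin/sh -c id"}),
    Event("n1", "process", "connect", "p1", 100.6, {"dst_port": 4444}),
    # unrelated: a backup cron job that legitimately spawns a shell
    Event("c1", "process", "exec", None, 100.3,
          {"workload": "backup-cron", "cmd": "/bin/sh -c tar czf /backup/db.tgz /data"}),
    # unrelated: an ordinary page view
    Event("w2", "web", "http_request", None, 100.5,
          {"path": "/index.html", "src_ip": "198.51.100.3"}),
    Event("s3", "trace", "span", "w2", 100.6, {"service": "frontend"}),
]

# Per-source weak indicators (illustrative assumptions). Each is noisy on its
# own: a shell spawn, for instance, is routine for cron jobs.
RECON_PATHS = {"/.env", "/.git/config", "/wp-login.php"}
SENSITIVE_SERVICES = {"admin-api"}
SUSPICIOUS_PORTS = {4444}


def raise_alarms(events):
    """Return {event_id: alarm_kind} for every event that trips an indicator."""
    alarms = {}
    for e in events:
        a = e.attrs
        if e.source == "web" and a.get("path") in RECON_PATHS:
            alarms[e.id] = "recon"
        elif e.source == "trace" and a.get("service") in SENSITIVE_SERVICES:
            alarms[e.id] = "sensitive_service_reached"
        elif e.kind == "exec" and a.get("cmd", "").startswith("/bin/sh"):
            alarms[e.id] = "shell_spawn"
        elif e.kind == "connect" and a.get("dst_port") in SUSPICIOUS_PORTS:
            alarms[e.id] = "c2_connect"
    return alarms


def causal_chains(events):
    """Follow parent links from each root; one list of event ids per chain,
    in causal (depth-first) order. Dangling parents are treated as roots."""
    by_id = {e.id: e for e in events}
    children = defaultdict(list)
    for e in events:
        if e.parent is not None:
            children[e.parent].append(e.id)
    chains = []
    for root in (e for e in events if e.parent is None or e.parent not in by_id):
        chain, stack = [], [root.id]
        while stack:
            cur = stack.pop()
            chain.append(cur)
            stack.extend(reversed(children[cur]))
        chains.append(chain)
    return chains


def reconstruct_attacks(events, min_stages=2):
    """Causal reconstruction: a chain is reported only when alarms fire at
    several of its steps. Returns one alarm sequence per reported chain."""
    alarms = raise_alarms(events)
    attacks = []
    for chain in causal_chains(events):
        stages = [alarms[i] for i in chain if i in alarms]
        if len(stages) >= min_stages:
            attacks.append(stages)
    return attacks


def time_window_groups(events, window=1.0):
    """Correlation-only baseline: alarms closer than `window` seconds are
    assumed to belong together, whatever caused them."""
    alarms = raise_alarms(events)
    flagged = sorted((e for e in events if e.id in alarms), key=lambda e: e.ts)
    groups, last_ts = [], None
    for e in flagged:
        if last_ts is None or e.ts - last_ts > window:
            groups.append([])
        groups[-1].append(alarms[e.id])
        last_ts = e.ts
    return groups
```

On the sample data, `time_window_groups(EVENTS)` folds the cron job's shell into the same incident as the real attack, because it happened 0.3 s after the reconnaissance request; `reconstruct_attacks(EVENTS)` reports exactly the four-stage chain (recon, sensitive service reached, shell spawn, call-back) and leaves the cron shell as a lone alarm that never reaches `min_stages`. The point is not the indicators themselves but that the parent links give each alarm a reason to be in the chain, which is also what makes the resulting explanation readable to an operator.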

Related publications

Benchmarking Function Hook Latency in Cloud-Native Environments

Researchers and engineers are increasingly adopting cloud-native technologies for application development and performance evaluation. While this has improved the reproducibility of benchmarks in the cloud, the complexity of cloud-native environments makes it difficult to run benchmarks reliably. Cloud-native applications are often instrumented or a...

Mario Kahlhofer, Patrick Kern, Sören Henning, Stefan Rass

| Softwaretechnik-Trends | 2023

Context-Aware Security Intelligence of Vulnerability Scanners in Cloud-native Environments

Even as black-box web vulnerability scanners help identify security vulnerabilities of web applications, they still have problems with false alarms, as they lack insight into the context of applications. Without this supplemental information like the topology of the underlying application or the runtime, scanners cannot precisely assess a threat’s ...

Simon Ammer, Jens Krösche, Markus Gierlinger, Mario Kahlhofer

| ADAPTIVE 2022, The Fourteenth International Conference on Adaptive and Self-Adaptive Systems and Applications | 2022

Rapid Prototyping for Microarchitectural Attacks

In recent years, microarchitectural attacks have been demonstrated to be a powerful attack class. However, as our empirical analysis shows, there are numerous implementation challenges that hinder discovery and subsequent mitigation of these vulnerabilities. In this paper, we examine the attack development process, the features and usability of exi...

Catherine Easdon, Michael Schwarz, Martin Schwarzl, Daniel Gruss

| USENIX Association | 2022

Towards Reconstructing Multi-Step Cyber Attacks in Modern Cloud Environments with Tripwires

Rapidly-changing cloud environments that consist of heavily interconnected components are difficult to secure. Existing solutions often try to correlate many weak indicators to identify and reconstruct multi-step cyber attacks. The lack of a true, causal link between most of these indicators still leaves administrators with a lot of false-positives...

Mario Kahlhofer, Michael Hölzl, Andreas Berger

| Proceedings of the European Interdisciplinary Cybersecurity Conference (EICC) | 2021
