High Speed Network Monitoring and Analyis




  • collaboration with TU Munich
  • supported by EU project DIADEM
  • supported by BMBF project 3GET
  • supported by Audi AG
  • supported by BSI project monk-it
  • supported by DFG travel grants



The aim of this project is to build an architecture, methods, and tools for distributed network analysis. The HISTORY analysis environment makes it possible to collect information about network traffic and its behavior in distributed high-speed network environments. The employment of standardized protocols (IETF IPFIX, PSAMP, and NSIS) results in an extensible architecture. A main objective is to develop methodologies for handling high amounts of statistics and packet data even with cheap low-end components. A second goal is to search for optimized methodologies for attack and intrusion detection and traceback mechanisms. The emphasis lies on probabilistic methods. Additionally, the distributed analysis of the data in autonomously working simple entities is studied. Visualization techniques and anonymization methods round off the big picture of a visionary environment for all network monitoring and analyzing challenges. All the developed tools will be available under an open source license.

Research Goals and Objectives

  • Cooperative autonomous entities with distributed functioning
  • Emergent behavior through adaptive self-organization
  • Operation in high-speed networks while utilizing standard PC components
  • Wide application range from accounting and charging up to traffic engineering, intrusion detection, and traceback
  • Anonymization techniques for wide applicability

Research Areas

  • Network Monitoring
    netflow accounting and packet sampling
  • Traffic Analysis
    accounting, attack and intrusion detection, and traceback
  • Experimental Environment
    traffic generation, simulation, and automated testbed setup

Selected Publications

  • Tobias Limmer and Falko Dressler, "Seamless Dynamic Reconfiguration of Flow Meters: Requirements and Solutions," Proceedings of 16. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2009), Kassel, Germany, March 2009, pp. 179–190. [DOI, BibTeX, Details...]
  • Tobias Limmer and Falko Dressler, "Survey of Event Correlation Techniques for Attack Detection in Early Warning Systems," Department of Computer Science 7, Technical Report, 01/08, April 2008. [BibTeX, Details...]
  • Falko Dressler, Wolfgang Jaegers and Reinhard German, "Flow-based Worm Detection using Correlated Honeypot Logs," Proceedings of 15. GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2007), Bern, Switzerland, February 2007, pp. 181–186. [BibTeX, Details...]
  • Fabian Haibl and Falko Dressler, "Anonymization of Measurement and Monitoring Data: Requirements and Solutions," Praxis der Informationsverarbeitung und Kommunikation (PIK), vol. 29 (4), pp. 208–213, December 2006. [DOI, BibTeX, Details...]
  • Falko Dressler and Gerhard Münz, "Flexible Flow Aggregation for Adaptive Network Monitoring," Proceedings of 31st IEEE Conference on Local Computer Networks (LCN 2006), 1st IEEE LCN Workshop on Network Measurements (WNM 2006), Tampa, FL, November 2006, pp. 702–709. [DOI, BibTeX, Details...]
  • Jochen Kaiser, Alexander Vitzthum, Peter Holleczek and Falko Dressler, "Automated resolving of security incidents as a key mechanism to fight massive infections of malicious software," Proceedings of GI SIDAR International Conference on IT-Incident Management and IT-Forensics (IMF 2006), vol. LNI P-97, Stuttgart, Germany, October 2006, pp. 92–103. [BibTeX, Details...]
  • Ronny T. Lampert, Christoph Sommer, Gerhard Münz and Falko Dressler, "Vermont - A Versatile Monitoring Toolkit for IPFIX and PSAMP," Proceedings of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tübingen, Germany, September 2006, pp. 62–65. [BibTeX, PDF and Details...]
  • Falko Dressler, "Policy-based traffic generation for IP-based networks," Proceedings of 25th IEEE Conference on Computer Communications (INFOCOM 2006), Poster Session, Barcelona, Spain, April 2006. [BibTeX, Details...]
  • Gerhard Münz, Albert Antony, Falko Dressler and Georg Carle, "Using Netconf for Configuring Monitoring Probes," Proceedings of 12th IEEE/IFIP Network Operations & Management Symposium (NOMS 2006), Poster Session, Vancouver, Canada, April 2006, pp. 1–4. [DOI, BibTeX, Details...]
  • Falko Dressler and Georg Carle, "HISTORY - High Speed Network Monitoring and Analysis," Proceedings of 24th IEEE Conference on Computer Communications (INFOCOM 2005), Poster Session, Miami, FL, March 2005. [BibTeX, Details...]
  • Falko Dressler, Gerhard Münz and Georg Carle, "Attack Detection using Cooperating Autonomous Detection Systems (CATS)," Proceedings of 1st IFIP International Workshop on Autonomic Communication (WAC 2004), Poster Session, Berlin, Germany, October 2004. [BibTeX, Details...]