Intrusion Detection and Forensic Analysis


Master Seminar


Summer Semester 2017



Preliminary Meeting:

30.01.2017 at 10:30,

Room: 01.09.14 (Alonzo church)


Prof. Dr. Alexander Pretschner

Mohsen Ahmadvand

Alei Salem






1123 (IN2107)

Max. Number of participants



  • Preliminary meeting's slides
  • If you could not attend the preliminary meeting and you're interested in taking part in the seminar, please send us an email with your name and matriculation number.
  • The exact dates of each phase will be announced via moodle after the registration/matching period.
  • The moodle page will be created after the registration/matching period as well.

Rules for participation and registration

  1. Plagiarism of any form (blatant copy-paste, summarizing some else's ideas/results without reference etc.) will result in immediate expulsion from the course.
  2. All submissions are mandatory. Each submission must fulfill a certain level of quality. Submissions that are just collections of buzzword/keywords or coarse document structures will not be accepted. Failing that will be graded 5.0
  3. Late submissions will invite penalties.
  4. Non-adherence to submission guidelines will invite penalties.
  5. Slides must be discussed with the supervisor at least one week before the presentation. Presentation must be held in English.
  6. Participation and attendance in all seminar presentations is mandatory. Students must read the final submissions of their colleagues and participate in the discussions.
  7. Registration for the seminar takes place by the TUM Online Matching System.
  8. Once successfully registered for the seminar:
    1. Students select at most 3 free available individual seminar topics (see below) of their choice.
    2. Send the selected topics via email in a preferred order from 1 (=most preferred topic) to 3 to Mohsen Ahmadvand and Alei Salem
  9. Once assigned a topic, you will receive a confirmation email.
  10. Students must acknowledge their acceptance of the topic and participation in the seminar latest by March 3rd.
  11. Students willing to quit the seminar must send a cancellation email by April 14th. Students' submissions (or lack thereof) will be graded beyond that date.


Security refers to the employment of a set of defense mechanisms against a set of known attacks (through a defined process). In computer systems, absolute security due to many factors (e.g. cost, time, and usability)is unattainable. That is why attackers will always find their ways into the system. However, it is vital to control the damage after a successful attack. For this matter, we need to be able to determine whether a system is compromised or not. While there are different ways to achieve this goal, in this seminar we will look into the state of the art in integrity checking and intrusion detection fields of study. Furthermore,we will look into methods to reconstruct system states from data gathered during runtime (e.g. logs), and techniques to compare different states, in order to disclose any hostile attempts launched against the system,and unravel the reasons behind their success.

The topics to be researched during the seminar include (but are not limited to):

• An analysis of attacks that lead to integrity violation,

• System and process monitoring techniques,

• Application integrity checking via runtime self-monitoring techniques,

• Integrity protection techniques for Docker containers,

• Hypervisor-based integrity protection techniques,

• Security metrics for integrity protection techniques,

• Cost analysis of integrity protection techniques,

• Reconstruction of system state from logging data,

• Visualization of logs and system states (e.g. graphs),

• Mining logs for traces of malicious behaviors, and

• Classification of logs/system states as malicious/benign (using machine learning).

Previous Knowledge Expected

• Basic understanding of security concepts,

• Good programming skills,

• Good understanding of algorithms and data structures,

• Any previous knowledge in forensic analysis would be a plus.


The primary objective of this seminar is to design/employ protection mechanisms to detect system com-promises at various levels upon occurrence. Since this is not always possible we wish to facilitate the post-compromise forensic process. However, the humongous amount of data generated by systems nowadays induces devising mechanisms and tools aid forensic analysts with (a) analyzing logs and reconstructing system states, (b) identifying malicious behaviors and attacks previously launched against the system, and (c) pointing out the vulnerabilities to be mitigated so as to prevent similar incidents in the future. In this context, another objective of this seminar is to introduce students to post-compromise security and forensic analysis. The students are expected to learn about those areas by researching one of the aforementioned research topics, and implementing proof-of-concept tools that demonstrate their topics of choice, if relevant.Lastly, this seminar aims to expose students to the process of scientific research and publishing peer-reviewed works. The students will engage in reading and reviewing the papers of their peers, addressing the comments pointed out by them, and presenting their work to the seminar participants.


Students will survey the literature of one of the research topics assigned to them by their supervisors;they are encouraged to find and read further relevant articles on the topic. At the end of the seminar,students are to submit an exposé that incorporates the knowledge they acquired and the findings of any experiments they conducted whilst researching the topic. The exposé depicts a scientific paper that adopts their own succinct chain of argumentation. Merely paraphrasing and augmenting the contents of original papers is not sufficient. We expect the paper to be maximum 15 pages in Springer LNCS style. We will notaccept any other formats. All submissions must be as PDF files: no other file formats are acceptable. The presentation will be 20 minutes + 10 minutes of discussion.

Material and Suggested papers

• Ghosh, Sudeep, Jason D. Hiser, and Jack W. Davidson. ”A secure and robust approach to softwaretamper resistance.” International Workshop on Information Hiding. Springer Berlin Heidelberg, 2010.

• Chang, Hoi, and Mikhail J. Atallah. ”Protecting software code by guards.” ACM Workshop on DigitalRights Management. Springer Berlin Heidelberg, 2001.

• Neisse, Ricardo, Dominik Holling, and Alexander Pretschner. ”Implementing trust in cloud infras-tructures.” Proceedings of the 2011 11th IEEE/ACM International Symposium on Cluster, Cloud andGrid Computing. IEEE Computer Society, 2011.

• Banescu, Sebastian, et al. ”Code obfuscation against symbolic execution attacks.” Proceedings of the32nd Annual Conference on Computer Security Applications. ACM, 2016.

• Myles, Gideon, and Hongxia Jin. ”A Metric-Based Scheme for Evaluating Tamper Resistant SoftwareSystems.” IFIP International Information Security Conference. Springer Berlin Heidelberg, 2010.

• Buczak, Anna L., and Erhan Guven. ”A survey of data mining and machine learning methods for cybersecurity intrusion detection.” IEEE Communications Surveys & Tutorials 18.2 (2015): 1153-1176.

• Lee, Wenke, Salvatore J. Stolfo, and Kui W. Mok. ”A data mining framework for building intrusiondetection models.” Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on. IEEE,1999.

• Shiravi, Hadi, Ali Shiravi, and Ali A. Ghorbani. ”A survey of visualization systems for networksecurity.” IEEE Transactions on visualization and computer graphics 18.8 (2012): 1313-1329.

• Yen, Ting-Fang, et al. ”Beehive: Large-scale log analysis for detecting suspicious activity in enterprisenetworks.” Proceedings of the 29th Annual Computer Security Applications Conference. ACM, 2013.

• Alspaugh, Sara, et al. ”Analyzing log analysis: An empirical study of user log mining.” 28th LargeInstallation System Administration Conference (LISA14). 2014.