Florian Skopik
AIT Austrian Institute of Technology, Center for Digital Safety & Security

PhD

About

142 Publications
26,979 Reads
1,625 Citations
Introduction
Florian Skopik is Thematic Coordinator of the cyber security research program at the Austrian Institute of Technology (AIT). His research topics are centered on critical infrastructure protection, smart grid security, and national cyber security and defense. He has published more than 100 peer-reviewed papers and four academic books in the realm of cyber security.

Publications (142)
Chapter
Full-text available
For many years signature-based intrusion detection has been applied to discover known malware and attack vectors. However, with the advent of malware toolboxes, obfuscation techniques and the rapid discovery of new vulnerabilities, novel approaches for intrusion detection are required. System behavior analysis is a cornerstone to recognizing advers...
Article
Intrusion Detection Systems (IDS) secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However...
Preprint
Full-text available
Intrusion detection systems (IDS) monitor system logs and network traffic to recognize malicious activities in computer networks. Evaluating and comparing IDSs with respect to their detection accuracies is thereby essential for their selection in specific use-cases. Despite a great need, hardly any labeled intrusion detection datasets are publicly...
Chapter
Intrusion Detection Systems (IDSs) monitor all kinds of IT infrastructures to automatically detect malicious activities related to cyber attacks. Unfortunately, especially anomaly-based IDS are known to produce large numbers of alerts, including false positives, that often become overwhelming for manual analysis. However, due to a fast changing thr...
Chapter
Full-text available
Log data is a well-known source for anomaly detection in cyber security. Accordingly, a large number of approaches based on self-learning algorithms have been proposed in the past. Most of these approaches focus on numeric features extracted from logs, since these variables are convenient to use with commonly known machine learning techniques. Howe...
Chapter
This chapter introduces AECID, a new IDS approach, that incorporates many features motivated by recent research results, including the automatic classification of events in a network, their correlation, evaluation, and interpretation up to a dynamically-configurable alerting system. Eventually, we foresee AECID to be a smart sensor for established...
Chapter
Log lines consist of static parts that characterize their structure and enable the assignment of event types, and of variable parts that provide specific information on system processes. Event-based anomaly detection methods, such as clustering, principal component analysis (PCA), and support vector machines, neglect log lines’ variable parts durin...
Chapter
The introduction of clustering techniques enabled outlier detection on log lines independent from their syntax, thereby removing the need for parsers. However, clustering methods only produce static collections of clusters. Therefore, such approaches frequently require a reformation of the clusters in dynamic environments due to changes in technica...
Chapter
Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summari...
Chapter
Log line clusters usually lack meaningful descriptions that are required to understand the information provided by log lines within a cluster. Template generators make it possible to produce such descriptions in the form of patterns that match all log lines within a cluster and therefore describe the common features, e.g., substrings, of the lines. Current approa...
Chapter
A key source of information describing a system’s current state is log data. However, accessing this information for further analysis is often complicated. Usually, log data is available in the form of unstructured text lines, and there exists no common standard for the appearance of logs. Hence, log parsers are required to pre-process log lines and str...
Chapter
In this book we introduced novel concepts for log data analysis to discover anomalies potentially caused by advanced cyber security attacks. We did not only explain the detailed mechanisms behind these concepts, but also provided hands-on exercises that allow the reader to follow our practical examples, to try out the different algorithms on refere...
Chapter
A well-known method to classify anomalous and normal system behavior is clustering of log lines, which effectively allows learning about the usual system events and their frequencies. However, this approach has been successfully applied mostly for forensic purposes only, where log data dumps are investigated retrospectively. In order to make this c...
Preprint
Full-text available
Most of today's security solutions, such as security information and event management (SIEM) and signature based IDS, require the operator to evaluate potential attack vectors and update detection signatures and rules in a timely manner. However, today's sophisticated and tailored advanced persistent threats (APT), malware, ransomware and rootkits,...
Book
This book provides insights into smart ways of computer log data analysis, with the goal of spotting adversarial actions. It is organized into 3 major parts with a total of 8 chapters that include a detailed view on existing solutions, as well as novel machine learning techniques that go far beyond state of the art. The first part of this book moti...
Article
Full-text available
The degree of sophistication of modern cyber-attacks has increased in recent years, and in the future these attacks will more and more target cyber-physical systems (CPS). Unfortunately, today’s security solutions that are used for enterprise information technology (IT) infrastructures are not sufficient to protect CPS, which have largely different...
Article
Full-text available
The attribution of cyber attacks is often neglected. The consensus still is that little can be done to prosecute the perpetrators – and unfortunately, this might be right in many cases. What is however only of limited interest for the private industry is in the center of interest for nation states. Investigating if an attack was carried out in the...
Conference Paper
Full-text available
Understanding a computer system's or network's behavior is essential for various tasks such as fault diagnosis, intrusion detection or performance analysis. A key source of information describing a system's current state is log data. However, accessing this information for further analysis is often complicated. Usually, log data is available in for...
Chapter
Full-text available
Big data is an appealing source and often perceived to bear all sorts of hidden information. Filtering out the gemstones of information besides the rubbish that is equally easy to “deduce” is, however, a nontrivial issue. This position paper will open with the motivating problem of risk estimation for an enterprise, using big data. Our illustrative...
Book
Full-text available
Part 2: Workshop and Tutorial Papers
Article
Full-text available
Technological advances and increased interconnectivity have led to a higher risk of previously unknown threats. Cyber Security therefore employs Intrusion Detection Systems that continuously monitor log lines in order to protect systems from such attacks. Existing approaches use string metrics to group similar lines into clusters and detect dissimi...
Article
Full-text available
This paper presents a novel approach to flexibly control the depth of monitoring applied to CPS-enabled safety-critical infrastructures, to timely detect deviations from the desired operational status, and discusses how the application of anomaly detection (AD) techniques can be further leveraged to automatically adapt the security controls of the...
Chapter
Full-text available
A cyber situation centre is a central organisational unit in which all relevant information about security incidents converges for processing and assessment. In this context, the right information and data sources are indispensable components in the creation of cyber situation pictures. Through the evaluation of numerous...
Chapter
Situational awareness deals with the perception and understanding of a situation as well as its projection. This situational awareness is also becoming increasingly important in cyberspace, in order to assess and evaluate the current situation. This is often referred to as cyber situational awareness. This chapter describes comprehensive...
Chapter
Full-text available
The technical demonstrator developed within the CISA project was analysed in a one-day, iterative tabletop exercise and evaluated for possible real-world deployment. The practical use of the demonstrator by the participants served to compare the developed Cyber Incident Situational Awareness (CISA) definition with a...
Chapter
At the latest with the NIS Directive, EU member states are compelled to establish national structures, strategies and processes by which the directive is to be adapted, implemented and audited. The authorities, CERTs, interfaces and reporting structures to be created in the process pose, for both the “public” and the “private...
Chapter
Full-text available
The quality of every information-processing system depends heavily on how the collected information is processed. Especially for the construction of a meaningful situation picture, the assessment and aggregation of data is of particular importance in order to be able to recognise and represent patterns and commonalities among seemingly isolated incidents...
Chapter
The basis for precise and useful sector-specific and national cyber situation pictures is the exchange of security-relevant information between organisations. Only by consolidating rich information about attacks and vulnerabilities can a picture of the current situation without blind spots be created in a meaningful way. This...
Book
With the entry into force of the NIS Directive, EU member states have laid the foundation for all those structures that are to guarantee cyber security in the long term. Particular importance is attached to the planned NIS authorities, which act as information hubs between private providers of critical services and governmental...
Article
Full-text available
Abstract The NIS Directive requires the creation of a network of computer emergency response teams (CSIRTs network) and obliges the member states to establish single points of contact and CSIRTs. However, neither the NIS Directive nor the GDPR or the Data Protection Directive for law enforcement and justice contain explicit legal...
Conference Paper
Full-text available
Anomaly detection based on white-listing and self-learning has proven to be a promising approach to detect customized and advanced cyber attacks. Anomaly detection aims at detecting significant deviations from normal system and network behavior. A well-known method to classify anomalous and normal system behavior is clustering of log lines. However...
Chapter
The smooth operation of critical infrastructures such as telecommunications and electricity supply is essential for our society. In recent years, however, operators of critical infrastructures have increasingly struggled with cybersecurity problems (Langner, 2011). Through the use of standard information and communications technology (ICT) produ...
Article
Full-text available
Current data mining tools are characterized by a plethora of algorithms but a lack of guidelines to select the right method according to the nature of the problem under analysis. Producing such guidelines is a primary goal of the field of meta-learning; the research objective is to understand the interaction between the mechanism of learning and th...
Conference Paper
Since the number of cyber attacks by insider threats and the damage caused by them have been increasing over the last years, organizations are in need of specific security solutions to counter these threats. To limit the damage caused by insider threats, the timely detection of erratic system behavior and malicious activities is of primary importan...
Poster
Network security represents a keystone to ISPs, who need to cope with an increasing number of network attacks that put the network’s integrity at risk. The high-dimensionality of network data provided by current network monitoring systems opens the door to the massive application of machine learning approaches to improve the detection and classific...
Conference Paper
Full-text available
Network security represents a keystone to ISPs, who need to cope with an increasing number of network attacks that put the network's integrity at risk. The high-dimensionality of network data provided by current network monitoring systems opens the door to the massive application of machine learning approaches to improve the detection and classific...
Technical Report
Full-text available
Future smart grids will consist of legacy systems and new ICT components, which are used to support increased monitoring and control capabilities in the low-and medium-voltage grids. In this article, we present a cybersecurity risk assessment method, which involves two interrelated streams of analyses that can be used to determine the risks associa...
Article
Full-text available
Today Information and Communications Technology (ICT) networks are a dominating component of our daily life. Centralized logging allows keeping track of events occurring in ICT networks. Therefore a central log store is essential for timely detection of problems such as service quality degradations, performance issues or especially security-relevan...
Article
Full-text available
Future smart grids will consist of legacy systems and new ICT components, which are used to support increased monitoring and control capabilities in the low- and medium-voltage grids. In this article, we present a cybersecurity risk assessment method, which involves two interrelated streams of analyses that can be used to determine the risks associ...
Article
Today's Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex; moreover, they are extensively interconnected with corporate information systems for cost-efficient monitoring, management and maintenance. This exposes ICSs to modern advanced cyber threats. Existing security solutions try to pr...
Article
Full-text available
Abstract According to ENISA, 18 European states have already drawn up their own national cyber security strategy. In these, national cyber situation centres now play a central role in defending against large-scale cyber attacks. Whereas the collection and distribution of information about security incidents and threats was initially...