Efficient Network Monitoring for Attack Detection
(Effizientes Netzwerkmonitoring für Angriffserkennung)

Submitted to the Faculty of Engineering (Technische Fakultät) of the University of Erlangen-Nürnberg for the degree of DOKTOR-INGENIEUR by Tobias Limmer. Erlangen, 2011.

Approved as a dissertation by the Faculty of Engineering of the University of Erlangen-Nürnberg.

Date of submission: [day illegible] April 2011
Date of doctoral examination: 2[digit illegible] June 2011
Dean: Prof. Dr.-Ing. Reinhard German
Reviewer: Univ.-Prof. Dr.-Ing. Falko Dressler
Reviewer: Prof. Dr.-Ing. Felix Freiling

Abstract

Techniques for network-based intrusion detection have been evolving for years, and the focus of most research is on detection algorithms, although networks are distributed and dynamically managed nowadays. A data processing framework is required that allows multiple detection techniques to be embedded and that provides data at the aggregation levels they need. Within that framework, this work concentrates on methods that improve the interoperability of intrusion detection techniques and focuses on data preprocessing stages that perform data evaluation and intelligent data filtering.

After presenting a survey of the chain of processes needed for network-based intrusion detection, I discuss the evaluation of TCP connection states based on aggregated flow data. I develop classifiers that interpret flow data with regard to failed and successful connections. These classifiers are especially relevant for anomaly-based intrusion detection techniques such as portscan or malware detection, and enable many of these techniques to operate on flow-level data instead of packet-level data.
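As an added illustration (not code from the dissertation), the kind of flow-level connection-state classification the abstract refers to: unidirectional flow records carrying cumulative TCP flags (as in NetFlow/IPFIX tcpControlBits) are paired into connections, each attempt is labelled as established, closed, rejected or unanswered, and failed attempts are counted per source, which is the signal a flow-based portscan detector consumes. The flow records, the "initiator talks to the lower port" heuristic and the label names are assumptions made for this example.

```python
from collections import defaultdict

# TCP flag bits as carried in NetFlow/IPFIX tcpControlBits (OR-ed over the whole flow).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed unidirectional flow records (not data from the dissertation):
# (src_ip, src_port, dst_ip, dst_port, cumulative_tcp_flags)
FLOWS = [
    ("10.0.0.5", 40001, "10.0.0.9", 80, SYN | ACK | FIN),   # client side of a full exchange
    ("10.0.0.9", 80, "10.0.0.5", 40001, SYN | ACK | FIN),   # server side of that exchange
    ("10.0.0.5", 40002, "10.0.0.9", 23, SYN),               # attempt on a closed port
    ("10.0.0.9", 23, "10.0.0.5", 40002, RST | ACK),         # server refuses it
    ("10.0.0.5", 40003, "10.0.0.9", 445, SYN),              # SYNs sent, nothing ever comes back
]


def classify(fwd_flags, rev_flags):
    """Label one connection attempt from the OR-ed flags of both directions.

    rev_flags is None when no reverse flow was observed at all.
    """
    if rev_flags is None:
        return "unanswered"            # no reply: filtered port or unreachable host
    if rev_flags & RST and not rev_flags & SYN:
        return "rejected"              # RST without a SYN-ACK: closed port
    if fwd_flags & SYN and rev_flags & SYN and rev_flags & ACK:
        # Handshake completed; FIN on either side means it was torn down cleanly.
        return "closed" if (fwd_flags | rev_flags) & FIN else "established"
    return "unknown"                   # flags alone do not settle it (e.g. mid-flow export)


def classify_flows(flows):
    """Pair unidirectional flows by 5-tuple and label each client-initiated attempt."""
    by_key = {(s, sp, d, dp): flags for s, sp, d, dp, flags in flows}
    results = {}
    for (src, sport, dst, dport), flags in by_key.items():
        # Heuristic (assumption): the initiator is the side that sends a SYN to the
        # lower-numbered (service) port; ephemeral client ports are high.
        if not flags & SYN or dport >= sport:
            continue
        results[(src, sport, dst, dport)] = classify(flags, by_key.get((dst, dport, src, sport)))
    return results


def failed_per_source(results):
    """Count failed attempts per source address, the input a scan detector aggregates."""
    counts = defaultdict(int)
    for (src, _sport, _dst, _dport), label in results.items():
        if label in ("unanswered", "rejected"):
            counts[src] += 1
    return dict(counts)
```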