Markus Wurzenberger

AIT Austrian Institute of Technology

Giefinggasse 4

1210 Vienna, Austria

Markus Wurzenberger is a scientist and project manager at AIT Austrian Institute of Technology, located in Vienna, Austria. Since 2014 he is part of the cyber security research group of AIT’s Center for Digital Safety and Security. His main research interests are log data analysis with focus on anomaly detection and cyber threat intelligence (CTI). Besides the involvement in several international and national research projects, Markus is one of the key researchers working on AIT’s anomaly detection project AECID. Among the most prominent solutions developed within this project, Markus and his team created AMiner, a software component for log analysis, which implements several anomaly detection algorithms that base on machine learning (ML) artificial intelligence (AI), and statistics. The AMiner is available as package in the official Debian distribution.

In 2021, Markus finished his PhD in computer science at TU Wien. His thesis focused on resource-efficient log analysis to enable online anomaly detection in cyber security. In 2015 Markus obtained his master’s degree in technical mathematics at the TU Wien. Since 2014 he is a full-time scientist at AIT in the area of cyber security.

news

May 30, 2022	Launch of new website.

selected publications

TOPS
Dealing with Security Alert Flooding: Using Machine Learning for Domain-Independent Alert Aggregation

Landauer, Max, Skopik, Florian, Wurzenberger, Markus, and Rauber, Andreas

ACM Trans. Priv. Secur. Apr 2022

Abs Bib HTML PDF Code Website Data

Intrusion Detection Systems (IDS) secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF that include IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs that frequently lack such network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alerts and alert groups. Based on these metrics and techniques we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around 80% and assigning attack classifiers to the groups with true positive rates of 80% and false positive rates lower than 5%.
@article{10.1145/3510581, author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Rauber, Andreas}, title = {Dealing with Security Alert Flooding: Using Machine Learning for Domain-Independent Alert Aggregation}, year = {2022}, issue_date = {August 2022}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, volume = {25}, number = {3}, issn = {2471-2566}, url = {https://doi.org/10.1145/3510581}, doi = {10.1145/3510581}, journal = {ACM Trans. Priv. Secur.}, month = apr, articleno = {18}, numpages = {36}, }
TREL
Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed

Landauer, Max, Skopik, Florian, Wurzenberger, Markus, Hotwagner, Wolfgang, and Rauber, Andreas

IEEE Transactions on Reliability Mar 2021

Abs Bib HTML PDF Website Data

Evaluations of intrusion detection systems (IDS) require log datasets collected in realistic system environments. Existing testbeds therefore offer user simulations and attack scenarios that target specific use-cases. However, not only does the preparation of such testbeds require domain knowledge and time-consuming work, but also maintenance and modifications for other use-cases involve high manual efforts and repeated execution of tasks. In this article, we therefore propose to generate testbeds for IDS evaluation using strategies from model-driven engineering. In particular, our approach models system infrastructure, simulated normal behavior, and attack scenarios as testbed-independent modules. A transformation engine then automatically generates arbitrary numbers of testbeds, each with a particular set of characteristics and capable of running in parallel. Our approach greatly improves configurability and flexibility of testbeds and allows to reuse components across multiple scenarios. We use our proof-of-concept implementation to generate a labeled dataset for IDS evaluation that is published with this article.
@article{9262078, author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Hotwagner, Wolfgang and Rauber, Andreas}, journal = {IEEE Transactions on Reliability}, title = {Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed}, year = {2021}, volume = {70}, number = {1}, pages = {402-415}, doi = {10.1109/TR.2020.3031317}, month = mar, publisher = {IEEE}, }
C&S
System log clustering approaches for cyber security applications: A survey

Landauer, Max, Skopik, Florian, Wurzenberger, Markus, and Rauber, Andreas

Computers & Security May 2020

Abs Bib HTML PDF Website

Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summarize log data by means of clustering techniques have been proposed. Picking the right approach for a particular application domain is, however, non-trivial, since algorithms are designed towards specific objectives and requirements. This paper therefore surveys existing approaches. It thereby groups approaches by their clustering techniques, reviews their applicability and limitations, discusses trends and identifies gaps. The survey reveals that approaches usually pursue one or more of four major objectives: overview and filtering, parsing and signature extraction, static outlier detection, and sequences and dynamic anomaly detection. Finally, this paper also outlines a concept and tool that support the selection of appropriate approaches based on user-defined requirements.
@article{LANDAUER2020101739, title = {System log clustering approaches for cyber security applications: A survey}, journal = {Computers & Security}, volume = {92}, pages = {101739}, year = {2020}, month = may, issn = {0167-4048}, doi = {https://doi.org/10.1016/j.cose.2020.101739}, url = {https://www.sciencedirect.com/science/article/pii/S0167404820300250}, author = {Landauer, Max and Skopik, Florian and Wurzenberger, Markus and Rauber, Andreas}, keywords = {Log clustering, Cyber security, Log mining, Signature extraction, Anomaly detection}, publisher = {Elsevier}, }
C&S
Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection

Landauer, Max, Wurzenberger, Markus, Skopik, Florian, Settanni, Giuseppe, and Filzmoser, Peter

Computers & Security Nov 2018

Abs Bib HTML PDF Website

Technological advances and increased interconnectivity have led to a higher risk of previously unknown threats. Cyber Security therefore employs Intrusion Detection Systems that continuously monitor log lines in order to protect systems from such attacks. Existing approaches use string metrics to group similar lines into clusters and detect dissimilar lines as outliers. However, such methods only produce static views on the data and do not sufficiently incorporate the dynamic nature of logs. Changes of the technological infrastructure therefore frequently require cluster reformations. Moreover, such approaches are not suited for detecting anomalies related to frequencies, periodic alterations and interdependencies of log lines. We therefore propose a dynamic log file anomaly detection methodology that incrementally groups log lines within time windows. Thereby, a novel clustering mechanism establishes links between otherwise isolated collections of clusters. Cluster evolution techniques analyze clusters from neighboring time windows and determine transitions such as splits or merges. A self-learning algorithm then detects anomalies in the temporal behavior of these evolving clusters by analyzing metrics derived from their developments. We apply a prototype in an illustrative scenario consisting of a log file containing known anomalies. We thereby investigate the influences of certain parameters on the detection ability and the runtime. The evaluation of this scenario shows that 61.8% of the dynamic changes of log line clusters are correctly identified, while the false alarm rate is only 0.7%. The ability of efficiently detecting these anomalies while self-adjusting to changes of the system environment suggests the applicability of the introduced approach.
@article{LANDAUER201894, title = {Dynamic log file analysis: An unsupervised cluster evolution approach for anomaly detection}, journal = {Computers & Security}, volume = {79}, pages = {94-116}, year = {2018}, month = nov, issn = {0167-4048}, doi = {https://doi.org/10.1016/j.cose.2018.08.009}, url = {https://www.sciencedirect.com/science/article/pii/S0167404818306333}, author = {Landauer, Max and Wurzenberger, Markus and Skopik, Florian and Settanni, Giuseppe and Filzmoser, Peter}, publisher = {Elsevier}, }
ARES’17
Incremental Clustering for Semi-Supervised Anomaly Detection Applied on Log Data

Wurzenberger, Markus, Skopik, Florian, Landauer, Max, Greitbauer, Philipp, Fiedler, Roman, and Kastner, Wolfgang

In Proceedings of the 12th International Conference on Availability, Reliability and Security Aug 2017

Abs Bib HTML PDF Code Website

Anomaly detection based on white-listing and self-learning has proven to be a promising approach to detect customized and advanced cyber attacks. Anomaly detection aims at detecting significant deviations from normal system and network behavior. A well-known method to classify anomalous and normal system behavior is clustering of log lines. However, this approach has been applied for forensic purposes only, where log data dumps are investigated retrospectively. In order to make this concept applicable for on-line anomaly detection, i.e., at the time the log lines are produced, some major extensions to existing approaches are required. Especially distance based clustering approaches usually fail building the required large distance matrices and rely on time-consuming recalculations of the cluster-map on every arriving log line. An incremental clustering approach seems suitable to solve this issues. Thus, we introduce a semi-supervised concept for incremental clustering of log data that builds the basis for a novel on-line anomaly detection solution based on log data streams. Its operation is independent from the syntax and semantics of the processed log lines, which makes it generally applicable. We demonstrate that that the introduced anomaly detection approach allows to achieve both a high recall and a high precision while maintaining linear complexity.
@inproceedings{10.1145/3098954.3098973, author = {Wurzenberger, Markus and Skopik, Florian and Landauer, Max and Greitbauer, Philipp and Fiedler, Roman and Kastner, Wolfgang}, title = {Incremental Clustering for Semi-Supervised Anomaly Detection Applied on Log Data}, year = {2017}, month = aug, isbn = {9781450352574}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3098954.3098973}, doi = {10.1145/3098954.3098973}, booktitle = {Proceedings of the 12th International Conference on Availability, Reliability and Security}, articleno = {31}, numpages = {6}, keywords = {log line clustering, intrusion detection, anomaly detection}, location = {Reggio Calabria, Italy}, series = {ARES '17}, }