Distack - A Framework for Distributed Anomaly-based Attack Detection

Distack is a framework for attack detection which allows for an integration of various detection methods as lightweight modules. These modules can be combined easily and arbitrarily. Thus, an adaptation to new situations or an extension of existing systems, which until now in most cases was complex and time-consuming, is simplified. Distack, additionally, can be applied in different runtime environments transparently. This enables an easy evaluation with meaningful and comparable results based on realistic large-scale scenarios, e.g. by using a network simulator like ​OMNeT++ in addition with the topology and traffic generation tool ​ReaSE.

The attack detection methods evaluated in the simulator afterwards can be applied on real systems without additional changes. Thus, a realistic evaluation of attack detection systems and anomaly detection methods developed in the past as well as comparable results can be achieved by using Distack. To support distributed attack detection Distack supports transparent remote messaging. This way local communication inside one Distack instance can be easily extended to remote communication between distributed Distack instances.

Distack allows researchers to completely focus on their methods for attack detection and traffic analysis!

---

News

3. September 2010

• Relaunch of the Distack website in the new KIT (Karlsruhe Institute of Technology) design.

8. June 2010

• Uploaded a graphical user interface tool that can be used for creating and editing Distack configuration files. In addition, OMNeT++ 4.x topologies using Distack instances can be configured using this GUI. Please be aware that this tool is still in beta state and only applicable with OMNeT++ 4.x.

7. June 2010

• Fixed a minor problem with the exemplary topologies. Version number has not been changed.

26. May 2010

• New version 1.2.3-dev fixes a Bug with the ReaSE patch regarding the file DistackOmnetIDS (gate should be named tcpOut instead of TCPOut).

16. May 2010

• Due to newer autotools versions the configure options checking is broken. The new version 1.2.2-dev fixes the issue.

12. May 2010

• Apparently there has been a problem regarding the ReaSE patch while building the archive of the new Distack version. Thus, today the version 1.2.1-dev has been updated and is now containing the correct patch. I'm really sorry for this inconvenience.

10. May 2010

• The problems regarding the ReaSE patch of Distack have been fixed (see ticket 1 for the updated patch file). In addition, a new version (1.2.1-dev) of Distack has been created, which includes the updated patch file as well as some minor bugfixes related to new gcc versions and few enhancements with respect to XML serialization of remote messages. Please see ​Dowload section for the new Distack version 1.2.1-dev.

10. May 2010

• There seems to be a problem regarding the ReaSE patch of Distack (see ticket 1). We are currently working on a solution for this problem. This problem only affects people that are trying to use Distack within the simulator OMNeT++ 4.0. A new version as well as a workaround patch are provided here as soon as we have fixed the problem.

19. May 2009
    • The new Distack v1.2.0 release is now available. In addition to the standalone version, this release can be used together with the network simulator OMNeT++ v4.0. The installation instructions page also has been updated since OMNeT++ and ReaSE have lots of new features and the whole installation process of OMNeT++ and ReaSE has changed.

4. Mar. 2009
   • We will soon release the new Distack v1.2.0. It contains (1) a large number of improvements for running simulations, and (2) lots of bugfixes and improved efficiency.

1. Sep. 2008
   • Distack v1.1.0 has been released. It now contains exemplary simulation models. See the ChangeLog.

29. Aug. 2008
    • Distack and related simulation tools from ITM have been presented at the ​EURECOM Security Research Seminar. See the publications page.

26. Aug. 2008
    • The Distack framework has been presented at the ​SECURWARE08 conference in France. See the publications page.

[ Old news... ]

---

Good Starting Points

• DistackFeatures -- Already available and planned Distack features
• ​DistackDownload -- Download Distack on this page
• DistackInstall -- Starting point for Distack installation instructions
• DistackGuide -- Starting point for Distack documentation
• DistackPublications -- Publications related to Distack
• DistackTeam -- The core developers of Distack
• DistackLicense -- The Distack license

Distack Flyer

For a quick introduction of Distack and its features see the ​Distack flyer.

Simulation

Distack runs transparently in simulations.