Automatic Detection of Internet-based Cyberattacks

Over the last few years, the Internet has been repeatedly used as a medium to launch attacks against computer and communication subsystems. Such attacks, usually called cyber-attacks, may disable a large number of computers, which may in turn paralyze critical infrastructures including telecommunications, provision of electric power, transportation, water supplies, athletic infrastructure, and commerce. Such cyber-attacks propagate rapidly and may have a profound impact.

Our research targets the creation of early-warning systems that can detect cyber-attacks quickly and respond to them efficiently. Our recent focus has been on designing, implementing, and deploying early-warning systems that are able to detect computer attacks in their infancy.


  • E. Markatos et al. "EAR: Early Warning System for the automatic detection of Internet-based Cyberattacks", project proposal submitted to GSRT, Call "Cooperation with R&D Organizations outside Europe, Action, Structural Fund #3, Operational Program Competitiveness", December 2002 (pdf).


  • Spiros Antonatos, Periklis Akritidis, Evangelos P. Markatos and Kostas G. Anagnostakis. Defending against Hitlist Worms using Network Address Space Randomization. In Computer Networks, to appear, 2007 (pdf)
  • Spiros Antonatos and Kostas G. Anagnostakis. TAO: Protecting against Hitlist Worms using Transparent Address Obfuscation. In Proceedings of the 10th IFIP Open Conference on Communications and Multimedia Security (CMS'06) (to appear)
  • Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Network-level Polymorphic Shellcode Detection using Emulation. In Proceedings of the GI/IEEE SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). July 2006, Berlin, Germany. (pdf)
  • Demetres Antoniades, Manos Athanatos, Antonis Papadogiannakis, Evangelos P. Markatos, Constantine Dovrolis: Available bandwidth measurement as simple as running wget. In Proceedings of the Passive and Active Measurement Conference (PAM2006), March 2006 (pdf)
  • Kostas G. Anagnostakis, Stelios Sidiroglou, Periklis Akritidis, Konstantinos Xinidis, Evangelos Markatos, and Angelos D. Keromytis: Detecting Targeted Attacks Using Shadow Honeypots. In the Proceedings of the 14th USENIX Security Symposium. August 2005, Baltimore, MD. (pdf)
  • P. Akritidis, Kostas Anagnostakis, and E.P. Markatos: Efficient Content-Based Fingerprinting of Zero-Day Worms. Proceedings of the International Conference on Communications (ICC 2005), Seoul, Korea, 16-20 May 2005 (pdf)
  • Kostas Xinidis, Kostas D. Anagnostakis, and Evangelos P. Markatos: Design and Implementation of a High-Performance Network Intrusion Prevention System. In the Proceedings of the 20th IFIP International Information Security Conference (SEC 2005), May 2005 (pdf)
  • P. Akritidis, Evangelos P. Markatos, M. Polychronakis, and Kostas D. Anagnostakis: STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis. In the Proceedings of the 20th IFIP International Information Security Conference (SEC 2005), May 2005 (pdf)
  • S. Antonatos, K. G. Anagnostakis, E. P. Markatos. Generating Realistic Workloads for Network Intrusion Detection Systems. Proceedings of the Fourth International Workshop on Software and Performance (WOSP2004), January 2004 (to appear). (pre-final draft pdf | compressed postscript)


  • Cassandra is a utility that takes a trace file as input and reports suspicious packets based on distinct destination counts.
  • Packetgrep is a utility that, given a trace file, a payload hash, and a payload length, reports all matching packets.

If you would like a copy of the tool, please contact akritid AT






  • Computer immunology. S. Forrest, S. Hofmeyr, and A. Somayaji. Communications of the ACM, 40(10), pp. 88-96, 1997.
  • Computer virus-antivirus coevolution. Carey Nachenberg. Communications of the ACM, 40(1):47-51, Jan. 1997.
  • New Directions in Traffic Measurement and Accounting. C. Estan and G. Varghese, in Proceedings of the ACM SIGCOMM Conference, 2002.


D1.1 - Requirements analysis
D2.1 - System Design
D3.1 - System Implementation
D4.1 - System Deployment and Evaluation
D5.1 - Commercial Viability Study