An efficient and scalable intrusion detection system on logs of distributed applications

David Lanoë; Michel Hurfin; Eric Totel; Carlos Maziero

doi:10.1007/978-3-030-22312-0_4

An efficient and scalable intrusion detection system on logs of distributed applications

David Lanoë
, Michel Hurfin
, Eric Totel
, Carlos Maziero

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application’s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.

Original language	English
Title of host publication	ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings
Editors	Gurpreet Dhillon, Fredrik Karlsson, Karin Hedström, André Zúquete
Publisher	Springer New York LLC
Pages	49-63
Number of pages	15
ISBN (Print)	9783030223113
DOIs	https://doi.org/10.1007/978-3-030-22312-0_4
Publication status	Published - 1 Jan 2019
Externally published	Yes
Event	34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019 - Lisbon, Portugal Duration: 25 Jun 2019 → 27 Jun 2019

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	562
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019
Country/Territory	Portugal
City	Lisbon
Period	25/06/19 → 27/06/19

Keywords

Anomaly detection
Distributed application
Models

Access to Document

10.1007/978-3-030-22312-0_4

Cite this

Lanoë, D., Hurfin, M., Totel, E., & Maziero, C. (2019). An efficient and scalable intrusion detection system on logs of distributed applications. In G. Dhillon, F. Karlsson, K. Hedström, & A. Zúquete (Eds.), ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings (pp. 49-63). (IFIP Advances in Information and Communication Technology; Vol. 562). Springer New York LLC. https://doi.org/10.1007/978-3-030-22312-0_4

Lanoë, David ; Hurfin, Michel ; Totel, Eric et al. / An efficient and scalable intrusion detection system on logs of distributed applications. ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings. editor / Gurpreet Dhillon ; Fredrik Karlsson ; Karin Hedström ; André Zúquete. Springer New York LLC, 2019. pp. 49-63 (IFIP Advances in Information and Communication Technology).

@inproceedings{d910efd58d984089ae0c4e252e877974,

title = "An efficient and scalable intrusion detection system on logs of distributed applications",

abstract = "Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application{\textquoteright}s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.",

keywords = "Anomaly detection, Distributed application, Models",

author = "David Lano{\"e} and Michel Hurfin and Eric Totel and Carlos Maziero",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2019.; 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019 ; Conference date: 25-06-2019 Through 27-06-2019",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-22312-0\_4",

language = "English",

isbn = "9783030223113",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "49--63",

editor = "Gurpreet Dhillon and Fredrik Karlsson and Karin Hedstr{\"o}m and Andr{\'e} Z{\'u}quete",

booktitle = "ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings",

}

Lanoë, D, Hurfin, M, Totel, E & Maziero, C 2019, An efficient and scalable intrusion detection system on logs of distributed applications. in G Dhillon, F Karlsson, K Hedström & A Zúquete (eds), ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings. IFIP Advances in Information and Communication Technology, vol. 562, Springer New York LLC, pp. 49-63, 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019, Lisbon, Portugal, 25/06/19. https://doi.org/10.1007/978-3-030-22312-0_4

An efficient and scalable intrusion detection system on logs of distributed applications. / Lanoë, David; Hurfin, Michel; Totel, Eric et al.
ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings. ed. / Gurpreet Dhillon; Fredrik Karlsson; Karin Hedström; André Zúquete. Springer New York LLC, 2019. p. 49-63 (IFIP Advances in Information and Communication Technology; Vol. 562).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An efficient and scalable intrusion detection system on logs of distributed applications

AU - Lanoë, David

AU - Hurfin, Michel

AU - Totel, Eric

AU - Maziero, Carlos

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2019.

PY - 2019/1/1

Y1 - 2019/1/1

N2 - Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application’s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.

AB - Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application’s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.

KW - Anomaly detection

KW - Distributed application

KW - Models

U2 - 10.1007/978-3-030-22312-0_4

DO - 10.1007/978-3-030-22312-0_4

M3 - Conference contribution

AN - SCOPUS:85068220455

SN - 9783030223113

T3 - IFIP Advances in Information and Communication Technology

SP - 49

EP - 63

BT - ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings

A2 - Dhillon, Gurpreet

A2 - Karlsson, Fredrik

A2 - Hedström, Karin

A2 - Zúquete, André

PB - Springer New York LLC

T2 - 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019

Y2 - 25 June 2019 through 27 June 2019

ER -

Lanoë D, Hurfin M, Totel E, Maziero C. An efficient and scalable intrusion detection system on logs of distributed applications. In Dhillon G, Karlsson F, Hedström K, Zúquete A, editors, ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings. Springer New York LLC. 2019. p. 49-63. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-030-22312-0_4

An efficient and scalable intrusion detection system on logs of distributed applications

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this