TY - GEN
T1 - Inferring a Distributed Application Behavior Model for Anomaly Based Intrusion Detection
AU - Totel, Eric
AU - Hkimi, Mouna
AU - Hurfin, Michel
AU - Leslous, Mourad
AU - Labiche, Yvan
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/12/9
Y1 - 2016/12/9
AB - As distributed computations become more and more common in highly distributed environments like the cloud, intrusion detection systems have to follow these paradigms. Anomaly-based intrusion detection systems in distributed systems usually rely on a total order of the observed events. However, such a hypothesis is often too strong, as in a highly distributed environment the order of the observed events is partially unknown. This paper demonstrates that it is possible to infer a distributed application behavior model for intrusion detection, relying only on a partial ordering of events. The originality of the proposed approach is to tackle the problem by combining two types of models that are usually used separately: an automaton modeling the distributed computation, and a list of temporal properties that the computation must comply with. Finally, we apply the approach to two examples, and assess the method on a real distributed application.
KW - Anomaly Detection
KW - Distributed Application Modeling
KW - Distributed Systems
KW - Intrusion Detection
KW - Security
UR - https://www.scopus.com/pages/publications/85013783486
U2 - 10.1109/EDCC.2016.13
DO - 10.1109/EDCC.2016.13
M3 - Conference contribution
AN - SCOPUS:85013783486
T3 - Proceedings - 2016 12th European Dependable Computing Conference, EDCC 2016
SP - 53
EP - 64
BT - Proceedings - 2016 12th European Dependable Computing Conference, EDCC 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 12th European Dependable Computing Conference, EDCC 2016
Y2 - 5 September 2016 through 9 September 2016
ER -
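The abstract's two claims, that a total-order assumption produces false alarms when concurrent events reach the monitor in a different order, and that an automaton combined with temporal (happens-before) properties still detects a genuine deviation, can be illustrated with a small detector. The block below is an added example and is not code from the paper or from its authors; it uses vector clocks to represent the partial order and a deliberately simplified inference rule (a property "X happens-before every Y" is kept if it holds on every training trace). The two processes, the event names and the three traces are constructed for the illustration and are not drawn from the paper's case studies.

```python
"""
Added example, not code from the paper by Totel et al.: a toy anomaly detector for
a distributed application whose events are only partially ordered (happens-before,
carried here by vector clocks). It contrasts a detector that assumes a total order
of observed events with one that combines a per-process automaton and a list of
inferred happens-before properties. Processes, event names and traces are constructed.
"""
from collections import defaultdict

START = "START"

def happens_before(a, b):
    """True if vector clock a causally precedes b: a <= b componentwise and a != b."""
    return all(x <= y for x, y in zip(a, b)) and a != b

# Event = (process id, event type, vector clock). Process 0 = client, 1 = server.
# List order is the order in which a central monitor received the events, which is
# NOT a causal order: the server heartbeat is concurrent with the client's send.
NORMAL = [
    (1, "heartbeat", (0, 1)),
    (0, "send_req",  (1, 0)),
    (1, "recv_req",  (1, 2)),
    (1, "commit",    (1, 3)),
    (1, "send_ack",  (1, 4)),
    (0, "recv_ack",  (2, 4)),
]
# Same computation and same clocks; only the monitor's delivery order differs.
REORDERED = [NORMAL[1], NORMAL[0]] + NORMAL[2:]
# Constructed server-side forgery: a request is processed although no client send
# is in its causal past (clock (0, 2) carries no client component).
FORGED = [
    (1, "heartbeat", (0, 1)),
    (1, "recv_req",  (0, 2)),
    (1, "commit",    (0, 3)),
    (1, "send_ack",  (0, 4)),
]

def total_order_model(traces):
    """Baseline: allowed consecutive event-type pairs in monitor delivery order."""
    allowed = set()
    for trace in traces:
        types = [START] + [t for _, t, _ in trace]
        allowed.update(zip(types, types[1:]))
    return allowed

def total_order_alarms(model, trace):
    """Pairs of consecutive delivered events the baseline has never seen."""
    types = [START] + [t for _, t, _ in trace]
    return [pair for pair in zip(types, types[1:]) if pair not in model]

def per_process_sequences(trace):
    """Group events by process and sort by that process's own clock component;
    inside one process the order IS total, whatever the delivery order was."""
    by_proc = defaultdict(list)
    for p, t, vc in trace:
        by_proc[p].append((vc[p], t, vc))
    return {p: [(t, vc) for _, t, vc in sorted(evs)] for p, evs in by_proc.items()}

def infer_model(traces):
    """Partial-order model: per-process automata plus happens-before properties
    'every Y event has some X event in its causal past' that hold on every trace."""
    automata = defaultdict(set)   # process -> allowed (prev_type, next_type)
    candidates = None             # (X, Y) properties not yet refuted by a trace
    for trace in traces:
        for p, seq in per_process_sequences(trace).items():
            types = [START] + [t for t, _ in seq]
            automata[p].update(zip(types, types[1:]))
        types = {t for _, t, _ in trace}
        holds = set()
        for x in types:
            for y in types:
                if x != y and all(any(tx == x and happens_before(vx, vy)
                                      for _, tx, vx in trace)
                                  for _, ty, vy in trace if ty == y):
                    holds.add((x, y))
        candidates = holds if candidates is None else candidates & holds
    return dict(automata), candidates or set()

def detect(model, trace):
    """Return violations: unknown local transitions and unmet causal properties."""
    automata, properties = model
    alarms = []
    for p, seq in per_process_sequences(trace).items():
        types = [START] + [t for t, _ in seq]
        alarms += [("automaton", p, pair) for pair in zip(types, types[1:])
                   if pair not in automata.get(p, set())]
    for x, y in sorted(properties):
        for _, ty, vy in trace:
            if ty == y and not any(tx == x and happens_before(vx, vy)
                                   for _, tx, vx in trace):
                alarms.append(("property", x, y))
    return alarms

if __name__ == "__main__":
    base, model = total_order_model([NORMAL]), infer_model([NORMAL])
    print("total order, reordered  :", total_order_alarms(base, REORDERED))
    print("partial order, reordered:", detect(model, REORDERED))
    print("partial order, forged   :", detect(model, FORGED))
```

Trained on the single NORMAL trace, the total-order baseline raises three alarms on REORDERED although nothing in the computation changed, while the partial-order model accepts it. On FORGED the per-process automaton sees only legitimate local transitions (heartbeat, recv_req, commit, send_ack), and it is the inferred property "send_req happens-before recv_req" that flags the event; this is the reason for keeping both kinds of model rather than the automaton alone.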