TY - GEN
T1 - An efficient and scalable intrusion detection system on logs of distributed applications
AU - Lanoë, David
AU - Hurfin, Michel
AU - Totel, Eric
AU - Maziero, Carlos
N1 - Publisher Copyright:
© IFIP International Federation for Information Processing 2019.
PY - 2019/1/1
Y1 - 2019/1/1
N2 - Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application’s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is considerable, and the model’s size affects the duration of the detection phase. The proposed solutions address these problems while keeping good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.
AB - Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application’s normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is considerable, and the model’s size affects the duration of the detection phase. The proposed solutions address these problems while keeping good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.
KW - Anomaly detection
KW - Distributed application
KW - Models
UR - https://www.scopus.com/pages/publications/85068220455
U2 - 10.1007/978-3-030-22312-0_4
DO - 10.1007/978-3-030-22312-0_4
M3 - Conference contribution
AN - SCOPUS:85068220455
SN - 9783030223113
T3 - IFIP Advances in Information and Communication Technology
SP - 49
EP - 63
BT - ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Proceedings
A2 - Dhillon, Gurpreet
A2 - Karlsson, Fredrik
A2 - Hedström, Karin
A2 - Zúquete, André
PB - Springer New York LLC
T2 - 34th IFIP TC 11 International Conference on Information Security and Privacy Protection, SEC 2019
Y2 - 25 June 2019 through 27 June 2019
ER -