Abstract
Monitoring the behavior of IT landscapes is the basis for detecting breaches of non-functional requirements such as security. Established methods such as signature-based monitoring extract features from data instances and compare them with the features stored in a signature database. Signature-based techniques, however, have an intrinsic limitation with respect to unseen instances of aberrations (or attacks), because a new instance has features that are not yet recorded in the signature database. Anomaly detection has therefore been introduced to automatically detect non-conforming patterns in data. Unfortunately, it is often prohibitively hard to obtain labeled training data for supervised-learning-based approaches, so unsupervised techniques such as clustering have become popular. In this paper, we apply complex event processing (CEP) rules and clustering techniques that leverage models of an IT landscape covering its workflows, services, and network infrastructure in order to detect abnormal behavior. The service layer and the infrastructure layer each produce their own events. Sequences of service events are well defined, represent a workflow, and are checked against complex event processing rules. These service events in turn trigger infrastructure events, such as database activity and network traffic, which are not modeled. The infrastructure events are related to the corresponding call traces and clustered into network profiles and database profiles. Outlying service events, nodes, and workflows are then detected from their measured deviation from these clusters. We present the main properties of our clustering-based anomaly detection approach and relate it to other techniques.
This work is supported by QE LaB - Living Models for Open Systems (FFG 822740), COSEMA - funded by the Tiroler Zukunftsstiftung, and SECTISSIMO (P-20388) FWF project.
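The two-layer scheme the abstract describes, as an added example that is not the paper's own code: a CEP-style sequence rule checks each call trace's service events against a workflow model, infrastructure events are related to traces by trace id and aggregated into a per-trace network/database profile, the profiles are clustered, and outliers are reported by deviation from their cluster. All names (`WORKFLOWS`, `TRACES`, `INFRA_EVENTS`, node names, the two features), the k-means variant and the thresholds are assumptions chosen for the illustration; the event data is constructed.

```python
"""Toy two-layer monitor in the spirit of the abstract: a CEP-style sequence rule
over service events plus clustering of per-trace infrastructure profiles.
Added illustration (constructed data, hypothetical names), not the paper's code."""
from collections import defaultdict
from math import sqrt
from statistics import median

# Workflow model (constructed): expected order of service events.
WORKFLOWS = {"order": ["login", "search", "checkout", "pay"]}

# Constructed service-event log, one sequence per call trace; t4 skips checkout.
OK = ["login", "search", "checkout", "pay"]
TRACES = {"t1": OK, "t2": OK, "t3": OK, "t4": ["login", "pay"], "t5": OK, "t6": OK}
SERVICE_EVENTS = [(t, "order", e) for t, seq in TRACES.items() for e in seq]

# Constructed infrastructure events, linked to the service layer only by trace id:
# (trace_id, node, kind, value); kind "net" = bytes sent, "db" = SQL statements run.
INFRA_EVENTS = [
    ("t1", "web-1", "net", 1000), ("t1", "web-1", "db", 3),
    ("t2", "web-2", "net", 1200), ("t2", "web-2", "db", 4),
    ("t3", "web-1", "net", 900), ("t3", "web-1", "db", 3),
    ("t4", "web-2", "net", 1100), ("t4", "web-2", "db", 3),    # infra normal, workflow broken
    ("t5", "web-2", "net", 48000), ("t5", "web-2", "db", 60),  # dump-like: bytes and statements
    ("t6", "web-1", "net", 9000), ("t6", "web-1", "db", 3),    # large transfer, normal db use
]


def check_workflows(service_events, workflows=WORKFLOWS):
    """Service layer: every trace must follow its workflow model step by step.
    Returns {trace_id: violation}; conforming (or still in-progress) traces are absent."""
    seen = defaultdict(list)
    for trace_id, workflow, event in service_events:
        seen[trace_id].append((workflow, event))
    violations = {}
    for trace_id, steps in seen.items():
        workflow = steps[0][0]
        model = workflows[workflow]
        for i, (_, event) in enumerate(steps):
            expected = model[i] if i < len(model) else "<end>"
            if event != expected:
                violations[trace_id] = f"{workflow}: step {i} expected {expected!r}, got {event!r}"
                break
    return violations


def build_profiles(infra_events):
    """Infrastructure layer: relate events to call traces and aggregate a
    [net_bytes, db_statements] profile per trace. Returns {trace_id: (node, profile)}."""
    profiles = {}
    for trace_id, node, kind, value in infra_events:
        _, vec = profiles.setdefault(trace_id, (node, [0.0, 0.0]))
        vec[0 if kind == "net" else 1] += value
    return profiles


def _normalise(vectors):
    """Min-max scale each feature so byte counts do not swamp statement counts."""
    dims = len(next(iter(vectors.values())))
    lo = [min(v[d] for v in vectors.values()) for d in range(dims)]
    hi = [max(v[d] for v in vectors.values()) for d in range(dims)]
    return {k: [(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                for d in range(dims)] for k, v in vectors.items()}


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, rounds=50):
    """Lloyd's k-means with deterministic farthest-point seeding (no random state,
    so runs are reproducible). Returns (centroids, {key: cluster_index})."""
    keys = sorted(points)
    centroids = [points[keys[0]]]
    while len(centroids) < k:
        far = max(keys, key=lambda key: min(_dist(points[key], c) for c in centroids))
        centroids.append(points[far])
    assign = {}
    for _ in range(rounds):
        assign = {key: min(range(k), key=lambda i: _dist(points[key], centroids[i])) for key in keys}
        new = []
        for i in range(k):
            members = [points[key] for key in keys if assign[key] == i]
            new.append([sum(m[d] for m in members) / len(members) for d in range(len(members[0]))]
                       if members else centroids[i])
        if new == centroids:  # assignments stable -> converged
            break
        centroids = new
    return centroids, assign


def find_outliers(profiles, k=2, min_cluster_size=2, ratio=3.0):
    """Flag a trace when (a) its cluster is too small to stand for normal behaviour
    or (b) it sits more than `ratio` x the cluster's median distance from the centroid.
    The median, not the mean, is used so an outlier cannot inflate its own threshold."""
    norm = _normalise({t: vec for t, (_, vec) in profiles.items()})
    centroids, assign = kmeans(norm, k)
    reasons = {}
    for i in range(k):
        members = [t for t in assign if assign[t] == i]
        if len(members) < min_cluster_size:
            for t in members:
                reasons[t] = f"node {profiles[t][0]}: cluster of size {len(members)} (rare behaviour)"
            continue
        dists = {t: _dist(norm[t], centroids[i]) for t in members}
        limit = ratio * median(dists.values())
        for t, d in dists.items():
            if d > limit:
                reasons[t] = f"node {profiles[t][0]}: {d:.3f} from centroid, limit {limit:.3f}"
    return reasons


if __name__ == "__main__":
    for t, why in check_workflows(SERVICE_EVENTS).items():
        print("service-layer violation", t, why)
    for t, why in find_outliers(build_profiles(INFRA_EVENTS)).items():
        print("infrastructure outlier", t, why)
```

Run as a script, the example reports t4 from the service layer (a step missing from the workflow, which the infrastructure profile alone would never reveal) and t5 and t6 from the infrastructure layer (a dump-like trace that lands in a one-member cluster, and a large transfer that stays in the normal cluster but far from its centroid). Two points matter in practice: a plain "far from centroid" test misses the dump-like case, because k-means gives a sufficiently extreme point its own centroid, so a minimum cluster size is needed as well; and the only link between the layers is the trace id, so infrastructure events that carry no known trace id should themselves be treated as findings rather than silently dropped, which this sketch does not do.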
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Gander, M., Felderer, M., Katt, B., Breu, R. (2012). Monitoring Anomalies in IT-Landscapes Using Clustering Techniques and Complex Event Processing. In: Hähnle, R., Knoop, J., Margaria, T., Schreiner, D., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification, and Validation. ISoLA 2011. Communications in Computer and Information Science, vol 336. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34781-8_14
DOI: https://doi.org/10.1007/978-3-642-34781-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34780-1
Online ISBN: 978-3-642-34781-8