Abstract
For critical areas such as the health-care domain, it is common to formalize workflows, traffic flows and access control via models. Typically, security monitoring is used, first, to determine whether the system corresponds to the specifications in these models and, second, to deal with threats, e.g. by detecting intrusions via monitoring rules. The challenge of security monitoring stems mainly from two aspects. First, information in the form of models needs to be integrated into the analysis part (e.g. rule creation and visualization) so that the plethora of monitored events is analyzed and represented in a meaningful manner. Second, new intrusion types are essentially invisible to established monitoring techniques such as signature-based methods and supervised learning algorithms.
In this paper, we present a pluggable monitoring framework that addresses the above two issues by linking event information and modelling specifications to perform compliance detection and anomaly detection. As input, the framework leverages models that define workflows, event information, and the underlying network infrastructure. Assuming that new intrusions manifest in anomalous behaviour which cannot be foreseen, we make use of a popular unsupervised machine-learning technique called clustering.
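As an added illustration of the two detection modes the abstract describes (this is example code, not the paper's framework): a workflow model expressed as allowed state transitions, a compliance check of event traces against it, and clustering over constructed per-session features in which small clusters are flagged as anomalous. The workflow, the session features and the cluster-size threshold are assumptions made for the example.

```python
# Added illustration, not the paper's framework: a workflow model as allowed
# (state, event) transitions, compliance checking of event traces against it,
# and clustering where unusually small clusters are treated as anomalous.
from math import dist

# Constructed workflow model for a record-access process (assumption).
WORKFLOW = {
    ("start", "login"): "authenticated",
    ("authenticated", "open_record"): "viewing",
    ("viewing", "close_record"): "authenticated",
    ("authenticated", "logout"): "end",
}

def compliance_violations(trace):
    """Return (index, state, event) for each event the model does not allow."""
    state, violations = "start", []
    for i, event in enumerate(trace):
        nxt = WORKFLOW.get((state, event))
        if nxt is None:
            violations.append((i, state, event))  # report, keep state, continue
        else:
            state = nxt
    return violations

def kmeans(points, k, iters=20):
    """Minimal k-means; deterministic seeding on the first k points."""
    centroids = [list(p) for p in points[:k]]
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: dist(p, centroids[c])) for p in points]
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centroids[c] = [sum(x) / len(members) for x in zip(*members)]
    return labels

def anomalous_sessions(features, k=2, min_fraction=0.25):
    """Indices of feature vectors in clusters smaller than min_fraction of the data."""
    labels = kmeans(features, k)
    sizes = {c: labels.count(c) for c in range(k)}
    return [i for i, c in enumerate(labels) if sizes[c] < min_fraction * len(features)]

# Constructed per-session features: (events per minute, distinct records opened).
SESSIONS = [(5, 1), (6, 1), (5, 2), (4, 1), (6, 2), (5, 1), (60, 40)]

if __name__ == "__main__":
    print(compliance_violations(["login", "open_record", "logout"]))  # close_record skipped
    print(anomalous_sessions(SESSIONS))
```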
This work is supported by QE LaB - Living Models for Open Systems (FFG 822740), COSEMA - funded by the Tiroler Zukunftsstiftung, and SECTISSIMO (P-20388) FWF project.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this chapter
Gander, M., Katt, B., Felderer, M., Breu, R. (2013). Towards a Model- and Learning-Based Framework for Security Anomaly Detection. In: Beckert, B., Damiani, F., de Boer, F.S., Bonsangue, M.M. (eds) Formal Methods for Components and Objects. FMCO 2011. Lecture Notes in Computer Science, vol 7542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35887-6_8
DOI: https://doi.org/10.1007/978-3-642-35887-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35886-9
Online ISBN: 978-3-642-35887-6
eBook Packages: Computer Science (R0)