DOI: 10.1145/2675743.2771829

Complex event processing for reactive security monitoring in virtualized computer systems

Published: 24 June 2015

Abstract

The number of security incidents in computer systems is steadily increasing, despite the intrusion detection and prevention mechanisms deployed as countermeasures. Many existing intrusion detection and prevention systems struggle to keep up with the new threats posed by zero-day attacks, or incur serious performance penalties through extensive monitoring, which calls their effectiveness into question in most real-life scenarios. In this paper, we present a new approach for reactive security monitoring in a virtualized computer environment based on minimally intrusive dynamic sensors deployed vertically across virtualization layers and horizontally within a virtual machine instance. The sensor streams are analyzed using a novel federation of complex event processing engines and an optimized query index that maximizes the performance of continuous queries; the results of the analysis are used to trigger appropriate actions on different virtualization layers in response to detected security anomalies. Furthermore, a novel event store that supports fast event logging is used for offline analysis of collected historical data. Experiments show that the proposed system can execute tens of thousands of complex, stateful detection rules simultaneously and trigger actions efficiently and with low latency.




Published In

DEBS '15: Proceedings of the 9th ACM International Conference on Distributed Event-Based Systems
June 2015
385 pages
ISBN:9781450332866
DOI:10.1145/2675743
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. complex event processing
  2. monitoring
  3. security

Qualifiers

  • Research-article

Funding Sources

  • German Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung, BMBF)

Conference

DEBS '15

Acceptance Rates

Overall Acceptance Rate 145 of 583 submissions, 25%


Article Metrics

  • Downloads (Last 12 months)7
  • Downloads (Last 6 weeks)0
Reflects downloads up to 13 Nov 2024

Cited By

  • EPAComp: An Architectural Model for EPA Composition. Proceedings of the XIX Brazilian Symposium on Information Systems, 2023, pp. 61-69. DOI: 10.1145/3592813.3592889. Online publication date: 29 May 2023.
  • Insider Intrusion Detection Techniques: A State-of-the-Art Review. Journal of Computer Information Systems, 64(1):106-123, 2023. DOI: 10.1080/08874417.2023.2175337. Online publication date: 14 Feb 2023.
  • DLACEP: A Deep-Learning Based Framework for Approximate Complex Event Processing. Proceedings of the 2022 International Conference on Management of Data, pp. 340-354. DOI: 10.1145/3514221.3526136. Online publication date: 10 Jun 2022.
  • Sequential event-based detection of network attacks on CSE CIC IDS 2018 data set – Application of GSP and IPAM Algorithm. 2022 International Conference on Computing, Communication, Security and Intelligent Systems (IC3SIS), pp. 1-7. DOI: 10.1109/IC3SIS54991.2022.9885438. Online publication date: 23 Jun 2022.
  • ChronicleDB. ACM Transactions on Database Systems, 44(4):1-45, 2019. DOI: 10.1145/3342357. Online publication date: 15 Oct 2019.
  • LEAD. Proceedings of the 13th ACM International Conference on Distributed and Event-based Systems, 2019, pp. 91-102. DOI: 10.1145/3328905.3329501. Online publication date: 24 Jun 2019.
  • A Systematic Mapping Study on Intrusion Alert Analysis in Intrusion Detection Systems. ACM Computing Surveys, 51(3):1-41, 2018. DOI: 10.1145/3184898. Online publication date: 22 Jun 2018.
  • A Survival Performance degrAdation fRamework for lArge-scale neTworked systems. 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 852-857. DOI: 10.23919/INM.2017.7987384. Online publication date: May 2017.
  • An Event-based Capture-and-Compare Approach to Support the Evolution of Systems of Systems. Proceedings of the 11th ACM International Conference on Distributed and Event-based Systems, 2017, pp. 261-270. DOI: 10.1145/3093742.3093909. Online publication date: 8 Jun 2017.
  • Combining Network Access Control (NAC) and SIEM functionality based on open source. 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), pp. 300-305. DOI: 10.1109/IDAACS.2017.8095094. Online publication date: Sep 2017.
