Inferring a Distributed Application Behavior Model for Anomaly Based Intrusion Detection

As distributed computations become increasingly common in highly distributed environments such as the cloud, intrusion detection systems must follow the same paradigm. Anomaly-based intrusion detection systems for distributed systems usually rely on a total order of the observed events. That hypothesis is often too strong: in a highly distributed environment the order of the observed events is only partially known. This paper shows that it is possible to infer a behavior model of a distributed application for intrusion detection while relying only on a partial ordering of events. The originality of the proposed approach is to tackle the problem by combining two kinds of models that are usually used separately: an automaton modeling the distributed computation, and a list of temporal properties with which the computation must comply. Finally, we apply the approach to two examples and assess the method on a real distributed application.
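The following is an added illustration, not code from the paper, of the two ingredients the abstract combines: a per-process automaton inferred from training runs and a set of temporal properties mined and checked on the happens-before partial order given by vector clocks, rather than on any total order of the log. The process names, event names, clock values and the "auth bypass" anomaly are all constructed for the example, and the property classes ("x always precedes y", "x is never followed by y") are a deliberately small choice, not the paper's property language.

```python
"""Added illustration (not code from the paper): anomaly detection over a
distributed application's event log using only the partial order carried by
Fidge/Mattern vector clocks. The behaviour model combines (a) a per-process
transition automaton inferred from training runs and (b) mined temporal
properties ('x always precedes y', 'x is never followed by y') evaluated with
happens-before instead of a total order. All traces and event names below
are constructed for this example."""
from collections import defaultdict
from itertools import product

START, END = "<start>", "<end>"

def happens_before(vc_a, vc_b):
    """a -> b (Lamport) iff vc_a <= vc_b componentwise and vc_a != vc_b."""
    return all(x <= y for x, y in zip(vc_a, vc_b)) and vc_a != vc_b

def local_sequences(trace):
    """Events of each process in local order: a process's own clock component
    is totally ordered even though the global order is only partial."""
    per_proc = defaultdict(list)
    for proc, name, vc in trace:            # event = (process, name, vector clock)
        per_proc[proc].append((vc[proc], name))
    return {p: [START] + [n for _, n in sorted(evs)] + [END]
            for p, evs in per_proc.items()}

def always_precedes(trace, x, y):
    """x AP y: every occurrence of y has some occurrence of x with x -> y."""
    xs = [vc for _, n, vc in trace if n == x]
    return all(any(happens_before(vx, vy) for vx in xs)
               for _, n, vy in trace if n == y)

def never_followed_by(trace, x, y):
    """x NFby y: no occurrence of y is causally after an occurrence of x."""
    xs = [vc for _, n, vc in trace if n == x]
    ys = [vc for _, n, vc in trace if n == y]
    return not any(happens_before(vx, vy) for vx in xs for vy in ys)

def infer_model(runs):
    """1-tail automaton per process plus the AP/NFby properties that hold in
    every training run (NFby with x == y catches a replayed event)."""
    transitions = defaultdict(set)
    names = set()
    for trace in runs:
        names |= {name for _, name, _ in trace}
        for proc, seq in local_sequences(trace).items():
            transitions[proc] |= set(zip(seq, seq[1:]))
    ap = {(x, y) for x, y in product(sorted(names), repeat=2)
          if x != y and all(always_precedes(t, x, y) for t in runs)}
    nfby = {(x, y) for x, y in product(sorted(names), repeat=2)
            if all(never_followed_by(t, x, y) for t in runs)}
    return {"transitions": dict(transitions), "ap": ap, "nfby": nfby}

def detect(model, trace):
    """Violations of the model by a trace; an empty list means it conforms."""
    violations = []
    for proc, seq in local_sequences(trace).items():
        for prev, nxt in zip(seq, seq[1:]):
            if (prev, nxt) not in model["transitions"].get(proc, set()):
                violations.append(f"P{proc}: unseen transition {prev} -> {nxt}")
    for x, y in sorted(model["ap"]):
        if not always_precedes(trace, x, y):
            violations.append(f"property violated: {x} always precedes {y}")
    for x, y in sorted(model["nfby"]):
        if not never_followed_by(trace, x, y):
            violations.append(f"property violated: {x} never followed by {y}")
    return violations

def file_order_edges(trace):
    """What a total-order checker would learn: adjacency in recording order."""
    names = [n for _, n, _ in trace]
    return set(zip(names, names[1:]))

# Constructed training runs of a two-process exchange: process 0 is the
# client, process 1 the server, clocks are (c0, c1).
TRAINING_RUNS = [
    [(0, "send_req", (1, 0)), (1, "recv_req", (1, 1)), (1, "auth", (1, 2)),
     (1, "send_resp", (1, 3)), (0, "recv_resp", (2, 3))],
    [(0, "send_req", (1, 0)), (0, "log", (2, 0)), (1, "recv_req", (1, 1)),
     (1, "auth", (1, 2)), (1, "send_resp", (1, 3)), (0, "recv_resp", (3, 3))],
]
# The second run as a central collector might record it: same partial order,
# different total order, so it must not raise an alarm.
REORDERED_RUN = [TRAINING_RUNS[1][i] for i in (0, 2, 3, 4, 1, 5)]
# Constructed anomaly: the server answers without ever running 'auth'.
AUTH_BYPASS = [(0, "send_req", (1, 0)), (1, "recv_req", (1, 1)),
               (1, "send_resp", (1, 2)), (0, "recv_resp", (2, 2))]

MODEL = infer_model(TRAINING_RUNS)

if __name__ == "__main__":
    print("reordered run:", detect(MODEL, REORDERED_RUN) or "conforms")
    print("auth bypass:", detect(MODEL, AUTH_BYPASS))
```

The reordered run is the point of working on the partial order: in recording order it contains the adjacency `send_resp, log` that no training run shows, so a checker learning transitions from file order would flag a legitimate run, whereas the vector-clock checks see the same causal structure as the training run. The auth-bypass trace is caught twice, by the server's local automaton (an unseen `recv_req -> send_resp` transition) and by the cross-process property that `auth` always precedes `send_resp` and `recv_resp`; in a real deployment the second kind of check is what survives when per-process monitors are individually consistent but the global computation is not.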