Towards a Model- and Learning-Based Framework for Security Anomaly Detection

In critical domains such as health care, it is common to formalize workflows, traffic flows and access control as models. Security monitoring is then used, first, to determine whether the running system conforms to the specifications in these models and, second, to deal with threats, e.g. by detecting intrusions via monitoring rules. Two aspects make security monitoring hard. First, the information captured in the models must be integrated into the analysis, e.g. into rule creation and visualization, so that the large volume of monitored events is analyzed and presented in a meaningful way. Second, previously unseen intrusion types are essentially invisible to established monitoring techniques such as signature-based methods and supervised learning algorithms, since both can only recognize patterns they were built or trained on.
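To make the two-part idea concrete, the following Python script is an added illustration and not code from the paper or its framework: a model-based check that replays a session's event trail against a hypothetical health-care workflow automaton and a hypothetical role-to-event access-control model, followed by a simple unsupervised, learning-based anomaly score (per-feature z-scores over event counts from a constructed baseline of ordinary sessions). The workflow, the roles and all sessions are constructed here for the example. The point it shows is that a bulk record-viewing session can satisfy every rule in the model and still be flagged by the learning-based part, which needs no signature and no labeled attack data.

```python
import math

# Hypothetical health-care workflow as a finite automaton:
# state -> {event: next_state}. Constructed for this example, not from the paper.
WORKFLOW = {
    "start": {"login": "authenticated"},
    "authenticated": {"open_record": "viewing", "logout": "start"},
    "viewing": {"edit_record": "editing", "close_record": "authenticated",
                "export_record": "viewing"},
    "editing": {"save_record": "viewing"},
}
FINAL_STATES = {"start"}

# Hypothetical access-control model: role -> events it may trigger.
ROLE_PERMITS = {
    "physician": {"login", "logout", "open_record", "close_record",
                  "edit_record", "save_record"},
    "nurse": {"login", "logout", "open_record", "close_record"},
    "admin": {"login", "logout", "open_record", "close_record", "export_record"},
}
EVENTS = sorted({e for transitions in WORKFLOW.values() for e in transitions})


def check_trail(role, events):
    """Model-based check: replay one session's event trail against WORKFLOW and
    ROLE_PERMITS. Returns the list of violations (empty if the trail conforms)."""
    state, violations = "start", []
    for i, event in enumerate(events):
        if event not in ROLE_PERMITS.get(role, set()):
            violations.append(f"event {i}: role {role!r} may not trigger {event!r}")
        nxt = WORKFLOW.get(state, {}).get(event)
        if nxt is None:
            violations.append(f"event {i}: {event!r} not allowed in state {state!r}")
        else:
            state = nxt
    if state not in FINAL_STATES:
        violations.append(f"trail ends in non-final state {state!r}")
    return violations


def features(events):
    """Per-session feature vector: count of each known event type."""
    return [events.count(e) for e in EVENTS]


def fit_baseline(sessions, std_floor=1.0):
    """Learning-based part, unsupervised (no labels): per-feature mean and
    standard deviation over sessions assumed to be normal. std_floor keeps
    features that never vary in a small baseline from producing infinite z-scores."""
    vecs = [features(s) for s in sessions]
    n = len(vecs)
    means = [sum(v[j] for v in vecs) / n for j in range(len(EVENTS))]
    stds = [max(std_floor, math.sqrt(sum((v[j] - means[j]) ** 2 for v in vecs) / n))
            for j in range(len(EVENTS))]
    return means, stds


def anomaly_score(baseline, events):
    """Largest absolute z-score of the session's features against the baseline,
    returned together with the name of the feature that produced it."""
    means, stds = baseline
    zs = [(abs(x - m) / s, e) for x, m, s, e in zip(features(events), means, stds, EVENTS)]
    return max(zs)


# Constructed baseline of ordinary physician sessions (no labels needed).
BASELINE_SESSIONS = [
    ["login", "open_record", "edit_record", "save_record", "close_record", "logout"],
    ["login", "open_record", "close_record", "open_record", "edit_record",
     "save_record", "close_record", "logout"],
    ["login", "open_record", "close_record", "logout"],
    ["login", "open_record", "edit_record", "save_record", "close_record",
     "open_record", "edit_record", "save_record", "close_record",
     "open_record", "close_record", "logout"],
    ["login", "open_record", "close_record", "open_record", "close_record", "logout"],
]
BASELINE = fit_baseline(BASELINE_SESSIONS)

# A conformant but unusual session: 30 records opened one after another. No rule
# in the model forbids it, so only the learning-based part can flag it.
BULK_VIEW_SESSION = ["login"] + ["open_record", "close_record"] * 30 + ["logout"]

if __name__ == "__main__":
    print(check_trail("nurse", ["login", "open_record", "edit_record",
                                 "save_record", "close_record", "logout"]))
    print(check_trail("physician", BULK_VIEW_SESSION))
    print(anomaly_score(BASELINE, BULK_VIEW_SESSION))
```

The model-based check is exact but blind to anything the model permits; the z-score part is crude (a per-feature threshold of about 3 is a common starting point) but catches the bulk-view session with a score above 20 because its open_record count is far from the baseline mean. In practice the two are complementary: violations from the first feed the monitoring rules, and scores from the second surface the unseen intrusion types the abstract refers to.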
