
Towards a Model- and Learning-Based Framework for Security Anomaly Detection

  • Chapter
Formal Methods for Components and Objects (FMCO 2011)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 7542)


Abstract

In critical areas such as the health-care domain it is common to formalize workflow, traffic flow and access control in models. Security monitoring is then typically used, first, to determine whether the running system conforms to the specifications in these models and, second, to deal with threats, e.g. by detecting intrusions via monitoring rules. The challenge of security monitoring stems mainly from two aspects. First, the information contained in the models needs to be integrated into the analysis, e.g. into rule creation and visualization, so that the plethora of monitored events is analyzed and presented in a meaningful manner. Second, new intrusion types are essentially invisible to established monitoring techniques such as signature-based methods and supervised learning algorithms, since both require the attack to be known in advance.

In this paper we present a pluggable monitoring framework that addresses these two issues by linking event information to the model specifications in order to perform compliance detection and anomaly detection. As input the framework takes models that define the workflows, the event information and the underlying network infrastructure. Assuming that new intrusions manifest themselves as anomalous behaviour that cannot be foreseen, we make use of clustering, a popular unsupervised machine-learning technique that needs neither labelled training data nor signatures of known attacks.
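The combination the abstract describes, a model replayed against the event stream for compliance checking and an unsupervised clustering step for behaviour the model never foresaw, as an added example that is not the chapter's code: the workflow automaton, the role table, the session trails and the choice of features are all constructed here, and the clustering is the single-pass fixed-width scheme of Portnoy, Eskin and Stolfo rather than whatever algorithm the framework itself uses.

```python
# Added illustration, not the chapter's code: workflow + access-control model replayed
# against constructed session trails (compliance detection), then fixed-width clustering
# of per-session features (unsupervised anomaly detection).
from __future__ import annotations
import math
from dataclasses import dataclass
from typing import Optional

# Hypothetical workflow model: (state, action) -> next state; anything else violates it.
WORKFLOW = {("start", "login"): "authenticated", ("authenticated", "open_record"): "viewing",
            ("viewing", "edit_record"): "editing", ("editing", "save_record"): "viewing",
            ("viewing", "close_record"): "authenticated", ("authenticated", "logout"): "end"}
# Hypothetical access-control model: roles permitted to raise each action.
ALLOWED_ROLES = {"login": {"physician", "nurse"}, "logout": {"physician", "nurse"},
                 "open_record": {"physician", "nurse"}, "close_record": {"physician", "nurse"},
                 "edit_record": {"physician"}, "save_record": {"physician"}}

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    action: str
    record: Optional[str]  # patient record touched, if any
    size_kb: int           # payload size (constructed feature)

def check_compliance(trail: list[Event]) -> list[tuple[int, str]]:
    """Replay a trail against both models; return (event index, reason) per violation.
    A violating event does not advance the automaton, so later events are judged
    from the last compliant state."""
    violations, state = [], "start"
    for i, ev in enumerate(trail):
        if ev.role not in ALLOWED_ROLES.get(ev.action, set()):
            violations.append((i, f"role {ev.role!r} may not perform {ev.action}"))
        nxt = WORKFLOW.get((state, ev.action))
        if nxt is None:
            violations.append((i, f"{ev.action} not allowed in state {state!r}"))
            continue
        state = nxt
    if state != "end":
        violations.append((len(trail), f"trail ended in state {state!r}, not 'end'"))
    return violations

def features(trail: list[Event]) -> tuple[float, float, float]:
    """Per-session vector: event count, distinct records touched, total payload in kB."""
    return (float(len(trail)),
            float(len({e.record for e in trail if e.record is not None})),
            float(sum(e.size_kb for e in trail)))

def zscore(vectors):
    """Zero-mean / unit-std per dimension so the kB feature does not swamp the counts."""
    n, dims = len(vectors), len(vectors[0])
    means = [sum(v[d] for v in vectors) / n for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vectors) / n) or 1.0 for d in range(dims)]
    return [tuple((v[d] - means[d]) / stds[d] for d in range(dims)) for v in vectors]

def fixed_width_clusters(vectors, width: float) -> list[list[int]]:
    """One pass: a point joins the first cluster whose centre lies within `width`,
    otherwise it seeds a new cluster. Needs neither labels nor a fixed k."""
    centres, members = [], []
    for idx, v in enumerate(vectors):
        for centre, m in zip(centres, members):
            if math.dist(v, centre) <= width:
                m.append(idx)
                break
        else:
            centres.append(v)
            members.append([idx])
    return members

def detect_anomalies(sessions: dict[str, list[Event]], width=1.0, max_fraction=0.2) -> set[str]:
    """Sessions in clusters holding at most `max_fraction` of all sessions are anomalous:
    the assumption is that normal behaviour is frequent and novel intrusions are rare."""
    names = list(sessions)
    vecs = zscore([features(sessions[n]) for n in names])
    return {names[i] for c in fixed_width_clusters(vecs, width)
            if len(c) <= max_fraction * len(names) for i in c}

def physician_session(user, records):  # open/edit/save/close each record, then log out
    ev = [Event(user, "physician", "login", None, 0)]
    for r in records:
        ev += [Event(user, "physician", "open_record", r, 2), Event(user, "physician", "edit_record", r, 1),
               Event(user, "physician", "save_record", r, 3), Event(user, "physician", "close_record", r, 0)]
    return ev + [Event(user, "physician", "logout", None, 0)]

def nurse_session(user, records, close=True, size_kb=2):  # read-only access to each record
    ev = [Event(user, "nurse", "login", None, 0)]
    for r in records:
        ev.append(Event(user, "nurse", "open_record", r, size_kb))
        if close:
            ev.append(Event(user, "nurse", "close_record", r, 0))
    return ev + [Event(user, "nurse", "logout", None, 0)]

# Constructed event trails: eight ordinary sessions and one nurse account that pulls
# thirty records without closing any (a bulk-read pattern the models never foresaw).
SESSIONS = {
    "alice-1": physician_session("alice", ["r1"]), "alice-2": physician_session("alice", ["r2"]),
    "bob-1": physician_session("bob", ["r3", "r4"]), "bob-2": physician_session("bob", ["r5"]),
    "carol-1": physician_session("carol", ["r6", "r7"]),
    "dave-1": nurse_session("dave", ["r1"]), "dave-2": nurse_session("dave", ["r2"]),
    "erin-1": nurse_session("erin", ["r3", "r8"]),
    "mallory-1": nurse_session("mallory", [f"r{i}" for i in range(10, 40)], close=False, size_kb=200),
}
```

Running `check_compliance` over `SESSIONS` reports the bulk-read session as non-compliant (each further `open_record` from state `viewing`, the `logout` from that state, and the trail not reaching `end`), while `detect_anomalies(SESSIONS)` flags the same session without any rule describing it, purely because it sits alone in feature space. Two caveats a practitioner would want: the clustering step assumes normal sessions dominate, so an attacker who can pad the trail with look-alike sessions can grow the bulk-read cluster past `max_fraction`; and z-scoring a window that already contains the outlier compresses the normal sessions, so `width` should be calibrated on a clean baseline window rather than on the data under test.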

This work is supported by QE LaB - Living Models for Open Systems (FFG 822740), COSEMA (funded by the Tiroler Zukunftsstiftung) and the FWF project SECTISSIMO (P-20388).




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Gander, M., Katt, B., Felderer, M., Breu, R. (2013). Towards a Model- and Learning-Based Framework for Security Anomaly Detection. In: Beckert, B., Damiani, F., de Boer, F.S., Bonsangue, M.M. (eds) Formal Methods for Components and Objects. FMCO 2011. Lecture Notes in Computer Science, vol 7542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35887-6_8


  • DOI: https://doi.org/10.1007/978-3-642-35887-6_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35886-9

  • Online ISBN: 978-3-642-35887-6

  • eBook Packages: Computer Science, Computer Science (R0)
