Towards a Model- and Learning-Based Framework for Security Anomaly Detection

  • Matthias Gander
  • Basel Katt
  • Michael Felderer
  • Ruth Breu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7542)


For critical areas, such as the health-care domain, it is common to formalize workflows, traffic flows and access control via models. Typically, security monitoring is used first to determine whether the system corresponds to the specifications in these models and second to deal with threats, e.g. by detecting intrusions via monitoring rules. The challenge of security monitoring stems mainly from two aspects. First, information in the form of models needs to be integrated into the analysis part, e.g. rule creation and visualization, so that the plethora of monitored events is analyzed and represented in a meaningful manner. Second, new intrusion types are essentially invisible to established monitoring techniques such as signature-based methods and supervised learning algorithms.

In this paper, we present a pluggable monitoring framework that addresses the above two issues by linking event information and modelling specifications to perform compliance detection and anomaly detection. As input, the framework leverages models that define workflows, event information, as well as the underlying network infrastructure. Assuming that new intrusions manifest in anomalous behaviour which cannot be foreseen, we make use of a popular unsupervised machine-learning technique called clustering.
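The two analyses the abstract names, compliance detection against a workflow model and clustering-based anomaly detection on unlabelled events, as an added example rather than code from the paper or its framework. The workflow (a clinical record-access automaton), the audit events and their feature values are all constructed for illustration, and the clustering method is a simple fixed-width clustering pass assumed here; the page does not state which clustering algorithm the authors use.

```python
"""Added example (not the paper's code): compliance of per-user event traces
against a workflow model, plus unsupervised anomaly detection by clustering
event feature vectors. All data below is constructed for illustration."""
from math import sqrt
from typing import Dict, List, Sequence, Set, Tuple

# Workflow model as a finite automaton: state -> {event_type: next_state}.
# Constructed clinical workflow: a prescription must follow viewing the record.
WORKFLOW: Dict[str, Dict[str, str]] = {
    "start": {"login": "session"},
    "session": {"view_record": "viewing", "logout": "end"},
    "viewing": {"view_record": "viewing", "prescribe": "session", "logout": "end"},
}
FINAL_STATES: Set[str] = {"end"}


def check_compliance(trace: Sequence[str]) -> Tuple[bool, int]:
    """Run a trace through the automaton. Returns (accepted, position), where
    position is the index of the first disallowed event, or len(trace) if all
    events were allowed (acceptance then depends on ending in a final state)."""
    state = "start"
    for i, event_type in enumerate(trace):
        nxt = WORKFLOW.get(state, {}).get(event_type)
        if nxt is None:
            return False, i
        state = nxt
    return state in FINAL_STATES, len(trace)


# Constructed audit events: (event_id, user, event_type, kbytes, seconds).
EVENTS: List[Tuple[str, str, str, float, float]] = [
    ("e1", "alice", "login", 4, 2),
    ("e2", "alice", "view_record", 5, 2),
    ("e3", "alice", "prescribe", 6, 3),
    ("e4", "alice", "logout", 5, 1),
    ("e5", "bob", "login", 4, 3),
    ("e6", "bob", "prescribe", 6, 2),        # prescribes without viewing the record
    ("e7", "bob", "logout", 5, 2),
    ("e8", "carol", "login", 48, 31),
    ("e9", "carol", "view_record", 52, 29),
    ("e10", "carol", "view_record", 50, 30),
    ("e11", "carol", "view_record", 49, 30),
    ("e12", "carol", "view_record", 500, 5),  # bulk pull unlike any other event
    ("e13", "carol", "logout", 5, 2),
]


def compliance_report(events) -> Dict[str, Tuple[bool, int]]:
    """Group event types into one ordered trace per user and check each trace."""
    traces: Dict[str, List[str]] = {}
    for _, user, event_type, _, _ in events:
        traces.setdefault(user, []).append(event_type)
    return {user: check_compliance(t) for user, t in traces.items()}


def min_max_scale(rows: List[List[float]]) -> List[List[float]]:
    """Scale each feature to [0, 1] so no single feature dominates distances."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - lo[j]) / span[j] for j, v in enumerate(r)] for r in rows]


def fixed_width_clusters(points: List[List[float]], width: float) -> List[List[int]]:
    """Assign each point to the nearest cluster whose seed lies within `width`,
    else open a new cluster seeded at that point. Returns point indices per cluster."""
    seeds: List[List[float]] = []
    members: List[List[int]] = []
    for idx, p in enumerate(points):
        best, best_d = None, width
        for c, s in enumerate(seeds):
            d = sqrt(sum((a - b) ** 2 for a, b in zip(p, s)))
            if d <= best_d:
                best, best_d = c, d
        if best is None:
            seeds.append(p)
            members.append([idx])
        else:
            members[best].append(idx)
    return members


def anomalous_events(events, width: float = 0.2, min_size: int = 2) -> List[str]:
    """Ids of events in clusters smaller than `min_size`: without labels, the
    working assumption is that normal behaviour is dense and novel behaviour sparse."""
    features = min_max_scale([[kb, secs] for _, _, _, kb, secs in events])
    flagged: List[str] = []
    for cluster in fixed_width_clusters(features, width):
        if len(cluster) < min_size:
            flagged.extend(events[i][0] for i in cluster)
    return flagged


if __name__ == "__main__":
    for user, (ok, pos) in compliance_report(EVENTS).items():
        status = "compliant" if ok else "violation at event index %d" % pos
        print(user + ": " + status)
    print("anomalous events:", anomalous_events(EVENTS))
```

Run on the constructed data, the compliance check flags bob's trace at index 1 (a prescription issued before any record was viewed, which the model forbids), while the clustering pass places e12 alone in its own cluster and reports it as anomalous even though its trace is compliant. The two checks are complementary: the model catches violations of known specifications, the clustering catches behaviour no rule anticipated. The width and minimum cluster size are tuning parameters; on real event streams they need to be set from a baseline period, and the cluster-size heuristic fails if an attacker's behaviour is frequent enough to form a dense cluster.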


Keywords: Modelling, Profiling, Machine Learning, IT-Security, Runtime-Monitoring, Anomaly Detection, Clustering




Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Matthias Gander, Basel Katt, Michael Felderer, Ruth Breu
  1. Institute of Computer Science, University of Innsbruck, Austria