Inferring a Distributed Application Behavior Model for Anomaly Based Intrusion Detection

Eric Totel (1), Mouna Hkimi (1), Michel Hurfin (1), Mourad Leslous (1), Yvan Labiche (2)
(1) CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition; CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
Abstract: As distributed computations become more and more common in highly distributed environments like the cloud, intrusion detection systems have to follow these paradigms. Anomaly based intrusion detection systems in distributed systems usually rely on a total order of the observed events. However, such a hypothesis is often too strong, since in a highly distributed environment the order of the observed events is partially unknown. This paper demonstrates that it is possible to infer a distributed application behavior model for intrusion detection relying only on a partial ordering of events. The originality of the proposed approach is to tackle the problem by combining two types of models that are usually used separately: an automaton modeling the distributed computation, and a list of temporal properties that the computation must comply with. Finally, we apply the approach on two examples, and assess the method on a real distributed application.
Document type: Conference paper
12th European Dependable Computing Conference, Sep 2016, Gothenburg, Sweden. Proceedings of the 12th European Dependable Computing Conference 〈http://edcc2016.eu/〉

https://hal.inria.fr/hal-01334596
Contributor: Eric Totel
Submitted on: Tuesday, 21 June 2016 - 09:24:19
Last modified on: Wednesday, 11 April 2018 - 02:00:53

Identifiers

  • HAL Id: hal-01334596, version 1

Citation

Eric Totel, Mouna Hkimi, Michel Hurfin, Mourad Leslous, Yvan Labiche. Inferring a Distributed Application Behavior Model for Anomaly Based Intrusion Detection. 12th European Dependable Computing Conference, Sep 2016, Gothenburg, Sweden. Proceedings of the 12th European Dependable Computing Conference 〈http://edcc2016.eu/〉. 〈hal-01334596〉
