- Anomalies. An increase in service activity, service calls at unusual hours, or abnormal users, detectable through a gradually increasing number of document requests or suspiciously active hosts, but also through a change in the flow behaviour of service calls and network hosts (i.e. payload analysis of web-service parameters). The entities (services, users, hosts, workflows) that constitute the unusual behaviour are labelled as an anomaly.
The paper continues with a description of the framework in Section 2, including the DSL (2.1), the usage of CEP (2.2), the profiling of entities (2.3) and anomaly detection via fingerprints (2.4). Section 3 describes the architecture used, and Sections 5 and 4 discuss future work and related work respectively.
2 Framework Overview
In this section we discuss the framework in more detail. We begin with the DSL used to specify the IT infrastructure, consisting of workflows, services, hosts, users, and their relations. This in turn leads to a discussion of how CEP is included in the framework. Afterwards we continue with details on the profiling of entities for anomaly detection purposes, i.e. the different profiles, the features used for fingerprints, the clustering method and the distance measure, and round off the section with a description of the architecture.
Every monitoring system needs events to determine the actual state of the system. Our framework expects events from the infrastructure in the form of TCP and UDP packets sent by the machines in the network, and in the form of service calls. TCP and UDP packets are aggregated into flows that have multiple characteristics, such as source, destination, ports, time and duration, among others. Service events are used to derive the current state of the services, to show user behaviour (i.e. access requests), and to give general information on the state of workflows. The information that should be present in a service event is the duration of the call, the time, the user, and the id of the object that was requested.
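As an added illustration (not code from the paper), the following Python sketch aggregates packet records into the flows described above and derives two of the anomaly features listed in the introduction from service-call events: a gradually increasing number of document requests per user, and calls at hours that are unusual for that user. The sample packets and calls are constructed, and the thresholds (min_days, min_share) are assumptions, not values from the paper.

```python
from collections import defaultdict

HOUR, DAY = 3600, 86400
# Constructed sample input (not from the paper). Packets: (time_s, src, dst, sport, dport, proto);
# service calls: (time_s, user, object_id, duration_ms).
PACKETS = [(0.0, "10.0.0.5", "10.0.0.9", 40001, 443, "tcp"),
           (0.4, "10.0.0.5", "10.0.0.9", 40001, 443, "tcp"),
           (2.1, "10.0.0.5", "10.0.0.9", 40001, 443, "tcp"),
           (5.0, "10.0.0.7", "10.0.0.9", 53000, 53, "udp")]
CALLS = ([(d * DAY + 10 * HOUR + i * 60, "alice", "doc-%d" % i, 120) for d in range(4) for i in range(3)]
         + [(d * DAY + 10 * HOUR + i * 60, "bob", "doc-%d" % i, 90) for d in range(4) for i in range(2 + 2 * d)]
         + [(3 * DAY + 3 * HOUR, "alice", "doc-99", 150)])  # one 03:00 call for alice

def aggregate_flows(packets):
    """Group packets by 5-tuple into flows carrying start, end, duration and packet count."""
    flows = {}
    for t, src, dst, sport, dport, proto in packets:
        f = flows.setdefault((src, dst, sport, dport, proto), {"start": t, "end": t, "packets": 0})
        f["start"], f["end"], f["packets"] = min(f["start"], t), max(f["end"], t), f["packets"] + 1
    for f in flows.values():
        f["duration"] = f["end"] - f["start"]
    return flows

def daily_requests(calls):
    """Per-user list of object requests per day (oldest day first): the 'document requests' feature."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, user, _obj, _dur in calls:
        counts[user][t // DAY] += 1
    return {u: [days[d] for d in sorted(days)] for u, days in counts.items()}

def increasing_request_users(calls, min_days=3):
    """Users whose daily request count rises strictly day after day over at least min_days days."""
    return [u for u, s in daily_requests(calls).items()
            if len(s) >= min_days and all(b > a for a, b in zip(s, s[1:]))]

def unusual_hour_calls(calls, min_share=0.1):
    """Calls placed in an hour of day that carries less than min_share of that user's own calls."""
    hours = defaultdict(lambda: defaultdict(int))
    for t, user, _obj, _dur in calls:
        hours[user][t % DAY // HOUR] += 1
    return [(user, t % DAY // HOUR, obj) for t, user, obj, _dur in calls
            if hours[user][t % DAY // HOUR] / sum(hours[user].values()) < min_share]
```

With the constructed input, bob is flagged for a request count that rises every day, and alice's single 03:00 call is flagged as an unusual-hour call.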
2.1 A DSL for IT Landscapes
The use of metamodels or domain specific languages (DSL) is not uncommon [14, 15]; their main use is to provide the vocabulary for experts to let them express their knowledge to represent the system in a textual³ (or graphical) model. These models can later be accessed for look-ups, reasoning, and/or code generation.
Our DSL, therefore, allows the creation of a model that in turn allows harvesting information about entities (i.e. traceability of deployed entities to model information) and the generation of monitoring rules. The model in Figure 1 reuses concepts from Breu et al. [14, 15], for example the introduction of multiple conceptual layers. The event-driven process chain paradigm [16] that is used in the model facilitates the modeling process, since it allows services to be represented through
³ xText: http://www.eclipse.org/Xtext, accessed July 20, 2012.