2.2 Complex Event Processing
To monitor the proper execution of systems, rule-based approaches tend to be used,
i.e. in the form of CEP. For CEP, much research has been invested in query languages
that handle the stream of events in a query-based language similar to SQL 4,
ESPER 5, Oracle CEP 6, Coral8 7 and Aleri 8. In our case we need to listen for
events that are modelled beforehand, i.e. we need to listen for sequences that
represent a workflow. These sequences give all the information necessary to infer
who is responsible for certain actions. Part of our work focuses on the automatic
creation of CEP rules based on the model created by the expert. For CEP
rules the Esper Query Language (EQL) 9 in combination with the Esper CEP
engine was chosen, since it is open source (GNU General Public License v2.0), has
an active community and has shown potential in several benchmarks [17]. The
translation from workflow models to query rules is straightforward, since EQL
provides the same boolean logical connectives as our model and also provides the
possibility to model sequences. For instance, the formula $Ev_0 \xrightarrow{seq} Ev_1$ is
only satisfied if and only if $Ev_0$ is emitted before $Ev_1$. In summary, a workflow
model, as used for compliance detection, is nothing more than a series of CEP
rules that are verified by the CEP engine.
2.3 Profiling of Entities
To determine anomalies in the activity of a corporate network, in the accounting
information of banks, or more generally in usage behaviours, it is common to first
create a profile that describes the normal behaviour of key entities [18, 19]. The
profile types that we consider, service, user, host, and workflow, reflect the key
entities that are involved in online data processing. Gartner, Inc. [20] states,
for instance, that user profiling is needed to monitor user behaviour in order
to prevent data theft. Service profiles are needed to determine, among other things,
a gradual decrease in performance compared to the service's own history or a
behaviour that differs from that of other services. Communication patterns among hosts also need
to be considered, in the form of a host profile. Outliers in each of these types of entities
have an impact on the performance and security of workflows and on their activity
profile.
Assume, for instance, a compromised machine that gradually increases the
number of requests for classified object information in the name of an existing
user U over service S by using machines M 0..n. Normally, this is not easy to trace,
especially if U has permissions to query restricted information (no CEP alerts
will be generated). A time-based analysis, though, yields detectable changes
4 http://www.w3schools.com/sql/default.asp, Accessed: July 20, 2012.
5 http://esper.codehaus.org/, Accessed: July 20, 2012.
6 http://tinyurl.com/OracleCEP, Accessed: July 20, 2012.
7 http://tinyurl.com/Coral8CEP, Accessed: July 20, 2012.
8 http://tinyurl.com/AleriStreaming, Accessed: July 20, 2012.
9 http://esper.codehaus.org/, Accessed: July 20, 2012.
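The time-based analysis that Section 2.3 contrasts with CEP alerts, worked through on the scenario of user U, service S and machines M 0..n, as an added example that is not the paper's implementation. A per-(user, service) profile is learned from a training window: the mean and standard deviation of requests per time bucket, and the set of hosts the user normally comes from. Later buckets are flagged when the request count is more than `z_threshold` standard deviations above the baseline or when a host outside the profile appears. The access log, bucket counts and host names are constructed for the example.

```python
"""Per-entity profiling over a constructed access log (added example; not the
paper's code). Shows why a valid user's credentials do not hide a gradual ramp-up
once requests are compared against a learned time-based baseline."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, Tuple

Entry = Tuple[int, str, str, str]  # (time bucket, user, service, host)
Key = Tuple[str, str]              # (user, service) identifies the profiled entity


def constructed_log() -> List[Entry]:
    """Constructed sample data, not real traffic.

    Buckets 0-9: user U reaches service S 3-5 times per bucket from M0/M1.
    Buckets 10-15: machines M0..M5 gradually ramp up requests in U's name.
    U's permissions are valid, so no access rule would fire on any single request.
    """
    log: List[Entry] = []
    normal_counts = [3, 4, 3, 5, 4, 3, 4, 5, 3, 4]
    for bucket, n in enumerate(normal_counts):
        for i in range(n):
            log.append((bucket, "U", "S", "M0" if i % 2 == 0 else "M1"))
    ramp = [5, 7, 9, 12, 16, 21]  # slowly growing request counts
    for k, n in enumerate(ramp):
        for i in range(n):
            log.append((10 + k, "U", "S", f"M{i % (k + 1)}"))  # more hosts join over time
    return log


@dataclass(frozen=True)
class Profile:
    mean_count: float          # mean requests per bucket in training
    std_count: float           # population std deviation of that series
    hosts: FrozenSet[str]      # hosts seen for this entity in training


def build_profiles(log: List[Entry], training_end: int) -> Dict[Key, Profile]:
    """Learn one profile per (user, service) from buckets < training_end."""
    counts: Dict[Key, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    hosts: Dict[Key, set] = defaultdict(set)
    for bucket, user, service, host in log:
        if bucket < training_end:
            counts[(user, service)][bucket] += 1
            hosts[(user, service)].add(host)
    profiles: Dict[Key, Profile] = {}
    for key, per_bucket in counts.items():
        series = [per_bucket.get(b, 0) for b in range(training_end)]  # zeros for idle buckets
        profiles[key] = Profile(mean(series), pstdev(series), frozenset(hosts[key]))
    return profiles


def detect_anomalies(log: List[Entry], profiles: Dict[Key, Profile],
                     training_end: int, z_threshold: float = 3.0) -> List[Tuple[int, Key, int, str]]:
    """Return (bucket, entity, request count, reason) for buckets that deviate from the profile."""
    counts: Dict[Key, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    hosts: Dict[Key, Dict[int, set]] = defaultdict(lambda: defaultdict(set))
    for bucket, user, service, host in log:
        if bucket >= training_end:
            counts[(user, service)][bucket] += 1
            hosts[(user, service)][bucket].add(host)
    findings = []
    for key, per_bucket in counts.items():
        profile = profiles.get(key)
        for bucket in sorted(per_bucket):
            n = per_bucket[bucket]
            if profile is None:
                findings.append((bucket, key, n, "no profile for entity"))
                continue
            if profile.std_count > 0:
                z = (n - profile.mean_count) / profile.std_count
            else:  # constant baseline: any change is a deviation
                z = 0.0 if n == profile.mean_count else float("inf")
            reasons = []
            if z > z_threshold:
                reasons.append(f"request rate z={z:.1f}")
            new_hosts = sorted(hosts[key][bucket] - profile.hosts)
            if new_hosts:
                reasons.append("new hosts " + ",".join(new_hosts))
            if reasons:
                findings.append((bucket, key, n, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    access_log = constructed_log()
    learned = build_profiles(access_log, training_end=10)
    for bucket, key, n, reason in detect_anomalies(access_log, learned, training_end=10):
        print(f"bucket {bucket:2d} {key}: {n:2d} requests -> {reason}")
```

The first ramp bucket stays within the baseline's spread and is not reported, which is the expected behaviour of a profile: it detects the trend, not the first slightly elevated bucket. From the next bucket on the request rate alone is enough, and two buckets later the host profile adds the second signal the section describes, a machine that never served U before. In practice the bucket width, the threshold and the training window are tuned per entity type, and a profile is rebuilt periodically so that legitimate changes in behaviour do not stay flagged forever.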