in the behaviour of $U$, $S$, and $M_{0..n}$. These are: more queries in $U$'s name, more queries spread across the machines $M_{0..n}$, more queries at unusual hours for $S$ by $U$, and, in the end, a detectable change of the workflow behaviour itself. The profiles are further refined into an immediate, an hourly, and a monthly track.
i. To perform an on-line analysis of individual service events, CEP is used. CEP alerts have an immediate impact on the immediate track, as does statistical information gathered from the event itself, i.e. z-scores of its parameters, duration, and payload.
ii. An hourly track aggregates further information about hourly deviations, for instance the average number of calls for a service, the number of its users, the average call duration, extreme values such as the maximum and minimum duration, the number of alerts produced by the immediate track during selected hours, and more.
iii. Assessing more subtle patterns of deviance requires a longer time period. As an example, consider the following scenario of a persistent attack. A competing company or government has managed to break into the system and hides its espionage activities, e.g., the leaking of sensitive documents, in the form of an insider attack. For this, the real attackers have stolen the credentials of some user $U$ and gradually query more and more documents, for instance issuing 2-3% more queries per day (hour) than was normal. The immediate and hourly tracks are not built to detect such subtle aberrations and hence fail to detect them. A comparison of absolute access numbers on, for instance, a monthly basis shows the huge increase in query activity.
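The three tracks and the persistent-attack scenario above, as an added worked example (this is illustrative code written for this page, not the framework's own implementation). It assumes a learned per-parameter profile for the immediate track, models the hourly track as a check of each period's count against the mean of a trailing seven-period window, and compares absolute totals on the monthly track. Both the user U's daily query counts (normal for 30 days, then 2.5% more per day than the day before) and the service events are constructed inline.

```python
"""Three-track profiling of one entity (user U).

Immediate track: per-event z-scores against the entity's learned profile.
Hourly track:    per-period aggregates, checked against a trailing window.
Monthly track:   absolute comparison of activity between consecutive months.
All profiles, events and counts below are constructed for the example.
"""
from statistics import mean

# --- immediate track -------------------------------------------------------
# Learned profile (mean, standard deviation) per event parameter; constructed.
PROFILE = {"duration_ms": (200.0, 30.0), "payload_bytes": (4096.0, 900.0)}

def immediate_alerts(event, threshold=3.0):
    """Return {parameter: z} for every parameter whose |z-score| exceeds threshold."""
    flagged = {}
    for name, (mu, sigma) in PROFILE.items():
        z = (event[name] - mu) / sigma
        if abs(z) > threshold:
            flagged[name] = round(z, 2)
    return flagged

# --- hourly track ----------------------------------------------------------
# One hour of constructed service events on service S; the last call is slow.
EVENTS = [
    {"user": "U", "service": "S", "duration_ms": 190, "payload_bytes": 4000},
    {"user": "U", "service": "S", "duration_ms": 215, "payload_bytes": 4500},
    {"user": "V", "service": "S", "duration_ms": 205, "payload_bytes": 3900},
    {"user": "U", "service": "S", "duration_ms": 410, "payload_bytes": 4000},
]

def hourly_summary(events):
    """Aggregate one hour of events into the figures the hourly track keeps."""
    durations = [e["duration_ms"] for e in events]
    return {
        "calls": len(events),
        "users": len({e["user"] for e in events}),
        "avg_duration_ms": mean(durations),
        "max_duration_ms": max(durations),
        "min_duration_ms": min(durations),
        "immediate_alerts": sum(1 for e in events if immediate_alerts(e)),
    }

# Constructed daily query counts of user U over two months: month 1 is normal
# (about 100 queries/day with a weekly pattern); from day 30 on, the stolen
# account issues 2.5% more queries each day than the day before.
WEEKLY_PATTERN = [3, -2, 1, -4, 2, 0, -1]   # constructed; sums to zero per week

def daily_queries(day):
    base = 100.0 if day < 30 else 100.0 * 1.025 ** (day - 29)
    return int(base + 0.5) + WEEKLY_PATTERN[day % 7]

SERIES = [daily_queries(d) for d in range(60)]

def relative_deviations(series, window=7):
    """Per day: how far today's count lies above the mean of the trailing window."""
    return [(d, series[d] / mean(series[d - window:d]) - 1.0)
            for d in range(window, len(series))]

def hourly_track_alerts(series, window=7, max_rel=0.20):
    """Days whose count exceeds the trailing-window mean by more than max_rel."""
    return [(d, round(rel, 3))
            for d, rel in relative_deviations(series, window) if rel > max_rel]

def max_relative_deviation(series, window=7):
    return max(rel for _, rel in relative_deviations(series, window))

# --- monthly track ---------------------------------------------------------
def monthly_ratio(series, days=30):
    """Total queries in month 2 divided by total queries in month 1."""
    return sum(series[days:2 * days]) / sum(series[:days])

if __name__ == "__main__":
    print("immediate:", immediate_alerts(EVENTS[-1]))
    print("hour:", hourly_summary(EVENTS))
    print("hourly-track alerts:", hourly_track_alerts(SERIES))
    print("max daily deviation: %.1f%%" % (100 * max_relative_deviation(SERIES)))
    print("month-over-month ratio: %.2f" % monthly_ratio(SERIES))
```

The slow 410 ms call is seven standard deviations from the profile and is caught on the immediate track at once. The gradual ramp never is: because the trailing window ramps along with the account, no single day sits more than about 13% above its recent mean, so the hourly track stays silent, while the monthly track sees roughly 1.5 times the previous month's absolute query volume.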
Information from the hourly ($h$) and monthly ($m$) track of an entity is represented by fingerprints ($F_h$, $F_m$), which hence constitute a measure of the overall behaviour of the selected entity ($e$). Fingerprints are basically feature vectors $v_i = (v_{i0}, \ldots, v_{i,n-1})$ containing continuous data. A fingerprint contains, for instance, the number of CEP alerts in an hour, the number of alerts raised from immediate profiles, or z-score outliers. Our framework uses these fingerprints to compare an entity's behaviour to that of other entities, but also to measure potential deviations of its own behaviour over time.
2.4 Clustering Fingerprints for Anomaly Detection
To determine abnormal entities in relation to other entities of the same type, it is necessary to compare the individual features of a profile and attain a sense of distance. Since an individual characteristic of a profile might not change sufficiently to mark an entity as an anomaly, we take all of the collected individual features into consideration. To do so, clustering can be used [21]. Clustering makes use of the inherent structure of data and groups data instances (clusters) by common attributes and a similarity measure. After the outliers have been found, the model can then be used to further link entities and detect correlations among outlying users and, for instance, services. Figure 2 summarizes how the layers are related.
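As an added illustration of the fingerprint vectors from the previous paragraph and of clustering them for anomaly detection (this is example code written for this page; it does not reproduce the method of [21] or the framework's own implementation), the following standardises constructed hourly fingerprints $F_h$ of six users of the same service and applies a density-based clustering step: entities with fewer than `min_pts` neighbours within distance `eps` in the standardised feature space are reported as outliers rather than being forced into a cluster. The feature set, the users and the thresholds are all assumptions of the example.

```python
"""Clustering hourly fingerprints of same-type entities to find outliers."""
from math import sqrt
from statistics import mean, pstdev

# Constructed hourly fingerprints F_h for six users of one service.
# Feature order: CEP alerts, immediate-profile alerts, z-score outliers,
# number of calls, average call duration (ms).
FINGERPRINTS = {
    "u1": (1, 0, 0, 120, 210),
    "u2": (0, 1, 0, 110, 195),
    "u3": (2, 1, 1, 130, 220),
    "u4": (1, 0, 1, 115, 205),
    "u5": (0, 0, 0, 125, 200),
    "u6": (9, 6, 7, 400, 640),   # constructed outlier: the misused account
}

def standardise(fps):
    """Scale every feature to zero mean / unit variance across the entities,
    so that call counts do not dominate alert counts in the distance."""
    names = list(fps)
    cols = list(zip(*(fps[n] for n in names)))
    scaled = []
    for col in cols:
        mu, sd = mean(col), pstdev(col) or 1.0   # constant feature: leave as is
        scaled.append([(x - mu) / sd for x in col])
    return {n: tuple(scaled[j][i] for j in range(len(cols)))
            for i, n in enumerate(names)}

def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cluster_entities(fps, eps=1.5, min_pts=2):
    """Density-based clustering (DBSCAN-style). Returns (clusters, noise):
    clusters is a list of sorted member lists, noise the entities that are
    neither dense themselves nor reachable from a dense entity."""
    pts = standardise(fps)
    names = list(pts)
    neigh = {n: [m for m in names if m != n and euclid(pts[n], pts[m]) <= eps]
             for n in names}
    core = {n for n in names if len(neigh[n]) >= min_pts}
    label, clusters = {}, []
    for start in names:
        if start in label or start not in core:
            continue
        cid, members, stack = len(clusters), [], [start]
        while stack:                       # grow the cluster from core points
            p = stack.pop()
            if p in label:
                continue
            label[p] = cid
            members.append(p)
            if p in core:
                stack.extend(neigh[p])     # border points join but do not expand
        clusters.append(sorted(members))
    noise = sorted(n for n in names if n not in label)
    return clusters, noise

if __name__ == "__main__":
    groups, outliers = cluster_entities(FINGERPRINTS)
    print("clusters:", groups)
    print("outliers:", outliers)
```

With these inputs the five ordinary users form one cluster and u6 is left as noise. Note that standardising with the population mean and standard deviation lets a strong outlier compress the remaining entities; with larger populations a robust scaling (median and MAD) keeps `eps` meaningful. The same routine can be run per entity type, and the resulting labels are what a later step would use to link outlying users to the services they touched.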