emitter sources. The service sensor receives JSON-encoded service call data (footnote 10),
whereas the network monitor is built as a NetFlow collector. Analysis of workflow
compliance (via CEP) and outlier detection (via clustering) is done in the
analysis component. Statistical measures, i.e., z-scores, are computed with
the Apache Commons Mathematics Library (footnote 11). The CEP engine of choice
is ESPER (footnote 12). Based on the outcome of the analysis and the severity of the alerts,
the policy engine populates the dashboard and determines reactive measures for
the cloud provider, according to policies provided by the tenant. The dashboard displays
integral information about a tenant's infrastructure, i.e., the infrastructure in
tabular form, important alerts, and anomalous entities.
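The following is an added example, not code from the framework described in this paper. It shows the two steps the analysis component performs on network data: aggregating raw flow records into a per-host fingerprint (the flow-sampling profiles referred to in Section 4) and computing per-feature z-scores to flag outlying entities. The flow records, the feature set, the IP addresses and the threshold of 3.0 are all constructed for this example; the paper's implementation uses the Apache Commons Mathematics Library rather than Python's statistics module.

```python
"""Added example: per-host flow fingerprints and z-score outlier detection.

Illustrative only; not the monitoring framework's own code. The feature
names, the sample flows and the threshold are assumptions of this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src_ip, dst_ip, proto, dst_port, bytes).
# Twelve "normal" hosts talk HTTPS to 10.0.0.50 and DNS to 10.0.0.51;
# 10.0.0.99 sweeps four service ports on ten hosts (the planted outlier).
FLOWS = []
for i in range(1, 13):
    src = f"10.0.0.{i}"
    for _ in range(i % 3 + 1):
        FLOWS.append((src, "10.0.0.50", "TCP", 443, 1000 + 100 * i))
    FLOWS.append((src, "10.0.0.51", "UDP", 53, 80))
for d in range(20, 30):
    for port in (22, 80, 445, 3389):
        FLOWS.append(("10.0.0.99", f"10.0.0.{d}", "TCP", port, 60))

FEATURES = ("tcp_flows", "udp_flows", "distinct_dst_hosts",
            "distinct_dst_ports", "bytes_out")


def fingerprint(flows):
    """Aggregate raw flows into one feature vector per source host."""
    acc = defaultdict(lambda: {"tcp": 0, "udp": 0, "hosts": set(),
                               "ports": set(), "bytes": 0})
    for src, dst, proto, dport, nbytes in flows:
        a = acc[src]
        a["tcp" if proto == "TCP" else "udp"] += 1
        a["hosts"].add(dst)
        a["ports"].add(dport)
        a["bytes"] += nbytes
    return {
        src: {"tcp_flows": a["tcp"], "udp_flows": a["udp"],
              "distinct_dst_hosts": len(a["hosts"]),
              "distinct_dst_ports": len(a["ports"]),
              "bytes_out": a["bytes"]}
        for src, a in acc.items()
    }


def zscores(fps):
    """z = (x - mean) / population stddev per feature; 0 if the feature is constant."""
    z = {host: {} for host in fps}
    for f in FEATURES:
        col = [fps[h][f] for h in fps]
        mu, sigma = mean(col), pstdev(col)
        for h in fps:
            z[h][f] = 0.0 if sigma == 0 else (fps[h][f] - mu) / sigma
    return z


def max_possible_z(n):
    """Largest |z| any single entity can reach among n entities: sqrt(n - 1).

    With a population stddev the z-scores satisfy sum(z) = 0 and sum(z^2) = n,
    so one entity deviating from an otherwise identical population scores
    exactly sqrt(n - 1). A threshold above that can never fire.
    """
    return (n - 1) ** 0.5


def outliers(fps, threshold=3.0):
    """Hosts with at least one feature beyond the threshold, with the offending features."""
    if threshold >= max_possible_z(len(fps)):
        raise ValueError(f"threshold {threshold} is unreachable with {len(fps)} entities")
    flagged = {}
    for host, feats in zscores(fps).items():
        hits = [(f, round(z, 2)) for f, z in feats.items() if abs(z) > threshold]
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    for host, hits in outliers(fingerprint(FLOWS)).items():
        print(host, hits)
```

Running it flags only 10.0.0.99, on flow count, destination fan-out and port diversity rather than on byte volume, which for the scanner is unremarkable. The guard in `outliers` matters in practice: a tenant with only five monitored hosts can never produce a z-score above 2, so a fixed "z > 3" rule silently detects nothing.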
4 Related Work
In this section we discuss related work in the areas of cloud security monitoring,
anomaly detection, and CEP. In the area of cloud security monitoring several
related papers have been published; among those, [25] seems the most closely related.
Vieira et al. [25] focus on distributed architectures in grid and cloud computing
and perform behavioural analysis via neural networks. Whereas [25] leverage neural
networks for behavioural analysis, we use clustering. Moreover, the anomalies we
find are disjoint from theirs. There has been plenty of research on anomaly
detection via clustering; a survey on this topic is provided by [8]. Clustering is
quite versatile, as the approaches in [9, 24, 10, 12] point out. Portnoy et al. [9]
detect attacks, e.g., denial of service, in the KDD 1999 data set (footnote 13) by
clustering network activity. Gu et al. [12] use clustering for the detection of botnets
in a framework called "BotMiner". The authors of [10] improve clustering for
NIDS by using a density-based clustering algorithm and a grid-based metric, and
evaluate their efforts on the KDD 1999 data set. To measure hosts we create
profiles of their network behaviour by sampling their TCP/UDP flows, based
on [26, 12]. To our knowledge, the clustering algorithm itself was first presented
in [9]. Instead of clustering individual multi-dimensional features from the KDD
training set, we cluster fingerprints of various entities. The main difference from
the work of Gu et al. [12] is that they only profile hosts for the
specific detection of botnets, whereas we only try to find outliers and assemble
these outliers into a holistic profile of the infrastructure. The approach presented in [26]
is more similar to ours, since it also profiles machines in the network. We, however,
are not restricted to machines, but also profile services, users, and workflows.
The multi-tier DSL proposed in this paper allows the definition of node hierarchies,
roles, and actors, and distinguishes three layers. These design decisions are
at their core similar to [14, 15]. Breu, Innerhofer et al. provide a model-based
approach with concepts for security management. There is related work for DSLs
10 http://www.json.org/, Accessed: July 30, 2012.
11 http://commons.apache.org/math/, Accessed: July 30, 2012.
12 http://esper.codehaus.org/, Accessed: July 20, 2012.
13 http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, Accessed: July 20, 2012.