to create service infrastructures Berre et al. [27] present the Service Oriented
Architecture Modeling Language (SoaML) and Popescu et al. provide the Service
Markup Language SML. SoaML was not desirable for our scenario, since our
interest was more cloud-oriented than SOA-centric. Our DSL allows the definition
of event sequences, which in turn allow the detection of deviations from rules
generated by the workflow model. The paradigm of modeling services as events is
similar to event-driven process chains (EPC), discussed in depth in [28]. Workflow
compliance in SOA via CEP has been discussed by Mulo et al. [16]. A service
invocation is regarded as an event and business process activities as event trails.
These event trails guide the creation of queries which a CEP engine uses to
identify and monitor business activities. Anomaly detection itself has been done
frequently in many domains, though to the best of our knowledge there is no
cloud monitoring approach that allows CEP and anomaly detection to (a) monitor
the execution of workflows for semantic gaps and (b) detect infrastructure
anomalies relative to said workflows. Due to the formal representation of the
“behaviour” of entities we are able to pinpoint suspicious services, users, hosts,
and workflows.
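The event-trail idea in the paragraph above (service invocations as events, rules generated from the workflow model, CEP-style matching to flag deviations and to attribute them to users and hosts) can be sketched in code. The following is an added illustration, not the paper's DSL or CEP engine: the workflow steps, the event fields and the sample event stream are constructed assumptions, and the matcher is a deliberately simple sequential one rather than a full CEP query language.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    """One service invocation, treated as an event that carries the
    entities to be profiled (workflow instance, service, user, host)."""
    workflow_id: str   # correlation key of the workflow instance
    service: str       # service that was invoked
    user: str          # principal who invoked it
    host: str          # host the invocation came from


@dataclass(frozen=True)
class Deviation:
    workflow_id: str
    kind: str                   # "out_of_order" | "unknown_service" | "incomplete"
    service: str                # offending service, or the missing step for "incomplete"
    user: Optional[str] = None  # None for "incomplete": no single event caused it
    host: Optional[str] = None


# Constructed workflow model (assumption, not from the paper): the ordered
# service trail a radiology workflow instance is expected to follow.
RADIOLOGY_TRAIL = ["auth", "image_retrieval", "diagnosis", "report"]


class TrailMonitor:
    """Stateful matcher: per workflow instance, remember which step of the
    expected trail comes next and flag every event that does not fit."""

    def __init__(self, trail: List[str]):
        self.trail = trail
        self.allowed = set(trail)
        self.progress: Dict[str, int] = {}   # workflow_id -> index of next expected step

    def process(self, ev: Event) -> Optional[Deviation]:
        idx = self.progress.setdefault(ev.workflow_id, 0)
        if ev.service not in self.allowed:
            # A service the workflow model never mentions: a semantic gap.
            return Deviation(ev.workflow_id, "unknown_service", ev.service, ev.user, ev.host)
        if idx < len(self.trail) and ev.service == self.trail[idx]:
            self.progress[ev.workflow_id] = idx + 1   # expected step: advance
            return None
        # Known service, but not the step the trail calls for right now
        # (skipped, repeated, or invoked after the workflow already finished).
        return Deviation(ev.workflow_id, "out_of_order", ev.service, ev.user, ev.host)

    def finish(self) -> List[Deviation]:
        """At end of stream, report instances that never reached the last step."""
        return [
            Deviation(wf_id, "incomplete", self.trail[idx])
            for wf_id, idx in self.progress.items()
            if idx < len(self.trail)
        ]


def check_stream(trail: List[str], events: List[Event]) -> List[Deviation]:
    """Run a whole event stream through the monitor; deviations come out in
    stream order, followed by the instances left incomplete."""
    mon = TrailMonitor(trail)
    found = []
    for ev in events:
        dev = mon.process(ev)
        if dev is not None:
            found.append(dev)
    return found + mon.finish()


def entity_profile(devs: List[Deviation]) -> Dict[str, Counter]:
    """Aggregate deviations per user and per host, so the entities behind
    the most anomalies can be singled out for inspection."""
    users = Counter(d.user for d in devs if d.user is not None)
    hosts = Counter(d.host for d in devs if d.host is not None)
    return {"users": users, "hosts": hosts}


# Constructed sample stream: three interleaved workflow instances.
SAMPLE_EVENTS = [
    Event("case-1", "auth", "alice", "ws-01"),
    Event("case-2", "auth", "bob", "ws-02"),
    Event("case-1", "image_retrieval", "alice", "ws-01"),
    Event("case-3", "auth", "mallory", "ws-07"),
    Event("case-2", "diagnosis", "bob", "ws-02"),      # image_retrieval was skipped
    Event("case-3", "db_dump", "mallory", "ws-07"),    # service unknown to the model
    Event("case-1", "diagnosis", "alice", "ws-01"),
    Event("case-2", "image_retrieval", "bob", "ws-02"),
    Event("case-1", "report", "alice", "ws-01"),
    Event("case-2", "diagnosis", "bob", "ws-02"),
    Event("case-2", "report", "bob", "ws-02"),
]                                                      # case-3 never completes


if __name__ == "__main__":
    found = check_stream(RADIOLOGY_TRAIL, SAMPLE_EVENTS)
    for d in found:
        print(d)
    print(entity_profile(found))
```

Run on the sample stream, the monitor reports one out-of-order step for case-2, one unknown service for case-3, and case-3 as incomplete; the per-entity counters then point at the users and hosts behind those deviations. A real deployment would replace the single linear trail with the rule set generated from the workflow model and would feed the counters into the behavioural profiles the paper describes.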
5 Conclusion and Future Work
We have sketched a context-based anomaly detection framework to facilitate
real-time monitoring of cloud-sourced workflows and infrastructures. Our
research differs from existing monitoring work as we aim to mitigate cloud threat
scenarios with anomaly detection for web services and infrastructure, combined
with CEP. The framework aims to keep multiple profiles of entities on various
layers and to link detected anomalies and semantic gaps to workflows. Future
work will consist of:
- An implementation and an evaluation based on a real-world scenario. The
planned evaluation will consist of a real-life healthcare scenario where
services, data, and hosts are outsourced to an IaaS cloud. The architecture
consists of all services necessary to allow a regulated flow of action in a
hospital, e.g., image retrieval services, diagnosis services, and an
XACML/Kerberos-like access control infrastructure. Based on the runtime
behaviour of the system we train our machine-learning component and measure
deviations of user and network activity. To measure the effectiveness of our
approach the healthcare architecture will be subject to various use
cases/attacks, i.e., a failed XACML architecture, leak attacks from insiders,
fuzzy security testing of web services from other tenants, or TCP/UDP malware
propagation across the cloud. The evaluation will show whether the anomaly
detection can provide information about these attacks.
- Carefully evaluating other clustering methods, e.g., Entropy Maximization,
to reduce false positives and attain a better clustering result.
- A CEP rule repository that further reduces false positives through domain
knowledge and detects additional signature-based events to augment the
profiles of entities in general. Along the way goes the inclusion of other