Application of the Complex Event Processing system for anomaly detection and network monitoring

• Autorzy: Frankowski G. , Jerzak M. , Miłostan M. , Nowak T. , Pawłowski M.

Identyfikatory

DOI

10.7494/csci.2015.16.4.351

• Języki publikacji: EN

Abstrakty

EN

Protection of infrastructures for e-science, including grid environments and NREN facilities, requires the use of novel techniques for anomaly detection and network monitoring. The aim is to raise situational awareness and provide early warning capabilities. The main operational problem that most network operators face is integrating and processing data from multiple sensors and systems placed at critical points of the infrastructure. From a scientific point of view, there is a need for the efficient analysis of large data volumes and automatic reasoning while minimizing detection errors. In this article, we describe two approaches to Complex Event Processing used for network monitoring and anomaly detection and introduce the ongoing SECOR project (Sensor Data Correlation Engine for Attack Detection and Support of Decision Process), supported by examples and test results. The aim is to develop methodology that allows for the construction of next-generation IDS systems with artificial intelligence, capable of performing signature-less intrusion detection.

Słowa kluczowe

EN

network monitoring; intrusion detection; anomaly detection; complex event processing

• Wydawca: Wydawnictwa AGH
• Czasopismo: Computer Science
• Rocznik: 2015
• Tom: Vol. 16 (4)
• Strony: 351--371
• Opis fizyczny: Bibliogr. 23 poz., rys., wykr., tab.

Twórcy

autor

Frankowski G.

• Poznań Supercomputing and Networking Center, Institute of Bioorganic Chemistry, Noskowskiego 10, 61-704 Poznań, Poland

autor

Jerzak M.

• Poznań Supercomputing and Networking Center, Institute of Bioorganic Chemistry, Noskowskiego 10, 61-704 Poznań, Poland

autor

Miłostan M.

• Poznań Supercomputing and Networking Center, Institute of Bioorganic Chemistry, Noskowskiego 10, 61-704 Poznań, Poland
• Institute of Computing Science, Poznań University of Technology, Piotrowo 2, 60-965 Poznań, Poland

autor

Nowak T.

• Poznań Supercomputing and Networking Center, Institute of Bioorganic Chemistry, Noskowskiego 10, 61-704 Poznań, Poland

autor

Pawłowski M.

• Poznań Supercomputing and Networking Center, Institute of Bioorganic Chemistry, Noskowskiego 10, 61-704 Poznań, Poland

Bibliografia

• [1] Balis B., Kowalewski B., Bubak M.: Leveraging Complex Event Processing for Grid Monitoring. In: Parallel Processing and Applied Mathematics , R. Wyrzykowski, J. Dongarra, K. Karczewski, J. Wasniewski, eds, Lecture Notes in Computer Science , vol. 6068, pp. 224–233. Springer, Berlin-Heidelberg, 2010. http://dx.doi.org/10.1007/978-3-642-14403-5_24 .
• [2] Balis B., Kowalewski B., Bubak M.: Real-time Grid monitoring based on complex event processing. Future Generation Computer Systems , vol. 27(8), pp. 1103–1112, 2011. http://www.sciencedirect.com/science/article/pii/ S0167739X11000562 .
• [3] Bereziński P., Pawelec J., Małowidzki M., Piotrowski R.: Entropy-Based In- ternet Traffic Anomaly Detection: A Case Study. In: Proceedings of the Ninth International Conference on Dependability and Complex Systems DepCoS- RELCOMEX. June 30 – July 4, 2014, Brunów, Poland , Advances in Intelligent Systems and Computing , W. Zamojski, J. Mazurkiewicz, J. Sugier, T. Walkowiak, J. Kacprzyk, eds, vol. 286, pp. 47–58. Springer International Publishing, 2014. http://dx.doi.org/10.1007/978-3-319-07013-1_5 . 21 grudnia 2015 str. 19/21 Application of the Complex Event Processing system for anomaly detection (...) 369
• [4] Bilge L., Dumitras T.: Before We Knew It: An Empirical Study of Zero-Day At- tacks In The Real World. Proceedings of the 2012 ACM conference on Computer and communications security , pp. 833–844, 2012. http://users.ece.cmu.edu/ ~tdumitra/public_documents/bilge12_zero_day.pdf .
• [5] EGEE – Enabling Grids for E-sciencE, 2010. http://eu-egee.org .
• [6] Frankowski G., Jerzak M.: Advanced Architecture of the Integrated IT Platform with High Security Level. In: Multimedia Communications, Services and Security , Communications in Computer and Information Science , A. Dziech, A. Czyżewski, eds, vol. 287, pp. 107–117. Springer, Berlin-Heidelberg, 2012. http://dx.doi.org/10.1007/978-3-642-30721-8_11 .
• [7] G ́ EANT: the pan-European research and education network, 2014. http://www.geant.net .
• [8] Holzschuher F., Peinl R.: Performance of Graph Query Languages: Comparison of Cypher, Gremlin and Native Access in Neo4J. In: Proceedings of the Joint EDBT/ICDT 2013 Workshops , EDBT ’13, pp. 195–204. ACM, New York, NY, USA, 2013. http://doi.acm.org/10.1145/2457317.2457351 .
• [9] Jerzak M., Wojtysiak M.: Distributed Intrusion Detection Systems – MetalDS case study. Computational Methods in Science and Technology , Special Issue (1), pp. 135–145, 2010.
• [10] Kliarsky A., Atlasis A.A.: Responding to Zero Day Threats, 2011. http://www.sans.org/reading-room/whitepapers/incident/responding- zero-day-threats-33709 .
• [11] Li B., Springer J., Bebis G., Gunes M.H.: A survey of network flow applications. Journal of Network and Computer Applications , vol. 36(2), pp. 567–581, 2013. http://www.sciencedirect.com/science/article/pii/S1084804512002676 .
• [12] Lodi G., Aniello L., Luna G.A.D., Baldoni R.: An event-based platform for colla- borative threats detection and monitoring. Inf. Syst. , vol. 39, pp. 175–195, 2014. http://dblp.uni-trier.de/db/journals/is/is39.html#LodiALB14 .
• [13] Neo4j: Neo4j – The World’s Leading Graph Database, 2012. http://neo4j.org/ .
• [14] Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Signi- ficant, 2014. http://www.nytimes.com/2014/09/26/technology/security- experts-expect-shellshock-software-bug-to-be-significant.html .
• [15] PIONIER, 2014. http://www.pionier.net.pl .
• [16] Polish Platform for Homeland Security, 2014. http://www.ppbw.pl/en .
• [17] Poznań Supercomputing and Networking Center, 2014. http://www.psnc.pl .
• [18] Robinson I., Webber J., Eifrem E.: Graph Databases . O’Reilly Media, Inc., 2013.
• [19] Storm, Distributed and fault-tolerant realtime computation, 2014. http://storm.apache.org .
• [20] Symantec Corporation: Internet Security Threat Report 2014, 2014. http://www.symantec.com/content/en/us/enterprise/other_resources/ b-istr_main_report_v19_21291018.en-us.pdf . 21 grudnia 2015 str. 20/21 370 Gerard Frankowski, Marcin Jerzak, Maciej Miłostan, et al.
• [21] The Apache Software Foundation: mod log config: CustomLog Directive, 2014. https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog .
• [22] WSO2 Carbon System, 2005. http://wso2.com/products/carbon/ .
• [23] WSO2 Siddhi CEP engine, 2005. http://siddhi.sourceforge.net/ .