Querying Streaming System Monitoring Data for Enterprise System Anomaly Detection
The need for countering Advanced Persistent Threat (APT) attacks has led to
solutions that ubiquitously monitor system activities on each enterprise
host and perform timely abnormal system behavior detection over the stream of
monitoring data. However, existing stream-based solutions lack explicit
language constructs for expressing anomaly models that capture abnormal system
behaviors, and thus face challenges in incorporating expert knowledge to perform
timely anomaly detection over large-scale monitoring data. To address these
limitations, we build SAQL, a novel stream-based query system that takes as
input a real-time event feed aggregated from multiple hosts in an enterprise
and provides an anomaly query engine that queries the event feed to identify
abnormal behaviors based on the specified anomaly models. SAQL provides a
domain-specific query language, Stream-based Anomaly Query Language (SAQL),
that uniquely integrates critical primitives for expressing the major types of
anomaly models. In the demo, we aim to show the complete usage scenario of SAQL
by (1) performing an APT attack in a controlled environment, and (2) using SAQL
to detect the abnormal behaviors in real time by querying the collected stream
of system monitoring data that contains the attack traces. The audience will
have the option to interact with the system and detect the attack footprints in
real time by issuing queries and checking the query results through a
command-line UI.
Comment: Accepted paper at ICDE 2020 demonstrations track. arXiv admin note:
text overlap with arXiv:1806.0933
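The kind of anomaly model such a query engine evaluates over a host event stream, as an added illustration (this is not SAQL code or SAQL syntax, and the event feed, field layout, window size and threshold are all constructed assumptions): a sliding-window rule that flags a process contacting more distinct internal targets than a baseline allows, the fan-out pattern of lateral-movement reconnaissance. Events are assumed to arrive in timestamp order, as they would from a single aggregated feed.

```python
"""Sliding-window fan-out rule over a stream of host monitoring events.
Added example; not part of SAQL. Feed, field layout and thresholds are constructed."""
from collections import defaultdict, deque

# Constructed sample feed: (timestamp_sec, host, process, event_type, target).
# Not real telemetry: one mail client talking to one server, and one shell
# process fanning out across the 10.0.0.0/24 range within a few seconds.
SAMPLE_FEED = [
    (0, "ws-17", "outlook.exe", "connect", "10.0.0.5"),
    (1, "ws-17", "outlook.exe", "connect", "10.0.0.5"),
    (2, "ws-17", "powershell.exe", "connect", "10.0.0.11"),
    (3, "ws-17", "powershell.exe", "connect", "10.0.0.12"),
    (4, "ws-17", "powershell.exe", "connect", "10.0.0.13"),
    (5, "ws-17", "powershell.exe", "connect", "10.0.0.14"),
    (6, "ws-17", "powershell.exe", "connect", "10.0.0.15"),
    (7, "ws-17", "powershell.exe", "connect", "10.0.0.16"),
    (80, "ws-17", "powershell.exe", "connect", "10.0.0.17"),  # outside the window
]


class FanOutRule:
    """Flag a (host, process) pair that connects to more than `max_distinct`
    distinct targets within any `window_sec` sliding window."""

    def __init__(self, window_sec, max_distinct):
        self.window_sec = window_sec
        self.max_distinct = max_distinct
        # (host, process) -> deque of (ts, target) still inside the window
        self.windows = defaultdict(deque)
        self.alerted = set()  # one alert per key, to avoid re-firing every event

    def feed(self, ts, host, proc, event, target):
        """Consume one event; return an alert dict or None."""
        if event != "connect":
            return None
        key = (host, proc)
        win = self.windows[key]
        win.append((ts, target))
        # Evict events that have aged out of the window (feed is time-ordered).
        while win and ts - win[0][0] > self.window_sec:
            win.popleft()
        distinct = {t for _, t in win}
        if len(distinct) > self.max_distinct and key not in self.alerted:
            self.alerted.add(key)
            return {"host": host, "process": proc, "ts": ts,
                    "distinct_targets": len(distinct)}
        return None


def run_rule(feed, window_sec=60, max_distinct=4):
    """Run the rule over an ordered feed and collect the alerts it raises."""
    rule = FanOutRule(window_sec, max_distinct)
    alerts = []
    for ev in feed:
        alert = rule.feed(*ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rule(SAMPLE_FEED):
        print(a)
```

On the constructed feed the shell process crosses the threshold of four distinct targets at second 6, while the mail client, which only ever reaches one server, never does; the connection at second 80 falls outside the 60-second window and is not counted against the earlier ones. The `alerted` set is a deliberate design choice: without it a frequency rule fires on every subsequent event in the window and floods the analyst.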
Optimal Elephant Flow Detection
Monitoring the traffic volumes of elephant flows, including the total byte
count per flow, is a fundamental capability for online network measurements. We
present an asymptotically optimal algorithm for solving this problem in terms
of both space and time complexity. This improves on previous approaches, which
can only count the number of packets in constant time. We evaluate our work on
real packet traces, demonstrating a speedup of up to 2.5x compared to the best
alternative.
Comment: Accepted to IEEE INFOCOM 201
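To make the byte-count versus packet-count distinction concrete, here is an added example (not the paper's algorithm, whose optimal construction is not reproduced) that tracks heavy flows with a byte-weighted Space-Saving summary over a constructed packet trace. The flow names, packet sizes and counter budget `k` are assumptions; the point it shows is that the same stream ranks a different flow on top depending on whether updates are weighted by packet or by byte.

```python
"""Byte-weighted heavy-hitter (elephant flow) tracking with Space-Saving.
Added illustration; the paper's asymptotically optimal algorithm is not reproduced."""
import random


def constructed_trace(seed=1):
    """Synthetic packet stream of (flow_id, bytes): one elephant sending few
    large packets, one chatty flow sending many tiny packets, and 200 mice.
    Shuffled deterministically so the flows interleave."""
    pkts = [("elephant", 1500)] * 40                       # 40 pkts, 60,000 bytes
    pkts += [("chatty", 40)] * 100                          # 100 pkts, 4,000 bytes
    pkts += [(f"mouse-{i}", 60) for i in range(200)]        # 200 pkts, 12,000 bytes
    random.Random(seed).shuffle(pkts)
    return pkts


class SpaceSaving:
    """k counters. An unseen key evicts the minimum counter and inherits its
    value, recording that value as its possible over-estimate `err`, so for
    every tracked key: true <= estimate <= true + err and err <= total/k.
    The min scan below is O(k); the Stream-Summary structure of the original
    Space-Saving algorithm makes the same step O(1)."""

    def __init__(self, k):
        self.k = k
        self.counters = {}  # key -> [estimate, err]

    def update(self, key, weight=1):
        if key in self.counters:
            self.counters[key][0] += weight
        elif len(self.counters) < self.k:
            self.counters[key] = [weight, 0]
        else:
            victim = min(self.counters, key=lambda kk: self.counters[kk][0])
            vest = self.counters.pop(victim)[0]
            self.counters[key] = [vest + weight, vest]

    def top(self, n=3):
        """(key, estimate, err) triples, largest estimate first."""
        return sorted(((k, v[0], v[1]) for k, v in self.counters.items()),
                      key=lambda t: -t[1])[:n]


def rank_flows(packets, k=8, by_bytes=True):
    """Rank flows by estimated byte volume (or by packet count if by_bytes=False)."""
    ss = SpaceSaving(k)
    for flow, size in packets:
        ss.update(flow, size if by_bytes else 1)
    return ss.top()


if __name__ == "__main__":
    trace = constructed_trace()
    print("by bytes:  ", rank_flows(trace, by_bytes=True))
    print("by packets:", rank_flows(trace, by_bytes=False))
```

With 8 counters and 76,000 bytes in total, any flow above 76,000/8 = 9,500 bytes is guaranteed to survive in the summary, so the elephant is always reported with an estimate between its true 60,000 bytes and 69,500 bytes; ranked by packets instead, the 100-packet chatty flow wins while the elephant's 40 packets may not even clear the 340/8 guarantee bound. That gap is exactly why a byte-weighted counter matters for elephant detection.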
Using learned action models in execution monitoring
Planners reason with abstracted models of the behaviours they use to construct plans. When plans are turned into the instructions that drive an executive, the real behaviours interacting with the unpredictable uncertainties of the environment can lead to failure. One of the challenges for intelligent autonomy is to recognise when the actual execution of a behaviour has diverged so far from the expected behaviour that it can be considered to be a failure. In this paper we present further developments of the work described in (Fox et al. 2006), where models of behaviours were learned as Hidden Markov Models. Execution of behaviours is monitored by tracking the most likely trajectory through such a learned model, while possible failures in execution are identified as deviations from common patterns of trajectories within the learned models. We present results for our experiments with a model learned for a robot behaviour
Detecting execution failures using learned action models
Planners reason with abstracted models of the behaviours they use to construct plans. When plans are turned into the instructions that drive an executive, the real behaviours interacting with the unpredictable uncertainties of the environment can lead to failure. One of the challenges for intelligent autonomy is to recognise when the actual execution of a behaviour has diverged so far from the expected behaviour that it can be considered to be a failure. In this paper we present an approach by which a trace of the execution of a behaviour is monitored by tracking its most likely explanation through a learned model of how the behaviour is normally executed. In this way, possible failures are identified as deviations from common patterns of the execution of the behaviour. We perform an experiment in which we inject errors into the behaviour of a robot performing a particular task, and explore how well a learned model of the task can detect where these errors occur
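The monitoring scheme both abstracts above describe, as one added example serving both (not the authors' model or code): a small hand-written HMM stands in for a learned model of a pick-up behaviour, a trace is decoded with Viterbi to obtain its most likely trajectory, and a step is flagged as a deviation when the best achievable path score collapses, i.e. no phase of the learned behaviour explains the new observation well given the best explanation so far. The states, symbols, probabilities, traces and the 0.1 ratio threshold are all constructed assumptions; a fitted model would be estimated from execution logs.

```python
"""Tracking a behaviour trace through an HMM and flagging execution deviations.
Added example; the model below is constructed by hand, not learned from a robot."""
import math

# Hidden phases of a constructed pick-up behaviour and the sensor symbol each
# phase usually emits. Tiny non-zero entries keep every path representable.
STATES = ["approach", "grasp", "lift"]
START = {"approach": 1.0 - 2e-6, "grasp": 1e-6, "lift": 1e-6}
TRANS = {
    "approach": {"approach": 0.6, "grasp": 0.4, "lift": 1e-6},
    "grasp":    {"approach": 1e-6, "grasp": 0.3, "lift": 0.7},
    "lift":     {"approach": 1e-6, "grasp": 1e-6, "lift": 1.0},
}
EMIT = {
    "approach": {"moving": 0.9, "contact": 0.05, "load": 0.05},
    "grasp":    {"moving": 0.1, "contact": 0.8, "load": 0.1},
    "lift":     {"moving": 0.05, "contact": 0.1, "load": 0.85},
}

# Constructed traces: a normal run, a run where the gripper loses contact and
# the arm moves again, and a run that reports load before any contact.
NORMAL_TRACE = ["moving", "moving", "contact", "load", "load"]
SLIP_TRACE = ["moving", "contact", "moving", "moving", "contact"]
EARLY_LOAD_TRACE = ["moving", "load", "load"]


def monitor(obs, threshold=0.1):
    """Viterbi-decode `obs`. Flag step t when the best path score shrinks by a
    factor below `threshold` relative to step t-1. Returns (flagged steps,
    most likely state sequence)."""
    # score[s]: log-prob of the best path ending in state s at the current step
    score = {s: math.log(START[s]) + math.log(EMIT[s][obs[0]]) for s in STATES}
    back = [{s: None for s in STATES}]
    flagged = []
    for t in range(1, len(obs)):
        prev_best = max(score.values())
        new_score, ptr = {}, {}
        for s in STATES:
            cand = {p: score[p] + math.log(TRANS[p][s]) for p in STATES}
            best_prev = max(cand, key=cand.get)
            new_score[s] = cand[best_prev] + math.log(EMIT[s][obs[t]])
            ptr[s] = best_prev
        score = new_score
        back.append(ptr)
        # Ratio of best achievable scores: small means this observation is
        # poorly explained by any continuation of the behaviour.
        if math.exp(max(score.values()) - prev_best) < threshold:
            flagged.append(t)
    # Backtrack the most likely trajectory through the model.
    state = max(score, key=score.get)
    path = [state]
    for t in range(len(obs) - 1, 0, -1):
        state = back[t][state]
        path.append(state)
    return flagged, path[::-1]


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("slip", SLIP_TRACE),
                        ("early load", EARLY_LOAD_TRACE)]:
        print(name, monitor(trace))
```

On the normal trace every step keeps at least 32% of the previous best score and the decoded trajectory is approach, approach, grasp, lift, lift; the slip trace is flagged at step 2, where "moving" after a contact keeps only about 5%, and the early-load trace at step 1. A caveat this toy makes visible: a robot stuck emitting "contact" forever is never flagged, because a first-order HMM has no notion of phase duration, so a practical monitor needs either duration modelling or a separate timeout.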
Online anomaly detection using statistical leverage for streaming business process events
While several techniques for detecting trace-level anomalies in event logs in
offline settings have appeared recently in the literature, such techniques are
currently lacking for online settings. Event log anomaly detection in online
settings can be crucial for discovering anomalies in process execution as soon
as they occur and, consequently, for allowing early corrective actions to be
taken promptly. This paper describes a novel approach to event log anomaly detection
on event streams that uses statistical leverage. Leverage has been used
extensively in statistics to develop measures to identify outliers, and it has
been adapted in this paper to the specific scenario of event stream data. The
proposed approach has been evaluated on both artificial and real event streams.
Comment: 12 pages, 4 figures, conference (Proceedings of the 1st International
Workshop on Streaming Analytics for Process Mining (SA4PM 2020) in
conjunction with International Conference on Process Mining, Accepted for
publication (Sep 2020)
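What "leverage adapted to a stream" can look like, as an added example (not the paper's method): each completed trace is encoded as a vector of activity counts, its leverage h = x^T (X^T X + λI)^{-1} x is computed against the traces seen so far, and the inverse is then updated in place with a Sherman-Morrison rank-1 step so no matrix is refactored per trace. The activity set, traces, ridge term λ, warm-up length and the threshold of 1 are constructed assumptions.

```python
"""Online leverage scoring of completed process traces.
Added illustration, not the paper's algorithm; traces and thresholds are constructed."""

ACTIVITIES = ["register", "check", "approve", "pay"]

# Constructed stream of completed traces. Indices 0-5 are normal variants
# (the "check" step may loop), index 6 repeats "pay" six times, index 7 is
# normal again, index 8 skips "register" and "check" entirely.
NORMAL = ["register", "check", "approve", "pay"]
LOOP = ["register", "check", "check", "approve", "pay"]
SAMPLE_TRACES = [
    NORMAL, LOOP, NORMAL, LOOP, NORMAL,
    ["register", "check", "check", "check", "approve", "pay"],
    ["register", "check", "approve"] + ["pay"] * 6,
    LOOP,
    ["approve", "pay"],
]


def encode(trace):
    """Activity-count vector for one completed trace."""
    return [float(trace.count(a)) for a in ACTIVITIES]


class StreamingLeverage:
    """Maintains inv = (X^T X + lam*I)^-1 over the traces folded in so far.
    score(x) = x^T inv x is the leverage of a new trace relative to the past;
    update(x) folds it in via Sherman-Morrison without re-inverting."""

    def __init__(self, p, lam=1e-3):
        self.p = p
        self.inv = [[(1.0 / lam if i == j else 0.0) for j in range(p)] for i in range(p)]
        self.n = 0

    def _inv_x(self, x):
        return [sum(self.inv[i][j] * x[j] for j in range(self.p)) for i in range(self.p)]

    def score(self, x):
        v = self._inv_x(x)
        return sum(xi * vi for xi, vi in zip(x, v))

    def update(self, x):
        v = self._inv_x(x)  # inv is symmetric, so v is both inv*x and x^T*inv
        denom = 1.0 + sum(xi * vi for xi, vi in zip(x, v))
        for i in range(self.p):
            for j in range(self.p):
                self.inv[i][j] -= v[i] * v[j] / denom
        self.n += 1


def score_stream(traces, warmup=6, threshold=1.0):
    """Score each trace against the traces before it. Returns (indices flagged
    after warm-up, all leverage scores). Scores above `threshold` (assumed) mark
    a trace that lies outside the pattern spanned by earlier traces."""
    model = StreamingLeverage(len(ACTIVITIES))
    flagged, scores = [], []
    for idx, trace in enumerate(traces):
        x = encode(trace)
        h = model.score(x)
        scores.append(h)
        if idx >= warmup and h > threshold:
            flagged.append(idx)
        model.update(x)  # fold the trace in, anomalous or not
    return flagged, scores


if __name__ == "__main__":
    flagged, scores = score_stream(SAMPLE_TRACES)
    for i, h in enumerate(scores):
        print(i, f"{h:.3f}", "ANOMALY" if i in flagged else "")
```

The warm-up matters: against an empty history the inverse is (1/λ)I and every trace scores enormously. After six normal traces the repeated-pay trace and the skipped-steps trace both score in the hundreds or thousands, because their count vectors point in directions the past traces never varied along, while the normal loop variant at index 7 scores well below 1. Note that the anomalous traces are folded into the model too; whether to do that, or to quarantine flagged traces so they do not teach the model their own pattern, is a design decision the practitioner has to make.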
Shadow Honeypots
We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false positives.
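The dispatch logic of the architecture, simulated in an added example (not the authors' Apache or Firefox implementation): a cheap anomaly detector routes ordinary requests straight to production, sends anomalous ones to an instrumented shadow that runs on a snapshot of the shared state, discards the snapshot and learns a filter entry when the instrumentation trips, and commits the snapshot when a misclassified benign request comes through clean. The key/value "application", its fixed-size field, the bounds check standing in for memory-safety instrumentation, the detector heuristics and the exact-match filter are all constructed assumptions.

```python
"""Shadow-honeypot request dispatch, simulated.
Added example; the application, detector and instrumentation are stand-ins."""
import copy
import string

BUF_SIZE = 256  # assumed fixed-size field that the instrumented shadow checks


class AttackDetected(Exception):
    """Raised by the shadow's instrumentation when a request trips a check."""


def is_anomalous(req):
    """Stand-in anomaly detector: unusually long values or non-printable
    characters are treated as anomalous. Deliberately crude, so it produces
    false positives for the shadow to absorb."""
    _, _, value = req
    return len(value) > 100 or any(ch not in string.printable for ch in value)


def app_handle(req, state, instrumented):
    """The protected application: a key/value store that copies `value` into a
    fixed-size field. Production (instrumented=False) models an unsafe copy.
    The shadow (instrumented=True) models memory-safety instrumentation that
    turns the overflow into a caught AttackDetected."""
    op, key, value = req
    if op != "set":
        raise ValueError(f"unsupported op {op!r}")
    if instrumented and len(value) > BUF_SIZE:
        raise AttackDetected(f"{len(value) - BUF_SIZE} bytes past a {BUF_SIZE}-byte field")
    state[key] = value


class ShadowDispatcher:
    def __init__(self):
        self.state = {}       # state shared by production and shadow
        self.filter = set()   # attack instances learned from the shadow (exact match)
        self.stats = {"production": 0, "shadow_clean": 0, "shadow_attack": 0, "filtered": 0}

    def handle(self, req):
        """Route one request; returns 'ok' or 'dropped'."""
        sig = (req[0], req[2])
        if sig in self.filter:            # known attack: no shadow round-trip needed
            self.stats["filtered"] += 1
            return "dropped"
        if not is_anomalous(req):         # fast path: production instance
            app_handle(req, self.state, instrumented=False)
            self.stats["production"] += 1
            return "ok"
        # Anomalous: let the instrumented shadow process it on a snapshot of
        # the shared state, so its side effects can be discarded on attack.
        shadow_state = copy.deepcopy(self.state)
        try:
            app_handle(req, shadow_state, instrumented=True)
        except AttackDetected:
            self.filter.add(sig)          # snapshot dropped, future copies filtered
            self.stats["shadow_attack"] += 1
            return "dropped"
        self.state = shadow_state         # misclassified benign request: commit transparently
        self.stats["shadow_clean"] += 1
        return "ok"


def run_demo():
    """Constructed request sequence: benign, overflow, long-but-benign, repeat overflow."""
    d = ShadowDispatcher()
    requests = [
        ("set", "alice", "hello"),
        ("set", "bob", "A" * 300),
        ("set", "carol", "x" * 120),
        ("set", "bob", "A" * 300),
    ]
    results = [d.handle(r) for r in requests]
    return d, results


if __name__ == "__main__":
    d, results = run_demo()
    print(results, d.stats, sorted(d.state))
```

The third request is the case the architecture exists for: the detector misfires on a 120-character value, the shadow validates it, and the write lands in the shared state with the client none the wiser. The design only works when the shadow's instrumentation actually catches the attack class in question; an anomaly detector alone cannot tell a false positive from a real attack, which is why the instrumentation cost (20% for Apache in the paper) is paid on the anomalous slice of traffic rather than on all of it.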