%0 Conference Proceedings
%T An Efficient and Scalable Intrusion Detection System on Logs of Distributed Applications
%+ Confidentialité, Intégrité, Disponibilité et Répartition (CIDRE)
%+ SUPELEC-Campus Rennes
%+ Universidade Federal do Paraná - Letras (UFPR Letras)
%A Lanoe, David
%A Hurfin, Michel
%A Totel, Eric
%A Maziero, Carlos
%Z Part 1: Intrusion Detection
%< avec comité de lecture
%( IFIP Advances in Information and Communication Technology
%B SEC 2019 - 34th IFIP International Conference on ICT Systems Security and Privacy Protection
%C Lisbonne, Portugal
%Y Gurpreet Dhillon
%Y Fredrik Karlsson
%Y Karin Hedström
%Y André Zúquete
%I Springer
%3 ICT Systems Security and Privacy Protection
%V AICT-562
%P 49-63
%8 2019-06-25
%D 2019
%R 10.1007/978-3-030-22312-0_4
%Z Computer Science [cs]/Distributed, Parallel, and Cluster Computing [cs.DC]
%Z Computer Science [cs]/Cryptography and Security [cs.CR]Conference papers
%X Although security issues are now addressed during the development process of distributed applications, an attack may still affect the provided services or allow access to confidential data. To detect intrusions, we consider an anomaly detection mechanism which relies on a model of the monitored application's normal behavior. During a model construction phase, the application is run multiple times to observe some of its correct behaviors. Each gathered trace enables the identification of significant events and their causality relationships, without requiring the existence of a global clock. The constructed model is dual: an automaton plus a list of likely invariants. The redundancy between the two sub-models decreases when generalization techniques are applied on the automaton. Solutions already proposed suffer from scalability issues. In particular, the time needed to build the model is important and its size impacts the duration of the detection phase. The proposed solutions address these problems, while keeping a good accuracy during the detection phase, in terms of false positive and false negative rates. To evaluate them, a real distributed application and several attacks against the service are considered.
%G English
%Z TC 11
%2 https://inria.hal.science/hal-02409487/document
%2 https://inria.hal.science/hal-02409487/file/IFIPSEC-Hal-Inria.pdf
%L hal-02409487
%U https://inria.hal.science/hal-02409487
%~ UNIV-RENNES1
%~ CNRS
%~ INRIA
%~ UNIV-UBS
%~ INSA-RENNES
%~ INRIA-RENNES
%~ IRISA
%~ IRISA_SET
%~ INRIA_TEST
%~ SUP_CIDRE
%~ TESTALAIN1
%~ IFIP
%~ IFIP-AICT
%~ CENTRALESUPELEC
%~ INRIA2
%~ IFIP-TC
%~ IFIP-TC11
%~ UR1-HAL
%~ IFIP-SEC
%~ UR1-MATH-STIC
%~ UNIV-PARIS-SACLAY
%~ UR1-UFR-ISTIC
%~ CENTRALESUPELEC-SACLAY
%~ TEST-UR-CSS
%~ CENTRALESUPELEC-SACLAY-VP
%~ UNIV-RENNES
%~ INRIA-RENGRE
%~ INRIA-300009
%~ UR1-MATH-NUM
%~ IFIP-AICT-562