Identifying the provenance of correlated anomalies

Authors:
Dawood Tariq;Basim Baig;Ashish Gehani;Salman Mahmood;Rashid Tahir;Azeem Aqil;Fareed Zaffar
Affiliations:
SRI International, Menlo Park, CA;SRI International, Menlo Park, CA;SRI International, Menlo Park, CA;Lahore University of Management Sciences, Lahore, Punjab, Pakistan;Lahore University of Management Sciences, Lahore, Punjab, Pakistan;Lahore University of Management Sciences, Lahore, Punjab, Pakistan;Lahore University of Management Sciences, Lahore, Punjab, Pakistan
Venue:
Proceedings of the 2011 ACM Symposium on Applied Computing
Year:
2011

Citing 14
Cited 0

Summary cache: a scalable wide-area web cache sharing protocol

IEEE/ACM Transactions on Networking (TON)
Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
SETI@HOME—massively distributed computing for SETI

Computing in Science and Engineering
BOINC: A System for Public-Resource Computing and Storage

GRID '04 Proceedings of the 5th IEEE/ACM International Workshop on Grid Computing
The Anatomy of the Grid: Enabling Scalable Virtual Organizations

International Journal of High Performance Computing Applications
Provenance-Aware Tracing ofWorm Break-in and Contaminations: A Process Coloring Approach

ICDCS '06 Proceedings of the 26th IEEE International Conference on Distributed Computing Systems
Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms

Proceedings of the 4th ACM workshop on Recurring malcode
Minos: Architectural support for protecting control data

ACM Transactions on Architecture and Code Optimization (TACO)
Practical taint-based protection using demand emulation

Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems 2006
Intrusion detection using sequences of system calls

Journal of Computer Security
Eudaemon: involuntary and on-demand emulation against zero-day exploits

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Dynamic spyware analysis

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Community epidemic detection using time-correlated anomalies

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Application communities: using monoculture for dependability

HotDep'05 Proceedings of the First conference on Hot topics in system dependability

Quantified Score

Hi-index	0.00

Visualization

Abstract

Identifying when anomalous activity is correlated in a distributed system is useful for a range of applications from intrusion detection to tracking quality of service. The more specific the logs, the more precise the analysis they allow. However, collecting detailed logs from across a distributed system can deluge the network fabric. We present an architecture that allows fine-grained auditing on individual hosts, space-efficient representation of anomalous activity that can be centrally correlated, and tracing anomalies back to individual files and processes in the system. A key contribution is the design of an anomaly-provenance bridge that allows opaque digests of anomalies to be mapped back to their associated provenance.