Individual Study

Technologies for detecting anomalous behavior in distributed systems

Description

A distributed system is often built up of many other systems, such as operating systems and networks. Such a system can be monitored, and abnormal activity is often visible in the monitoring data. Any abnormal activity may indicate that the system is in an unfortunate state, which can be the result of an intended or unintended action.

An action that takes a system into a different, unfortunate state is not a normal action. Such actions should therefore be detectable. Models for this should distinguish normal behaviour as precisely as possible, so that false alarms are kept to a minimum. The articles below give an introduction to different models and parameters that can be used to detect anomalous behavior in distributed systems.
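As an added illustration of the "model what is normal, then flag deviations" idea in the description (this is the editor's example, not code from the page or from any of the listed papers), the block below follows the sequence-of-system-calls approach of [HFS98]: every contiguous window of k calls seen in normal runs is stored as the profile, and a new trace is scored by the fraction of its windows that never appeared during training. The traces, the window length k=3 and the alarm threshold are constructed assumptions chosen to keep the example small.

```python
# Constructed example traces: each list is the system-call sequence of one
# normal run of a hypothetical program (invented for this example, not
# captured data).
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
]


def windows(trace, k):
    """Yield every contiguous length-k window of a trace as a tuple."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def build_profile(traces, k=3):
    """Learn the profile of normal behaviour: the set of all length-k
    call windows observed in the training traces."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def mismatch_rate(profile, trace, k=3):
    """Fraction of the trace's windows that are absent from the profile.
    0.0 means every window was seen in training; 1.0 means none was."""
    total = 0
    misses = 0
    for w in windows(trace, k):
        total += 1
        if w not in profile:
            misses += 1
    return misses / total if total else 0.0


def is_anomalous(profile, trace, k=3, threshold=0.2):
    """Raise an alarm only when the mismatch rate exceeds the threshold.
    The threshold is the parameter that trades missed detections against
    false alarms: a low value catches more, a high value complains less."""
    return mismatch_rate(profile, trace, k) > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES, k=3)
    # A run that only recombines windows already seen: no alarm.
    benign = ["open", "read", "read", "read", "read", "write", "close"]
    # A run that executes something after reading: every window is new.
    suspicious = ["open", "read", "execve", "write", "close"]
    # Two normal runs back to back: only the windows spanning the join
    # are unseen, so the verdict depends entirely on the threshold.
    back_to_back = NORMAL_TRACES[0] + NORMAL_TRACES[1]
    for name, trace in [("benign", benign), ("suspicious", suspicious),
                        ("back_to_back", back_to_back)]:
        print(name, round(mismatch_rate(profile, trace), 2),
              is_anomalous(profile, trace))
```

The back-to-back case is the one worth studying: with a threshold of 0.2 it is reported as anomalous, with 0.3 it is not, which is exactly the false-alarm trade-off the description refers to. Real deployments also have to decide how much training data is enough for the profile to be complete, since any window missing from training becomes a false alarm later.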

Presentation

The handout for the two-hour presentation can be found here: 1 slide per page (256k) or 4 slides per page (5.5M).

Literature:

[Den87] Dorothy E. Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2):222-232, February 1987.
[GMS00] Anup K. Ghosh, Christopher Michael, and Michael Schatz. A real-time intrusion detection system based on learning program behaviour. In Proceedings of Recent Advances in Intrusion Detection 2000, October 2000.
[HCPZ00] L. Lawrence Ho, David J. Cavuto, Symeon Papavassiliou, and Anthony G. Zawadzki. Adaptive and automated detection of service anomalies in transaction-oriented WANs: Network analysis, algorithms, implementation and deployment. IEEE Journal on Selected Areas in Communications, 18(5), May 2000.
[HFS98] Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151-180, 1998.
[LJ88] Teresa F. Lunt and R. Jagannathan. A prototype real-time intrusion-detection expert system. In Proceedings of the IEEE Symposium on Security and Privacy, pages 2-10, 1988.
[LSC+01] Wenke Lee, Salvatore J. Stolfo, Philip K. Chan, Eleazar Eskin, Wei Fan, Matthew Miller, Shlomo Hershkop, and Junxin Zhang. Real time data mining-based intrusion detection. In Proceedings of DISCEX '01, 2001.
[TCL90] Henry S. Teng, Kaihu Chen, and Stephen Lu. Adaptive real-time anomaly detection using inductively generated sequential patterns. In Proceedings of the IEEE Symposium on Security and Privacy 1990, pages 278-284, 1990.
[TL03] Steven Templeton and Karl E. Levitt. Detecting spoofed packets. In Proceedings of DISCEX '03, 2003.
[Val03] Alfonso Valdes. Detecting novel scans through pattern anomaly detection. In Proceedings of DISCEX '03, 2003.
[VS00] Alfonso Valdes and Keith Skinner. Adaptive, model-based monitoring for cyber attack detection. In Proceedings of Recent Advances in Intrusion Detection 2000, 2000.
[WD01] David Wagner and Drew Dean. Intrusion detection via static analysis. In Proceedings of the IEEE Symposium on Security and Privacy 2001, 2001.