Inferring a Distributed Application Behavior Model for Anomaly Based Intrusion Detection

As distributed computations become more and more common in highly distributed environments like the cloud, intrusion detection systems have to follow these paradigms. Anomaly based intrusion detection systems in distributed systems usually rely on a total order of the observed events. However, such hypothesis is often too strong, as in a highly distributed environment the order of the observed events is partially unknown. This paper demonstrates it is possible to infer a distributed application behavior model for intrusion detection, relying only on a partial ordering of events. The originality of the proposed approach is to tackle the problem by combining two types of models that are usually used separately: an automaton modeling the distributed computation, and a list of temporal properties that the computation must comply with. Finally, we apply the approach on two examples, and assess the method on a real distributed application.