Monitoring Anomalies in IT-Landscapes Using Clustering Techniques and Complex Event Processing

  • Matthias Gander
  • Michael Felderer
  • Basel Katt
  • Ruth Breu
Part of the Communications in Computer and Information Science book series (CCIS, volume 336)


Monitoring the behavior of IT-landscapes is the basis for detecting breaches of non-functional requirements such as security. Established methods, such as signature-based monitoring, extract features from data instances and compare them to the features stored in a signature database. However, signature-based monitoring has an intrinsic limitation concerning unseen instances of aberrations (or attacks): new instances have features that are not yet recorded in the signature database. Anomaly detection has therefore been introduced to automatically detect non-conforming patterns in data. Unfortunately, it is often prohibitively hard to obtain labeled training data for supervised-learning approaches, so unsupervised techniques such as clustering have become popular. In this paper, we apply complex event processing rules and clustering techniques, leveraging models of an IT-landscape that cover workflows, services, and the network infrastructure, to detect abnormal behavior. The service layer and the infrastructure layer each have events of their own. Sequences of service events are well-defined, represent a workflow, and are counter-checked via complex event processing rules. These service events, however, trigger infrastructure events, such as database activity and network traffic, which are not modeled. These infrastructure events are related to the appropriate call traces and clustered into network profiles and database profiles. Outlying service events, nodes, and workflows are detected based on measured deviations from the clusters. We present the main properties of our clustering-based anomaly detection approach and relate it to other techniques.
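The two-layer scheme sketched in the abstract, as an added toy example that is not the paper's code: service events of each call trace are checked against a modeled workflow by a CEP-style rule, infrastructure events are related to their call trace and turned into a profile, and a trace is reported as outlying when its deviation from the profile cluster is large. All event data is constructed, and the clustering is simplified to a single profile cluster with a per-feature median center (the paper's own profiles, rules and distance measure are not reproduced here).

```python
"""Toy workflow-rule plus profile-clustering anomaly detector (added example)."""
from collections import defaultdict
from statistics import median
import math

# Modeled workflow: the only valid order of service calls within one trace.
WORKFLOW = ["authenticate", "fetch_record", "write_audit"]

# Constructed service events: (trace_id, service). Trace t3 skips authentication.
SERVICE_EVENTS = [
    ("t1", "authenticate"), ("t1", "fetch_record"), ("t1", "write_audit"),
    ("t2", "authenticate"), ("t2", "fetch_record"), ("t2", "write_audit"),
    ("t3", "fetch_record"), ("t3", "write_audit"),
    ("t4", "authenticate"), ("t4", "fetch_record"), ("t4", "write_audit"),
]

# Constructed infrastructure events: (trace_id, kind, size). Trace t4 follows the
# workflow but issues far more database operations and moves far more bytes.
INFRA_EVENTS = [
    ("t1", "db", 3), ("t1", "net", 1200),
    ("t2", "db", 4), ("t2", "net", 1350),
    ("t3", "db", 3), ("t3", "net", 1100),
    ("t4", "db", 90), ("t4", "net", 250000),
]

def workflow_violations(events):
    """CEP-style rule: the service-call sequence of a trace must equal WORKFLOW."""
    seq = defaultdict(list)
    for trace, svc in events:
        seq[trace].append(svc)
    return sorted(t for t, s in seq.items() if s != WORKFLOW)

def trace_profiles(events):
    """Relate infrastructure events to their call trace: [db_ops, net_bytes]."""
    prof = defaultdict(lambda: [0.0, 0.0])
    for trace, kind, size in events:
        prof[trace][0 if kind == "db" else 1] += size
    return dict(prof)

def cluster_outliers(profiles, factor=3.0):
    """Traces whose deviation from the cluster center exceeds factor * median deviation.
    The center is the per-feature median (robust to the outlier itself) and each
    feature is expressed as a ratio to that median so counts and bytes weigh alike."""
    traces = sorted(profiles)
    dims = len(profiles[traces[0]])
    center = [median(profiles[t][i] for t in traces) for i in range(dims)]
    dev = {t: math.sqrt(sum((profiles[t][i] / center[i] - 1.0) ** 2
                            for i in range(dims))) for t in traces}
    threshold = factor * median(dev.values())
    return [t for t in traces if dev[t] > threshold]

def detect(service_events, infra_events):
    """Combine both layers: workflow breaches and infrastructure-profile outliers."""
    return {"workflow": workflow_violations(service_events),
            "profile": cluster_outliers(trace_profiles(infra_events))}

if __name__ == "__main__":
    print(detect(SERVICE_EVENTS, INFRA_EVENTS))  # {'workflow': ['t3'], 'profile': ['t4']}
```

Note that the two layers flag different traces: t3 breaks the modeled sequence while t4 is sequence-conformant and only stands out in the infrastructure profile.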


Keywords (added by machine, not by the authors): Intrusion Detection, Anomaly Detection, Patient Medical Record, Service Call, Policy Decision Point





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

Matthias Gander, Michael Felderer, Basel Katt, Ruth Breu: Institute of Computer Science, University of Innsbruck, Austria
