Collaborating as Normal: Detecting Systemic Anomalies in Your Partner

  • Olgierd Pieczul
  • Simon N. Foley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8809)


It is considered whether anomaly detection techniques might be used to determine potentially malicious behavior by service providers. Data mining techniques can be used to derive patterns of repeating behavior from logs of past interactions between service consumers and providers. Consumers may use these patterns to detect anomalous provider behavior, while providers may seek to adapt their behavior in ways that cannot be detected by the consumer. A challenge is deriving a behavioral model that is a sufficiently precise representation of the consumer-provider interactions. Behavioral norms, which model these patterns of behavior, are used to explore these issues in an on-line photograph sharing style service.


Anomaly Detection; Behavioral Norms; Online Photograph Sharing; Normal Behavioral Model; Malicious Providers
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This research has been partly supported by Science Foundation Ireland grant 08/SRC/11403.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Ireland Lab, IBM Software Group, Dublin, Ireland
  2. Department of Computer Science, University College Cork, Cork, Ireland
