An Event-Driven Hierarchical Framework for Anomaly Detection



Project Title: An Event-Driven Hierarchical Framework for Anomaly Detection

Co-PIs Involved: Stéphane Lafortune and Demosthenis Teneketzis,
Professors, Electrical Engineering & Computer Science, University of Michigan

Students:
Olivier Contant, Ph.D. Electrical Engineering & Computer Science, University of Michigan (2005)
Patrick Macnamara, B.S. Computer Engineering, EECS, University of Michigan (2006)

Project Description

The modular strategy for internetwork monitoring is a hierarchical structure of Data Aggregation and Filtering Modules (DAFMs) based on a combination of spatio-temporal models and event-driven models, as shown in Fig. 1. Each level in the hierarchy corresponds to a different aggregation of nodes. At the first level, the DAFMs monitor traffic flows using spatio-temporal models; they issue alerts and alarms based on the results of their online traffic analysis, which uses network tomography techniques. At the levels above, event-driven models are used to perform modular diagnosis and distributed detection. Each intermediate level is a cluster of nodes at the level below.

We assume two-way communication between any DAFM and its upper and lower hierarchical levels. Two DAFMs at the same level communicate via their upper-level DES in the hierarchy. The network nodes that report to the lowest level of DAFMs can be a single host, a single router, or a cluster of hosts or routers.

The DAFMs at any level generate three different types of alerts: (i) a message to the upper-level DAFM reporting an alert at its own level, e.g., the DAFM reports that its LAN is under attack, together with a set of specifications; (ii) a message to its lower (respectively, upper) level forwarding a report that came from the upper (respectively, lower) level, e.g., an upper-level DAFM receives an alert from one of its lower-level DAFMs and reports the information to the neighboring DAFMs; and (iii) a message to a particular DAFM below requesting a deeper analysis at that node. These requests carry priority levels, which are based on the threat levels and determined using decision-making tools.

In order to support the requirements of the above architecture, a modular strategy for fault detection and isolation using event-driven models is being developed. The approach is based on the theory of fault diagnosis for discrete event systems. Two key contributions are: (i) a novel notion of modular diagnosability and (ii) a computationally efficient algorithm for verifying modular diagnosability. Fig. 2 shows the decision logic of the verification process. Our preliminary results will be presented at WODES'04 [1].
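The following is an added example, not code from this project, that simulates the message flow of the DAFM hierarchy described above: a first-level DAFM grades a traffic window against a baseline (a crude stand-in for the spatio-temporal model), reports upward (alert type i), its parent relays the report to the reporter's siblings and escalates it (type ii), and the direct parent requests a deeper analysis at the reporting node with a priority derived from the threat level (type iii). The message bus rejects any direct message between two DAFMs at the same level, so siblings can only communicate through their common parent. The tree, the baselines, the traffic numbers and the threat-to-priority table are all constructed for the illustration.

```python
from collections import deque
from dataclasses import dataclass

# Stand-in for the "decision-making tools": threat level -> request priority (1 = most urgent).
PRIORITY = {"high": 1, "medium": 2}


@dataclass
class Message:
    kind: str     # "REPORT" (type i), "FORWARD" (type ii) or "REQUEST" (type iii)
    src: str
    dst: str
    payload: dict


class Hierarchy:
    """Registry of DAFMs plus a FIFO message bus that only allows parent/child links."""

    def __init__(self):
        self.nodes = {}
        self.queue = deque()
        self.trace = []      # every delivered message, in delivery order

    def add(self, dafm):
        self.nodes[dafm.name] = dafm
        dafm.hier = self
        if dafm.parent is not None:
            self.nodes[dafm.parent].children.append(dafm.name)
        return dafm

    def send(self, msg):
        src = self.nodes[msg.src]
        allowed = set(src.children)
        if src.parent is not None:
            allowed.add(src.parent)
        if msg.dst not in allowed:   # same-level DAFMs must go through their common parent
            raise ValueError(f"{msg.src} may only message its parent or children, not {msg.dst}")
        self.queue.append(msg)

    def run(self):
        while self.queue:
            msg = self.queue.popleft()
            self.trace.append(msg)
            self.nodes[msg.dst].receive(msg)
        return self.trace


class DAFM:
    def __init__(self, name, parent=None, baseline=None):
        self.name, self.parent, self.children = name, parent, []
        self.baseline = baseline   # expected packets per window (first-level DAFMs only)
        self.last_flows = {}
        self.hier = None

    def observe(self, flows):
        """First-level analysis: compare this window's total against the baseline and
        grade the threat. flows maps host -> packets seen in the window."""
        self.last_flows = flows
        ratio = sum(flows.values()) / self.baseline
        threat = "high" if ratio >= 5 else "medium" if ratio >= 2 else None
        if threat:
            self.hier.send(Message("REPORT", self.name, self.parent,
                                   {"origin": self.name, "threat": threat, "ratio": round(ratio, 1)}))

    def receive(self, msg):
        if msg.kind == "REPORT":
            for c in self.children:              # (ii) relay to the reporter's siblings
                if c != msg.src:
                    self.hier.send(Message("FORWARD", self.name, c, msg.payload))
            if self.parent is not None:          # (i) escalate one level up
                self.hier.send(Message("REPORT", self.name, self.parent, msg.payload))
            # (iii) the reporter's direct parent asks for deeper analysis, once, with a priority
            if msg.src == msg.payload["origin"] and "top_talkers" not in msg.payload:
                self.hier.send(Message("REQUEST", self.name, msg.src,
                                       {"priority": PRIORITY[msg.payload["threat"]],
                                        "threat": msg.payload["threat"]}))
        elif msg.kind == "REQUEST":
            # Deeper analysis at the node: which hosts dominate the anomalous window.
            top = sorted(self.last_flows.items(), key=lambda kv: -kv[1])[:2]
            self.hier.send(Message("REPORT", self.name, self.parent,
                                   {"origin": self.name, "threat": msg.payload["threat"],
                                    "priority": msg.payload["priority"], "top_talkers": top}))
        # FORWARD messages trigger no further action in this toy; they are just delivered.


def build_demo():
    """Constructed two-level tree: root R over clusters A (hosts a1, a2) and B (host b1)."""
    h = Hierarchy()
    h.add(DAFM("R"))
    h.add(DAFM("A", parent="R")); h.add(DAFM("B", parent="R"))
    h.add(DAFM("a1", parent="A", baseline=100)); h.add(DAFM("a2", parent="A", baseline=100))
    h.add(DAFM("b1", parent="B", baseline=100))
    return h


def run_scenario(flows):
    """Feed one traffic window to a1 and return the delivered messages as tuples."""
    h = build_demo()
    h.nodes["a1"].observe(flows)
    return [(m.kind, m.src, m.dst, m.payload) for m in h.run()]


if __name__ == "__main__":
    for kind, src, dst, payload in run_scenario({"h1": 450, "h2": 60}):
        print(f"{kind:8s} {src:>3s} -> {dst:<3s} {payload}")
```

Running the script shows the full cascade for a spike at a1: the report climbs to R, is relayed to a2 (via A) and to B (via R), A requests deeper analysis at a1 with priority 1, and the top-talker breakdown then climbs and is relayed the same way.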
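To make the underlying notion concrete, here is an added example (not the project's code, and not the modular diagnosability algorithm of [2] and [3]) that checks the classical, monolithic diagnosability property of a single discrete event system with the twin-plant ("verifier") construction: two copies of the automaton run in lockstep on observable events, each copy moves alone on unobservable events, and each copy carries a label recording whether a fault has occurred on its path. Under the standard assumptions of the classical theory (a live automaton with no cycle of unobservable events, faults unobservable), the system is diagnosable exactly when the verifier has no cycle through a "confused" state, i.e. one copy labelled F and the other N. The two small automata at the end are constructed for the illustration.

```python
from collections import deque


class DES:
    """Deterministic finite automaton whose events are partitioned into observable and
    unobservable ones; fault events are unobservable. Assumed, as in the classical theory:
    the automaton is live and has no cycle of unobservable events."""

    def __init__(self, init, trans, observable, faults):
        self.init = init
        self.trans = dict(trans)           # (state, event) -> next state
        self.obs = set(observable)
        self.faults = set(faults)
        assert not (self.faults & self.obs), "fault events must be unobservable"

    def successors(self, x):
        return [(e, t) for (s, e), t in self.trans.items() if s == x]


def build_verifier(des):
    """Twin-plant construction. Verifier state = (x1, l1, x2, l2): the state of each copy
    and its label, 'N' (normal) or 'F' (a fault occurred on this copy's path).
    Returns the reachable graph as {state: [successor states]}."""
    start = (des.init, "N", des.init, "N")
    graph, queue = {start: []}, deque([start])
    while queue:
        x1, l1, x2, l2 = cur = queue.popleft()
        nxt = []
        for e, t in des.successors(x1):                 # copy 1 moves alone (unobservable)
            if e not in des.obs:
                nxt.append((t, "F" if e in des.faults else l1, x2, l2))
        for e, t in des.successors(x2):                 # copy 2 moves alone (unobservable)
            if e not in des.obs:
                nxt.append((x1, l1, t, "F" if e in des.faults else l2))
        for e, t in des.successors(x1):                 # both move on a shared observable
            if e in des.obs and (x2, e) in des.trans:
                nxt.append((t, l1, des.trans[(x2, e)], l2))
        for s in nxt:
            if s not in graph:
                graph[s] = []
                queue.append(s)
        graph[cur] = nxt
    return graph


def confused_cycle(graph):
    """True if the verifier has a cycle through confused states (labels differ between the
    copies). Labels only ever change from N to F, so any cycle touching a confused state
    consists solely of confused states; a DFS back edge inside that subgraph is a cycle."""
    confused = {s for s in graph if s[1] != s[3]}
    WHITE, GRAY, BLACK = 0, 1, 2
    color = dict.fromkeys(confused, WHITE)
    for root in confused:
        if color[root] != WHITE:
            continue
        color[root] = GRAY
        stack = [(root, iter(graph[root]))]
        while stack:                                    # iterative DFS
            u, it = stack[-1]
            for v in it:
                if v not in confused:
                    continue
                if color[v] == GRAY:
                    return True
                if color[v] == WHITE:
                    color[v] = GRAY
                    stack.append((v, iter(graph[v])))
                    break
            else:
                color[u] = BLACK
                stack.pop()
    return False


def is_diagnosable(des):
    """A confused cycle is a pair of arbitrarily long behaviours, one faulty and one normal,
    with identical observations; its absence is diagnosability under the stated assumptions."""
    return not confused_cycle(build_verifier(des))


def example_undiagnosable():
    # Constructed: after observable 'a', fault 'f' and harmless 'u' both lead to a 'b'-loop,
    # so the observer can never tell the two futures apart.
    trans = {(0, "a"): 1, (1, "f"): 2, (1, "u"): 3, (2, "b"): 2, (3, "b"): 3}
    return DES(init=0, trans=trans, observable={"a", "b"}, faults={"f"})


def example_diagnosable():
    # Constructed: same shape, but the post-fault loop emits 'c' instead of 'b',
    # so one observation after the fault reveals it.
    trans = {(0, "a"): 1, (1, "f"): 2, (1, "u"): 3, (2, "c"): 2, (3, "b"): 3}
    return DES(init=0, trans=trans, observable={"a", "b", "c"}, faults={"f"})


if __name__ == "__main__":
    print("undiagnosable example ->", is_diagnosable(example_undiagnosable()))
    print("diagnosable example   ->", is_diagnosable(example_diagnosable()))
```

The verifier has at most (2n)^2 states for an n-state automaton, which is what makes this check polynomial, in contrast to the exponential diagnoser automaton; the modular notion studied in this project is a different property and is not what the block above decides.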
Fig. 1: Hierarchical Anomaly Detection Framework

Fig. 2: Modular Diagnosability Verification

References

1. O. Contant (Teneketzis and Lafortune joint advisors), "On monitoring and diagnosing classes of discrete event systems", PhD Thesis, Dept. EECS, University of Michigan, May 2005.

2. O. Contant, S. Lafortune, and D. Teneketzis, "Diagnosis of Modular Discrete Event Systems", accepted to 2004 International Workshop on Discrete Event Systems (WODES'04), September 2004.

3. O. Contant, S. Lafortune, and D. Teneketzis, "Diagnosis of Discrete Event Systems with Modular Structure", Discrete Event Dynamic Systems: Theory and Applications, Vol. 16, No. 1, January 2006, pp. 9-37.

4. P. Macnamara, "Correlation and Classification of Internet Traffic Anomalies", Technical Report, Department of EECS, University of Michigan, August 2005.

5. O. Contant, P. Macnamara, S. Lafortune, and D. Teneketzis, "A Hierarchical Framework for Classifying and Assessing Internet Traffic Anomalies", U. of Michigan Tech. Report CGR 07-13, November 2007.