PC conflicts

Adam Bates

Bo Li

Brad Reaves

Dimitrios Papadopoulos

Domenic Forte

Hamed Okhravi

Kevin Butler

Manuel Egele

Michael Bailey

Patrick Traynor <>

Patrick Traynor <>

Thomas Moyer

Tom Shrimpton


[PDF] Final version 1 Dec 2017 10:07:05pm EST · 02457ff227f163ab02d82ad46bbbb50d817f084c73ed94ec0f60734a1985aa6f02457ff2

[PDF] Submission version

Investigating the nature of system intrusions in large distributed systems remains a notoriously difficult challenge. While monitoring tools (e.g., Firewalls, IDS) provide preliminary alerts through easy-to-use administrative interfaces, attack reconstruction still requires that administrators sift through gigabytes of system audit logs stored locally on hundreds of machines. At present, two fundamental obstacles prevent synergy between system-layer auditing and modern cluster monitoring tools: 1) the sheer volume of audit data generated in a data center is prohibitively costly to transmit to a central node, and 2) system- layer auditing poses a “needle-in-a-haystack” problem, such that hundreds of employee hours may be required to diagnose a single intrusion. This paper presents Winnower, a scalable system for audit- based cluster monitoring that addresses these challenges. Our key insight is that, for tasks that are replicated across nodes in a distributed application, a model can be defined over audit logs to succinctly summarize the behavior of many nodes, thus eliminating the need to transmit redundant audit records to a central monitoring node. Specifically, Winnower parses audit records into provenance graphs that describe the actions of individual nodes, then performs grammatical inference over individual graphs using a novel adaptation of Deterministic Finite Automata (DFA) Learning to produce a behavioral model of many nodes at once. This provenance model can be efficiently transmitted to a central node and used to identify anomalous events in the cluster. We have implement Winnower for Docker Swarm container clusters, and evaluate our system against real-world applications and attacks. We show that Winnower dramatically reduces storage and network overhead associated with aggregating system audit logs, by as much as 98%, without sacrificing the important information needed for attack investigation. Winnower thus represents a significant step forward for security monitoring in distributed systems.
W. Hassan, M. Lemay, N. Aguse, A. Bates, T. Moyer [details]

Wajih Ul Hassan (University of Illinois Urbana-Champaign) <>

Mark Lemay (Boston University) <>

Nuraini Aguse (University of Illinois Urbana-Champaign) <>

Adam Bates (University of Illinois Urbana-Champaign) <>

Thomas Moyer (University of North Carolina at Charlotte) <>

  • Security and privacy for distributed systems, e.g., cryptocurrencies
  • Security for cloud computing
✓ Student paper

To edit this submission, sign in using your email and password.
Review #141A2233
Review #141B3314
Review #141C3334
Review #141D3323