Identifying the Provenance of Correlated Anomalies

Executive Summary

Identifying when anomalous activity is correlated across a distributed system is useful for a range of applications, from intrusion detection to tracking quality of service. The more specific the logs, the more precise the analysis they allow. However, collecting detailed logs from across a distributed system can deluge the network fabric. The authors present an architecture that allows fine-grained auditing on individual hosts, a space-efficient representation of anomalous activity that can be correlated centrally, and tracing of anomalies back to individual files and processes in the system.

  • Format: PDF
  • Size: 292.1 KB