Journal: American Journal of Computer Science and Technology

A Framework for Intrusion Detection Based on Workflow Mining


Abstract

Information systems handle large amounts of data within enterprises by offering the possibility to collect, process, store and make information available. To achieve this, it is crucial to secure data from intrusions that disturb the confidentiality, availability, and integrity of data. This integrity must follow the strategic alignment of the considered enterprise. Unfortunately, the goal of attackers is to affect the resources present in the system. Research in the intrusion detection field is still in search of proposals for relevant problems. Many existing solutions rely on machine learning and data mining models. Nevertheless, these solutions, based on signature and behavior approaches to intrusion detection, are more interested in data and do not have a global view of processes. The aim of this paper is to use workflow mining for host-based intrusion detection by monitoring workflow event logs related to resources. With workflow mining, process executions are stored in event logs, and the detection of intrusions can be realized by analyzing them on the basis of a well-defined security policy. To achieve our goal, step by step, we start with the specification of the different concepts manipulated. Afterwards, we provide a model of security policy and a model of intrusion detection that enables us to have a low rate of false alerts. Finally, we implement the solution via a prototype to observe how it can work.
