Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings

Research Article

SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle

  • @INPROCEEDINGS{10.1007/978-3-319-73697-6_17,
        author={Wu Xin and Qingni Shen and Yahui Yang and Zhonghai Wu},
        title={SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle},
        proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings},
        proceedings_a={ICDF2C},
        year={2018},
        month={1},
        keywords={Semantic-enhanced, User authentication, Tagging, APT, User profile, Eagle, Anomaly detection, User activity monitoring, Machine learning},
        doi={10.1007/978-3-319-73697-6_17}
    }
    
  • Wu Xin, Qingni Shen, Yahui Yang, Zhonghai Wu. SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle. ICDF2C, Springer, 2018. DOI: 10.1007/978-3-319-73697-6_17
Wu Xin*, Qingni Shen*, Yahui Yang*, Zhonghai Wu*
    *Contact email: xinwu@pku.edu.cn, qingnishen@ss.pku.edu.cn, yhyang@ss.pku.edu.cn, wuzh@ss.pku.edu.cn

    Abstract

    In order to ensure data security and monitor data behavior, eBay has developed Eagle, which detects anomalous user behavior based on user profiles and protects the data of the Hadoop ecosystem in real time. By analyzing the kernel density estimation (KDE) algorithm and its implementation in Eagle's source code, we identify two security risks. First, user profiles model the operations a user performs, but not the objects those operations act on. Second, the owner of the HDFS audit log files is not authenticated. Consequently, an attacker can bypass Eagle and, combined with Hadoop's default permissions, mount an APT-style attack. In this paper we analyze these two risks, propose two attack methods that bypass Eagle's anomaly detection, the co-frequency operation attack and the log injection attack, and establish a threat model whose feasibility we verify experimentally. Finally, we present SeEagle, a semantic-enhanced anomaly detection system for securing Eagle that adds user authentication and file tagging modules. Our preliminary experimental evaluation shows that SeEagle works well and that the extra overhead is acceptable.
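    The first risk and its remedy, shown as an added runnable example (this is illustration code, not Eagle's or SeEagle's implementation): a user's profile is built only from per-operation counts over HDFS audit lines, so a window with the same counts of open/create/delete but aimed at HR files scores as normal; adding one semantic feature, the number of operations on files carrying a "sensitive" tag, makes the same window an outlier. The audit lines, the path-prefix tag table, and the Gaussian KDE with a fixed threshold are all assumptions constructed for the example; the page does not describe Eagle's exact feature vector, bandwidth, or SeEagle's tag storage.

```python
"""Added illustration (not Eagle's or SeEagle's code): a simplified KDE user
profile over HDFS audit-log lines, showing why an operation-only profile misses
a co-frequency attack and how a per-file sensitivity tag exposes it."""
import math
import re

# Field order of a real HDFS NameNode audit line:
#   allowed= ugi= ip= cmd= src= dst= perm= proto=
AUDIT_RE = re.compile(r"ugi=(?P<user>\S+).*?\bcmd=(?P<cmd>\S+)\s+src=(?P<src>\S+)")

# Assumed tag table standing in for SeEagle's file tagging; the page does not
# specify how tags are assigned or stored.
SENSITIVE_PREFIXES = ("/data/hr/", "/data/finance/")
OPS = ("open", "create", "delete")


def parse(line):
    """Return (user, cmd, src) from one audit line, or None if malformed."""
    m = AUDIT_RE.search(line)
    return (m.group("user"), m.group("cmd"), m.group("src")) if m else None


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def features(lines, with_tags):
    """Operation counts for one user in one time window.

    with_tags=False: Eagle-style vector of per-operation counts only.
    with_tags=True:  same counts plus the number of operations whose object
                     carries the 'sensitive' tag (the semantic feature).
    """
    events = [e for e in map(parse, lines) if e]
    vec = [sum(1 for _, cmd, _ in events if cmd == op) for op in OPS]
    if with_tags:
        vec.append(sum(1 for _, _, src in events if is_sensitive(src)))
    return vec


def kde_density(x, train, h=1.0):
    """Gaussian KDE estimate at x from the training vectors in train."""
    d = len(x)
    norm = 1.0 / (len(train) * (math.sqrt(2 * math.pi) * h) ** d)
    return norm * sum(
        math.exp(-sum((a - b) ** 2 for a, b in zip(x, t)) / (2 * h * h))
        for t in train
    )


def is_anomalous(x, train):
    """Flag x if its density falls below half that of the sparsest training window."""
    threshold = 0.5 * min(kde_density(t, train) for t in train)
    return kde_density(x, train) < threshold


def make_window(user, counts, prefix):
    """Constructed audit lines: `counts` operations of each kind under `prefix`."""
    lines = []
    for op, n in zip(OPS, counts):
        for i in range(n):
            lines.append(
                f"2017-10-09 10:{i:02d}:00,000 INFO FSNamesystem.audit: allowed=true "
                f"ugi={user} (auth:SIMPLE) ip=/10.0.0.5 cmd={op} "
                f"src={prefix}{op}_{i}.csv dst=null perm=null proto=rpc"
            )
    return lines


# Constructed baseline: six windows of alice's routine work on public data.
BASELINE = [make_window("alice", c, "/data/public/")
            for c in [(5, 2, 1), (6, 2, 1), (5, 3, 1), (4, 2, 0), (5, 2, 2), (6, 3, 1)]]
# Co-frequency attack: identical operation counts, but aimed at tagged HR files.
ATTACK = make_window("alice", (5, 2, 1), "/data/hr/")


def evaluate():
    """Return, per profile type, whether the attack window is flagged."""
    out = {}
    for name, with_tags in (("operation_only", False), ("with_file_tags", True)):
        train = [features(w, with_tags) for w in BASELINE]
        out[name] = is_anomalous(features(ATTACK, with_tags), train)
    return out


if __name__ == "__main__":
    print(evaluate())
```

    The attack window's operation-only vector is identical to one of the baseline windows, so no threshold choice can separate it; the tag count is the only coordinate on which it differs, which is exactly the "objects of operations" the abstract says Eagle's profiles leave out.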