Research Article
SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle
@INPROCEEDINGS{10.1007/978-3-319-73697-6_17,
  author={Wu Xin and Qingni Shen and Yahui Yang and Zhonghai Wu},
  title={SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle},
  proceedings={Digital Forensics and Cyber Crime. 9th International Conference, ICDF2C 2017, Prague, Czech Republic, October 9-11, 2017, Proceedings},
  proceedings_a={ICDF2C},
  year={2018},
  month={1},
  keywords={Semantic-enhanced User authentication Tagging APT User profile Eagle Anomaly detection User activity monitoring Machine learning},
  doi={10.1007/978-3-319-73697-6_17}
}
- Wu Xin
- Qingni Shen
- Yahui Yang
- Zhonghai Wu
Year: 2018
SeEagle: Semantic-Enhanced Anomaly Detection for Securing Eagle
ICDF2C
Springer
DOI: 10.1007/978-3-319-73697-6_17
Abstract
In order to ensure data security and monitor data behavior, eBay has developed Eagle, which detects anomalous user behavior based on user profiles and can intelligently protect the data security of the Hadoop ecosystem in real time. By analyzing the kernel density estimation (KDE) algorithm and the source code implemented in Eagle, we recognize two security risks: one is that user profiles are models of operations, but the objects of those operations are not analyzed; the other is that the owner of HDFS audit log files is not authenticated. Consequently, an attacker can bypass Eagle and, combined with the default permissions of Hadoop, mount an APT attack. In this paper, we analyze the two risks of Eagle, propose two kinds of attack methods that can bypass Eagle's anomaly detection: co-frequency operation attack and log injection attack, and establish a threat model whose feasibility is verified experimentally. Finally, we present SeEagle, a semantic-enhanced anomaly detection for securing Eagle, including user authentication and file tagging modules. Our preliminary experimental evaluation shows that SeEagle works well and the extra overhead is acceptable.