Anomaly Detection and Early Warning System

Competence Center: Security
Contact: Prof. Dr. Sahin Albayrak, Dr. Karsten Bsufka
Partners: Deutsche Telekom Laboratories, Deutsches Forschungszentrum für Künstliche Intelligenz, Ben-Gurion University of the Negev


ADEWaS is a project funded by Deutsche Telekom Laboratories to develop an early warning system that detects attacks and failures in telecommunication services and infrastructures at an early stage. Telecommunication services, applications and infrastructure elements create huge amounts of audit trails that, if properly analyzed, carry clues in the form of anomalies. Timely detection and analysis of these anomalies can yield early warning messages that help to detect attacks, failures and misuse.

In this project, the DAI Laboratory realizes a multiagent system (MAS) that detects anomalies and creates warnings at an early stage.

The ADEWaS MAS has the following major tasks:

  1. Collect data from various sources, e.g. server log files, intrusion detection systems, and transaction systems.
  2. Translate the various data formats used by the data sources into a common format.
  3. Provide a semantic description for the system, data and detection results.
  4. Supply data to anomaly detection approaches.
  5. Present detection results, generate warnings and realize alert and notification mechanisms.

The ADEWaS MAS is designed to work with a variety of anomaly detection approaches. The project partners Ben-Gurion University of the Negev and Deutsches Forschungszentrum für Künstliche Intelligenz implement those approaches. The approaches range from unsupervised, statistical approaches to supervised, machine learning approaches.

The approach developed within the ADEWaS project is comprised of different categories of agents. The Data Acquisition agents are distributed across the network, encapsulate data sources and provide the raw data to Data Processing agents. These agents fulfill different tasks such as the annotation of raw data and the conversion to a common format, but also provide provisioning and notification mechanisms for other ADEWaS components, such as the detection agents. The detection agents belong to the category Data Exploitation and provide detection results that can be reviewed and verified with the help of the user.
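The three agent categories described above, as an added illustration in Python that is not part of the ADEWaS project's own code: two constructed source formats (a web-server log and an IDS alert log) are normalized into one common record, aggregated per minute, and fed to a simple unsupervised statistical detector that raises a warning when a minute's count exceeds the historical mean by k standard deviations. The record layout, log formats, threshold and sample data are assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict

# Data Acquisition: each source-specific parser maps a raw line to a common
# (minute, source, kind) record. Both line formats are constructed for this example.
WEB_RE = re.compile(r'^\[(\d+)\] (\S+) (\S+) (\d{3})$')   # [minute] client path status
IDS_RE = re.compile(r'^t=(\d+) sig=(\S+) src=(\S+)$')    # t=minute sig=name src=client

def acquire(source, line):
    if source == "web":
        m = WEB_RE.match(line)
        if m and m.group(4).startswith("5"):          # keep only server-side errors
            return (int(m.group(1)), "web", "http_5xx")
        return None
    if source == "ids":
        m = IDS_RE.match(line)
        return (int(m.group(1)), "ids", "alert:" + m.group(2)) if m else None
    return None

# Data Processing: aggregate common-format records into per-minute counts per
# (source, kind); minutes without events are filled with 0 so the baseline is honest.
def process(events):
    if not events:
        return {}
    lo, hi = min(e[0] for e in events), max(e[0] for e in events)
    counts = defaultdict(lambda: {m: 0 for m in range(lo, hi + 1)})
    for minute, source, kind in events:
        counts[(source, kind)][minute] += 1
    return dict(counts)

# Data Exploitation: unsupervised detector. A minute is anomalous when its count
# exceeds the mean of all earlier minutes by more than k standard deviations.
def detect(series, k=3.0, min_history=5):
    warnings, minutes = [], sorted(series)
    for i, minute in enumerate(minutes):
        history = [series[m] for m in minutes[:i]]
        if len(history) < min_history:                 # not enough baseline yet
            continue
        threshold = statistics.mean(history) + k * (statistics.pstdev(history) or 1.0)
        if series[minute] > threshold:
            warnings.append((minute, series[minute], round(threshold, 1)))
    return warnings

def early_warning(raw_lines):
    events = [e for src, ln in raw_lines if (e := acquire(src, ln))]
    return {key: w for key, s in process(events).items() if (w := detect(s))}

# Constructed sample: one 503 per minute for minutes 0-10, plus a burst of 502s in minute 10.
SAMPLE = ([("web", f"[{m}] 10.0.0.{m} /index.html 200") for m in range(11)]
          + [("web", f"[{m}] 10.0.0.7 /api 503") for m in range(11)]
          + [("web", "[10] 10.0.0.9 /api 502")] * 7
          + [("ids", f"t={m} sig=scan src=10.0.0.{m}") for m in range(11)])
```

Running `early_warning(SAMPLE)` flags only minute 10 of the web 5xx series; the steady IDS alert rate produces no warning.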