Competitive Advantages:
Detects insider attacks at runtime, performs application-level statistical analysis, determines memory access patterns.
A runtime attack can be detected on a big data system while processes are executing on various nodes. A behavior profile can be maintained for the tasks or processes running on different nodes. The existence of a call variance in one of the traces for one of the behavior profiles can be determined. A memory variance can also be detected in one of the behavior profiles. A runtime attack is determined to have occurred when both the memory variance and the call variance are determined to exist.

Our inventors have designed a novel method for detecting insider attacks in big data platforms during runtime. This method analyzes multiple features of a process's memory access, packages them as a process behavior profile, and shares that profile with other replica data-nodes in the system for verification. The replica data-nodes then verify the memory access of their local processes using the received profiles. This approach detects, in real time, an insider attack that cannot be detected with traditional analysis metrics.
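The two-condition check described above can be sketched as follows. This is an added example, not the inventors' implementation: the profile fields, the memory feature (a per-window access count), the distance measure, the tolerances and the node names are all assumptions, and the traces are constructed sample data.

```python
from collections import Counter
from statistics import mean

def build_profile(calls, mem_windows):
    """Package one process's call trace and memory-access samples as a profile."""
    total = len(calls)
    return {
        "calls": {name: n / total for name, n in Counter(calls).items()},
        "mem_mean": mean(mem_windows),
        "mem_peak": max(mem_windows),
    }

def call_variance(local, received, tol=0.10):
    """True when call-frequency distributions differ by more than tol (L1 distance)."""
    names = set(local["calls"]) | set(received["calls"])
    dist = sum(abs(local["calls"].get(n, 0.0) - received["calls"].get(n, 0.0))
               for n in names)
    return dist > tol

def memory_variance(local, received, tol=0.25):
    """True when any memory feature deviates from the received value by more than tol."""
    return any(abs(local[k] - received[k]) > tol * received[k]
               for k in ("mem_mean", "mem_peak"))

def verify(local, received):
    """Flag a runtime attack only when both variances exist."""
    return call_variance(local, received) and memory_variance(local, received)

# Constructed sample traces for one task replicated on four data nodes.
BASE_CALLS = ["open", "read", "read", "write", "close"] * 20
PROFILES = {
    "node-a": build_profile(BASE_CALLS, [120, 118, 125, 122, 119]),  # sender
    "node-b": build_profile(BASE_CALLS, [121, 117, 126, 120, 123]),  # matches
    "node-c": build_profile(BASE_CALLS + ["socket", "send"] * 15,
                            [120, 310, 305, 122, 119]),              # both differ
    "node-d": build_profile(BASE_CALLS, [180, 175, 190, 185, 178]),  # memory only
}

def check_replicas(sender="node-a"):
    """Each replica verifies its local profile against the sender's profile."""
    received = PROFILES[sender]
    return {node: verify(local, received)
            for node, local in PROFILES.items() if node != sender}

if __name__ == "__main__":
    for node, alert in check_replicas().items():
        print(node, "ALERT" if alert else "ok")
```

Requiring both variances means node-d, whose memory use differs but whose call trace matches, does not raise an alert, while node-c does.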