Tariq, D., Baig, B., Gehani, A., Mahmood, S., Tahir, R., Aqil, A., & Zaffar, F. (2011, March). Identifying the provenance of correlated anomalies. In Proceedings of the 2011 ACM Symposium on Applied Computing (pp. 224-229).
Identifying when anomalous activity is correlated in a distributed system is useful for a range of applications from intrusion detection to tracking quality of service. The more specific the logs, the more precise the analysis they allow. However, collecting detailed logs from across a distributed system can deluge the network fabric. We present an architecture that allows fine-grained auditing on individual hosts, space-efficient representation of anomalous activity that can be centrally correlated, and tracing anomalies back to individual files and processes in the system. A key contribution is the design of an anomaly-provenance bridge that allows opaque digests of anomalies to be mapped back to their associated provenance.