Abstract
In this paper, we present a research work on a novel methodology of identifying abnormal behaviors at the underlying network monitor layer during runtime based on the execution patterns of Web of Things (WoT) applications. An execution pattern of a WoT application is a sequence of profiled time delays between the invocations of involved Web services, and it can be obtained from WoT platforms. We convert the execution pattern to a time sequence of network flows that are generated when the WoT applications are executed. We consider such time sequences as a whitelist. This whitelist reflects the valid application execution patterns. At the network monitor layer, our applied RETE algorithm examines whether any given runtime sequence of network flow instances does not conform to the whitelist. Through this approach, it is possible to interpret a sequence of network flows with regard to application logic. Given such contextual information, we believe that the administrators can detect and reason about any abnormal behaviors more effectively. Our empirical evaluation shows that our RETE-based algorithm outperforms the baseline algorithm in terms of memory usage.