Distributed Finite-State Runtime Monitoring with Aggregated Events

  • Kevin Falzon
  • Eric Bodden
  • Rahul Purandare
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8174)

Abstract

Security information and event management (SIEM) systems usually consist of a centralized monitoring server that processes events sent from a large number of hosts through a potentially slow network. In this work, we discuss how monitoring efficiency can be increased by switching to a model of aggregated traces, where monitored hosts buffer events into lossy but compact batches. In our trace model, such batches retain the number and types of events processed, but not their order. We present an algorithm for automatically constructing, out of a regular finite-state property definition, a monitor that can process such aggregated traces.

We discuss the resultant monitor’s complexity and prove that it determines the set of possible next states without producing false negatives and with a precision that is optimal given the reduced information the trace carries.
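The following is an added illustration of the trace model the abstract describes; it is not code from the paper and does not reproduce the authors' monitor construction. It uses a constructed three-state property automaton (an open/read/close handle protocol with an absorbing error state) and constructed batches. Instead of a prebuilt aggregate monitor, it computes the possible-next-state set by a search over (state, remaining event counts) pairs, which is bounded by the number of states times the product of the per-type counts plus one, rather than by the number of orderings. A brute-force enumeration of all orderings is included only to check the two properties the abstract claims: no reachable state is missed (no false negatives) and no unreachable state is reported (precision limited only by the missing order).

```python
from itertools import permutations

# Constructed property automaton (not from the paper):
#   'idle' --open--> 'open' --close--> 'idle';  'read' is only valid while 'open'.
# Every other move enters the absorbing error state 'err'.
STATES = ("idle", "open", "err")
EVENTS = ("open", "read", "close")
TRANSITIONS = {
    ("idle", "open"): "open",
    ("idle", "read"): "err",
    ("idle", "close"): "err",
    ("open", "open"): "err",
    ("open", "read"): "open",
    ("open", "close"): "idle",
    ("err", "open"): "err",
    ("err", "read"): "err",
    ("err", "close"): "err",
}


def step(state, event):
    """One transition of the deterministic, total property automaton."""
    return TRANSITIONS[(state, event)]


def run_exact(state, trace):
    """Ordinary monitor: consumes an ordered trace and yields a single state."""
    for ev in trace:
        state = step(state, ev)
    return state


def run_aggregated(states, batch):
    """Aggregated-trace monitor (hypothetical implementation).

    `batch` maps event type -> count and carries no ordering; `states` is the
    current set of possible automaton states. Returns every state reachable
    by consuming all events of the batch in some order from some start state.
    Configurations are (state, remaining-count vector); memoising on them
    keeps the search to at most |STATES| * prod(n_i + 1) configurations.
    """
    unknown = set(batch) - set(EVENTS)
    if unknown:
        raise ValueError(f"unknown event types in batch: {sorted(unknown)}")
    types = [t for t in EVENTS if batch.get(t, 0) > 0]
    start = tuple(batch[t] for t in types)
    frontier = {(s, start) for s in states}
    seen = set(frontier)
    result = set()
    while frontier:
        nxt = set()
        for state, rem in frontier:
            if not any(rem):            # batch fully consumed: candidate state
                result.add(state)
                continue
            for i, t in enumerate(types):
                if rem[i] == 0:
                    continue
                new_rem = rem[:i] + (rem[i] - 1,) + rem[i + 1:]
                cfg = (step(state, t), new_rem)
                if cfg not in seen:
                    seen.add(cfg)
                    nxt.add(cfg)
        frontier = nxt
    return result


def verdict(states):
    """A definite violation only when every possible state is the error state;
    otherwise the lost ordering leaves the outcome ambiguous."""
    if states == {"err"}:
        return "violation"
    if "err" in states:
        return "possible violation"
    return "ok"


def brute_force_states(states, batch):
    """Reference oracle: run the exact monitor over every ordering of the batch
    (exponential; used only to check the aggregated monitor's result set)."""
    events = [t for t, n in batch.items() for _ in range(n)]
    return {run_exact(s, p) for s in states for p in set(permutations(events))}


if __name__ == "__main__":
    # Constructed batches; the order of events inside each batch is unknown.
    for batch in ({"open": 1, "read": 2}, {"open": 1, "close": 1},
                  {"open": 2, "read": 1, "close": 1}, {"read": 1}, {"open": 2}):
        possible = run_aggregated({"idle"}, batch)
        assert possible == brute_force_states({"idle"}, batch)
        print(batch, sorted(possible), verdict(possible))
```

The batch `{"open": 1, "read": 2}` from `idle` yields `{"open", "err"}`: the ordering open-read-read is valid while any ordering starting with a read is not, so the monitor can only report a possible violation. The batch `{"open": 2}` yields `{"err"}` regardless of order, which is a definite violation; a SIEM backend can alert on the first kind only after finer-grained data arrives and on the second kind immediately.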

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Kevin Falzon (1)
  • Eric Bodden (1)
  • Rahul Purandare (2)
  1. European Center for Security and Privacy by Design (EC-SPRIDE), Germany
  2. Department of Computer Science and Engineering, University of Nebraska-Lincoln, USA
