Distributed Finite-State Runtime Monitoring with Aggregated Events
Security information and event management (SIEM) systems usually consist of a centralized monitoring server that processes events sent from a large number of hosts through a potentially slow network. In this work, we discuss how monitoring efficiency can be increased by switching to a model of aggregated traces, where monitored hosts buffer events into lossy but compact batches. In our trace model, such batches retain the number and types of events processed, but not their order. We present an algorithm for automatically constructing, out of a regular finite-state property definition, a monitor that can process such aggregated traces.
We discuss the resultant monitor’s complexity and prove that it determines the set of possible next states without producing false negatives and with a precision that is optimal given the reduced information the trace carries.
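The following is an added illustration of the trace model described in the abstract, not code from the paper: a small deterministic finite automaton (DFA) is monitored over batches that record only event counts, and the monitor computes the set of states reachable under any ordering of the batch. The property, its events, the state names and the function names are all constructed assumptions for this example. A brute-force enumeration of every ordering is included only as a reference to check that the count-based computation reports exactly the reachable states (no false negatives, and no state that no ordering could produce).

```python
from functools import lru_cache
from itertools import permutations

# Constructed example property (assumption, not from the paper):
# "a write must not occur once the file has been closed".
# States: "A" = no close seen (or reopened), "B" = closed, "ERR" = violation (absorbing).
EVENTS = ("open", "write", "close")
DFA = {
    ("A", "open"): "A", ("A", "write"): "A", ("A", "close"): "B",
    ("B", "open"): "A", ("B", "write"): "ERR", ("B", "close"): "B",
    ("ERR", "open"): "ERR", ("ERR", "write"): "ERR", ("ERR", "close"): "ERR",
}
ERROR_STATES = frozenset({"ERR"})


def step(state, event):
    """Ordinary DFA transition on a single, ordered event."""
    return DFA[(state, event)]


def possible_states(start_states, batch):
    """Aggregated-trace step: return every DFA state reachable from some state in
    start_states by consuming all events of `batch` (dict event -> count) in
    some order. Memoised on (state, remaining counts), so the work is bounded by
    |states| * prod(count_e + 1) rather than by the number of orderings."""
    counts = tuple(batch.get(e, 0) for e in EVENTS)

    @lru_cache(maxsize=None)
    def reach(state, remaining):
        if not any(remaining):
            return frozenset({state})
        out = set()
        for i, event in enumerate(EVENTS):
            if remaining[i]:
                nxt = remaining[:i] + (remaining[i] - 1,) + remaining[i + 1:]
                out |= reach(step(state, event), nxt)
        return frozenset(out)

    result = set()
    for s in start_states:
        result |= reach(s, counts)
    return frozenset(result)


def monitor(batches, initial="A"):
    """Run the aggregated monitor over a sequence of batches from one host.
    Returns, per batch, the set of possible current states and whether a
    violation is possible (the set intersects the error states)."""
    current = frozenset({initial})
    history = []
    for batch in batches:
        current = possible_states(current, batch)
        history.append((current, bool(current & ERROR_STATES)))
    return history


def brute_force_states(start_states, batch):
    """Reference only: replay every distinct ordering explicitly (exponential).
    Used to confirm the count-based result is exactly the reachable set."""
    events = [e for e in EVENTS for _ in range(batch.get(e, 0))]
    out = set()
    for s in start_states:
        for order in set(permutations(events)):
            state = s
            for e in order:
                state = step(state, e)
            out.add(state)
    return frozenset(out)


if __name__ == "__main__":
    # Constructed batches: the host reports {close: 1} and then {open: 1, write: 1}.
    for states, may_violate in monitor([{"close": 1}, {"open": 1, "write": 1}]):
        print(sorted(states), "violation possible:", may_violate)
```

In the second batch above, an ordered trace would settle the question (open then write is fine, write then open is a violation), but the batch has lost that order, so `{"A", "ERR"}` is the most precise answer available: the violation is reported as possible rather than missed, and no unreachable state is included. The per-host state set, rather than a single state, is what the central server must carry forward between batches.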
Keywords: Regular Expression, Aggregate Event, Event Stream, Trace Model, Basic Constraint