On the Complexity of Monitoring Orchids Signatures

  • Jean Goubault-LarrecqEmail author
  • Jean-Philippe Lachance
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10012)


Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let f(n) be the maximum number of monitor instances that can be fired on a sequence of n events: we design an algorithm that decides whether f(n) is asymptotically exponential or polynomial, and in the latter case returns an exponent d such that \(f(n) = \varTheta (n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators \(+\) and \(\max \), and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as n tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan’s strongly connected components algorithm, in linear time.


Recurrence Equation Intrusion Detection System Outgoing Edge State Wait Runtime Verification 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This research was partially funded by INRIA-DGA grant 12 81 0312 (2013–2016). This, in particular, funded the second author’s internship at LSV, ENS Cachan, in the spring of 2013, who implemented two prototypes for a precursor of the algorithm described here. The second author also thanks Hydro-Québec and Les Offices jeunesse internationaux du Québec (LOJIQ) for their financial support.

The first author would like to thank Mounir Assaf for drawing his attention to analytic combinatorics, and the anonymous referees for their suggestions.


  1. [Ass15]
    Assaf, M.: From qualitative to quantitative program analysis: permissive enforcement of secure information flow. PhD thesis, Université Rennes I (2015)Google Scholar
  2. [BKMZ15]
    Basin, D., Klaedtke, F., Müller, S., Zălinescu, E.: Monitoring metric first-order temporal properties. J. ACM 62(2), 15:1–15:45 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  3. [FS09]
    Flajolet, P., Sedgwick, R.: Analytic Combinatorics. Cambridge University Press, New York (2009)CrossRefGoogle Scholar
  4. [GO08]
    Goubault-Larrecq, J., Olivain, J.: A smell of Orchids. In: Leucker, M. (ed.) RV 2008. LNCS, vol. 5289, pp. 1–20. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-89247-2_1 CrossRefGoogle Scholar
  5. [GO13]
    Goubault-Larrecq, J., Olivain, J.: On the efficiency of mathematics in intrusion detection: the NetEntropy case. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS -2013. LNCS, vol. 8352, pp. 3–16. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-05302-8_1 CrossRefGoogle Scholar
  6. [HR15]
    Havelund, K., Reger, G.: Specification of parametric monitors - quantified event automata versus rule systems. In: Drechsler, R., Kuhne, U. (eds.) Formal Modeling and Verification of Cyber-Physical Systems, pp. 151–189. Springer, Wiesbaden (2015)CrossRefGoogle Scholar
  7. [LZL+14]
    Luo, Q., Zhang, Y., Lee, C., Jin, D., Meredith, P.O.N., Şerbănuţă, T.F., Roşu, G.: RV-Monitor: efficient parametric runtime verification with simultaneous properties. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 285–300. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11164-3_24 Google Scholar
  8. [OG05]
    Olivain, J., Goubault-Larrecq, J.: The Orchids intrusion detection tool. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 286–290. Springer, Heidelberg (2005). doi: 10.1007/11513988_28 CrossRefGoogle Scholar
  9. [Pur03]
    Purczyński, W.: Linux kernel privileged process hijacking vulnerability. BugTraq Id 7112, March 2003.
  10. [RG01]
    Roger, M., Goubault-Larrecq, J.: Log auditing through model checking. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW 2001), Cape Breton, pp. 220–236. IEEE Computer Society Press, June 2001Google Scholar
  11. [RGL99]
    Roger, M., Goubault-Larrecq, J.: Procédé et dispositif de résolution de modèles, utilisation pour la détection des attaques contre les systèmes informatiques. Dépôt français du 13, correspondant Dyade, demandeurs: 1. INRIA 2. Bull S.A. Numéro de publication: 2 798 490. Numéro d’enregistrement national: 99 11716. Classification: G 06 F 19/00. Date de mise à la disposition du public de la demande: 16 mars 2001, bulletin 01/11, 1999, September 1999Google Scholar
  12. [Tar72]
    Tarjan, R.E.: Depth-first search and linear graph algorithms. SIAM J. Comput. 1(2), 146–160 (1972)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Jean Goubault-Larrecq
    • 1
    Email author
  • Jean-Philippe Lachance
    • 1
    • 2
  1. 1.LSV, ENS Cachan, CNRS, Université Paris-SaclayCachanFrance
  2. 2.Coveo Solutions, Inc.Québec CityCanada

Personalised recommendations