Abstract
Modern monitoring tools such as our intrusion detection tool Orchids work by firing new monitor instances dynamically. Given an Orchids signature (a.k.a. a rule, a specification), what is the complexity of checking that specification, that signature? In other words, let f(n) be the maximum number of monitor instances that can be fired on a sequence of n events: we design an algorithm that decides whether f(n) is asymptotically exponential or polynomial, and in the latter case returns an exponent d such that \(f(n) = \varTheta (n^d)\). Ultimately, the problem reduces to the following mathematical question, which may have other uses in other domains: given a system of recurrence equations described using the operators \(+\) and \(\max \), and defining integer sequences \(u_n\), what is the asymptotic behavior of \(u_n\) as n tends to infinity? We show that, under simple assumptions, \(u_n\) is either exponential or polynomial, and that this can be decided, and the exponent computed, using a simple modification of Tarjan’s strongly connected components algorithm, in linear time.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Historically, Orchids also evolved from previous attempts, starting from [RG01], which presents two approaches. The second approach was a forerunner of the 2008 approach [GO08], and corrected a few flaws from the first approach. That same first approach (not the second one) is covered by a patent [RGL99]. That patent does not cover Orchids. The main reason is that the main claims of that patent require a means of generating propositional Horn clauses from formulae in a temporal logic for each new event read. The Orchids algorithm is not based on any such mechanism.
- 2.
Variables are thread-local: if an Orchids thread modifies one of its variables, this does not affect any other thread.
References
Assaf, M.: From qualitative to quantitative program analysis: permissive enforcement of secure information flow. PhD thesis, Université Rennes I (2015)
Basin, D., Klaedtke, F., Müller, S., Zălinescu, E.: Monitoring metric first-order temporal properties. J. ACM 62(2), 15:1–15:45 (2015)
Flajolet, P., Sedgwick, R.: Analytic Combinatorics. Cambridge University Press, New York (2009)
Goubault-Larrecq, J., Olivain, J.: A smell of Orchids. In: Leucker, M. (ed.) RV 2008. LNCS, vol. 5289, pp. 1–20. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89247-2_1
Goubault-Larrecq, J., Olivain, J.: On the efficiency of mathematics in intrusion detection: the NetEntropy case. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS -2013. LNCS, vol. 8352, pp. 3–16. Springer, Heidelberg (2014). doi:10.1007/978-3-319-05302-8_1
Havelund, K., Reger, G.: Specification of parametric monitors - quantified event automata versus rule systems. In: Drechsler, R., Kuhne, U. (eds.) Formal Modeling and Verification of Cyber-Physical Systems, pp. 151–189. Springer, Wiesbaden (2015)
Luo, Q., Zhang, Y., Lee, C., Jin, D., Meredith, P.O.N., Şerbănuţă, T.F., Roşu, G.: RV-Monitor: efficient parametric runtime verification with simultaneous properties. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 285–300. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11164-3_24
Olivain, J., Goubault-Larrecq, J.: The Orchids intrusion detection tool. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 286–290. Springer, Heidelberg (2005). doi:10.1007/11513988_28
Purczyński, W.: Linux kernel privileged process hijacking vulnerability. BugTraq Id 7112, March 2003. http://www.securityfocus.com/bid/7112
Roger, M., Goubault-Larrecq, J.: Log auditing through model checking. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW 2001), Cape Breton, pp. 220–236. IEEE Computer Society Press, June 2001
Roger, M., Goubault-Larrecq, J.: Procédé et dispositif de résolution de modèles, utilisation pour la détection des attaques contre les systèmes informatiques. Dépôt français du 13, correspondant Dyade, demandeurs: 1. INRIA 2. Bull S.A. Numéro de publication: 2 798 490. Numéro d’enregistrement national: 99 11716. Classification: G 06 F 19/00. Date de mise à la disposition du public de la demande: 16 mars 2001, bulletin 01/11, 1999, September 1999
Tarjan, R.E.: Depth-first search and linear graph algorithms. SIAM J. Comput. 1(2), 146–160 (1972)
Acknowledgement
This research was partially funded by INRIA-DGA grant 12 81 0312 (2013–2016). This, in particular, funded the second author’s internship at LSV, ENS Cachan, in the spring of 2013, who implemented two prototypes for a precursor of the algorithm described here. The second author also thanks Hydro-Québec and Les Offices jeunesse internationaux du Québec (LOJIQ) for their financial support.
The first author would like to thank Mounir Assaf for drawing his attention to analytic combinatorics, and the anonymous referees for their suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Goubault-Larrecq, J., Lachance, JP. (2016). On the Complexity of Monitoring Orchids Signatures. In: Falcone, Y., Sánchez, C. (eds) Runtime Verification. RV 2016. Lecture Notes in Computer Science(), vol 10012. Springer, Cham. https://doi.org/10.1007/978-3-319-46982-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-46982-9_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46981-2
Online ISBN: 978-3-319-46982-9
eBook Packages: Computer ScienceComputer Science (R0)