Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

  • Theocharis Tsigkritis
  • George Spanoudakis
  • Christos Kloukinas
  • Davide Lorenzoli
Chapter
Part of the Advances in Information Security book series (ADIS, volume 45)

Abstract

The SERENITY monitoring framework offers mechanisms for diagnosing the causes of violations of security and dependability (S&D) properties and for detecting potential violations of such properties, called “threats”. Diagnostic information and threat detection are often necessary for deciding what an appropriate reaction to a violation is and for taking pre-emptive actions against predicted violations, respectively. In this chapter, we describe the mechanisms of the SERENITY monitoring framework which generate diagnostic information for violations of S&D properties and detect threats.

Keywords

Intrusion Detection, Basic Probability, Basic Probability Assignment, Abductive Reasoning, Diagnosis Process
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag US 2009

Authors and Affiliations

  • Theocharis Tsigkritis, Dept. of Computing, City University, London
  • George Spanoudakis, Dept. of Computing, City University, London
  • Christos Kloukinas, Dept. of Computing, City University, London
  • Davide Lorenzoli, Dept. of Computing, City University, London