Distributed Finite-State Runtime Monitoring with Aggregated Events

  • Conference paper
Runtime Verification (RV 2013)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 8174)

Abstract

Security information and event management (SIEM) systems usually consist of a centralized monitoring server that processes events sent from a large number of hosts through a potentially slow network. In this work, we discuss how monitoring efficiency can be increased by switching to a model of aggregated traces, where monitored hosts buffer events into lossy but compact batches. In our trace model, such batches retain the number and types of events processed, but not their order. We present an algorithm for automatically constructing, out of a regular finite-state property definition, a monitor that can process such aggregated traces.

We discuss the resultant monitor’s complexity and prove that it determines the set of possible next states without producing false negatives and with a precision that is optimal given the reduced information the trace carries.

This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE. ( www.ec-spride.de ).
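The abstract describes a monitor that, given a batch recording only how many events of each type occurred, computes the set of states the property automaton could be in afterwards: every ordering of the batch is accounted for (no false negatives) and no state that no ordering can reach is reported (optimal precision). The following is an added example, not code from the paper or its authors: it fixes the semantics with a small constructed file-handle automaton (states `closed`, `open`, `error`; events `open`, `read`, `close`, all assumed for this illustration) and computes the reachable state set by dynamic programming over sub-batches rather than by the paper's own monitor construction, then checks that result against a brute-force enumeration of all orderings.

```python
from itertools import permutations, product

# Constructed property automaton for the example (an assumption, not taken
# from the paper): a file handle must be opened before it is read or closed.
# "error" is an absorbing violation state.
ALPHABET = ("open", "read", "close")
START = "closed"
TRANSITIONS = {
    ("closed", "open"): "open",
    ("closed", "read"): "error",   # read before open violates the property
    ("closed", "close"): "error",  # close without open violates the property
    ("open", "open"): "open",
    ("open", "read"): "open",
    ("open", "close"): "closed",
    ("error", "open"): "error",    # error is absorbing
    ("error", "read"): "error",
    ("error", "close"): "error",
}


def step(states, event):
    """Advance every state in the set by one concrete event."""
    return frozenset(TRANSITIONS[(s, event)] for s in states)


def possible_next_states(current, batch):
    """States reachable from `current` by consuming `batch` in *some* order.

    `batch` maps event type -> count; the order is lost. reach[v] holds the
    state set after consuming v[i] events of type ALPHABET[i]; vectors are
    filled in order of increasing total, so each sub-batch is computed once
    instead of once per permutation.
    """
    counts = tuple(batch.get(e, 0) for e in ALPHABET)
    reach = {}
    for vec in sorted(product(*(range(n + 1) for n in counts)), key=sum):
        if sum(vec) == 0:
            reach[vec] = frozenset(current)
            continue
        acc = set()
        for i, n in enumerate(vec):
            if n > 0:
                prev = vec[:i] + (n - 1,) + vec[i + 1:]  # one fewer of type i
                acc |= step(reach[prev], ALPHABET[i])
        reach[vec] = frozenset(acc)
    return reach[counts]


def verdict(states):
    """Three-valued verdict over the possible-state set."""
    if states == {"error"}:
        return "violated"        # every ordering ends in the error state
    if "error" not in states:
        return "satisfied so far"  # no ordering can have violated the property
    return "inconclusive"        # some orderings violate it, some do not


def monitor(batches, start=START):
    """Fold a sequence of aggregated batches, carrying the state set forward."""
    states = frozenset({start})
    for batch in batches:
        states = possible_next_states(states, batch)
    return states


def brute_force(current, batch):
    """Reference oracle: replay every distinct ordering of the batch."""
    events = [e for e in ALPHABET for _ in range(batch.get(e, 0))]
    result = set()
    for perm in set(permutations(events)):
        states = frozenset(current)
        for e in perm:
            states = step(states, e)
        result |= states
    return frozenset(result)


if __name__ == "__main__":
    # Constructed sample batches as a host might ship them to the server.
    batches = [{"open": 1, "read": 2}, {"close": 1, "read": 1}]
    final = monitor(batches)
    print(sorted(final), verdict(final))
```

The verdict function shows the price of aggregation: a batch `{open: 1, read: 2, close: 1}` started in `closed` yields `{closed, error}`, because `open read read close` is legal while `open close read read` is not, so the monitor can only report "inconclusive" until a later batch, or a finer-grained trace, resolves it. The equality check against `brute_force` is what the paper's "no false negatives, optimal precision" claim means operationally for this semantics: the two sets coincide for every batch.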



Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Falzon, K., Bodden, E., Purandare, R. (2013). Distributed Finite-State Runtime Monitoring with Aggregated Events. In: Legay, A., Bensalem, S. (eds) Runtime Verification. RV 2013. Lecture Notes in Computer Science, vol 8174. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40787-1_6

  • DOI: https://doi.org/10.1007/978-3-642-40787-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40786-4

  • Online ISBN: 978-3-642-40787-1
