Abstract
Security information and event management (SIEM) systems usually consist of a centralized monitoring server that processes events sent from a large number of hosts through a potentially slow network. In this work, we discuss how monitoring efficiency can be increased by switching to a model of aggregated traces, where monitored hosts buffer events into lossy but compact batches. In our trace model, such batches retain the number and types of events processed, but not their order. We present an algorithm for automatically constructing, out of a regular finite-state property definition, a monitor that can process such aggregated traces.
We discuss the resultant monitor’s complexity and prove that it determines the set of possible next states without producing false negatives and with a precision that is optimal given the reduced information the trace carries.
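The abstract describes the semantics such a monitor must implement: after consuming a batch that records only event counts, the monitor should report exactly the set of automaton states reachable under some ordering of those events, so the true state is never excluded (no false negatives) and no state is reported that no ordering could produce (optimal precision). The following Python is an added illustration written for this page, not the paper's construction or its code; it computes that set by exhaustively exploring orderings of the multiset, which is a reference semantics rather than the authors' compiled monitor. The property automaton (a "no use before open or after close" resource protocol) and the event batches are constructed examples.

```python
from collections import Counter
from functools import lru_cache
from itertools import permutations

# Constructed DFA for the assumed property "a resource is only used while open".
# Violations go to a sink state "error".
STATES = ("closed", "open", "error")
INITIAL = "closed"
TRANSITIONS = {
    ("closed", "open"): "open",
    ("closed", "use"): "error",    # use before open
    ("closed", "close"): "closed",
    ("open", "open"): "open",
    ("open", "use"): "open",
    ("open", "close"): "closed",
    ("error", "open"): "error",
    ("error", "use"): "error",
    ("error", "close"): "error",
}


def step(state, event):
    """Deterministic transition for a single, ordered event."""
    return TRANSITIONS[(state, event)]


def run_sequential(trace, initial=INITIAL):
    """Ordinary sequential monitor: folds an ordered trace into one state."""
    state = initial
    for event in trace:
        state = step(state, event)
    return state


@lru_cache(maxsize=None)
def _reach(states, remaining):
    """States reachable from any state in `states` by consuming the multiset
    `remaining` (sorted tuple of (event, count)) in some order. Because the
    transition function extends pointwise to sets, reach(S, M) is the union
    over each event e in M of reach(step(S, e), M - e)."""
    if not remaining:
        return states
    result = set()
    for i, (event, count) in enumerate(remaining):
        rest = list(remaining)
        if count == 1:
            del rest[i]
        else:
            rest[i] = (event, count - 1)
        next_states = frozenset(step(s, event) for s in states)
        result |= _reach(next_states, tuple(rest))
    return frozenset(result)


def possible_states(states, batch):
    """Aggregated-trace step: `batch` is a Counter of event -> count with the
    order lost. Returns every DFA state some ordering of the batch can reach."""
    key = tuple(sorted((e, n) for e, n in batch.items() if n > 0))
    return _reach(frozenset(states), key)


def monitor(batches, initial=INITIAL):
    """Process a sequence of unordered batches and give a three-valued verdict
    per batch: 'violated' if every ordering reaches the sink, 'possibly violated'
    if only some orderings do, and 'ok' otherwise."""
    states = frozenset([initial])
    verdicts = []
    for batch in batches:
        states = possible_states(states, Counter(batch))
        if states == {"error"}:
            verdict = "violated"
        elif "error" in states:
            verdict = "possibly violated"
        else:
            verdict = "ok"
        verdicts.append((states, verdict))
    return verdicts


if __name__ == "__main__":
    # Constructed batches: the second one is ambiguous because "use" and
    # "close" may have happened in either order on the monitored host.
    for states, verdict in monitor([["open"], ["use", "close"]]):
        print(sorted(states), verdict)
```

The ambiguity in the second batch is the cost of dropping event order: a host that buffered `use` and `close` together leaves the server unable to tell a clean shutdown from a use-after-close, so the verdict is "possibly violated" rather than a definite answer, which is exactly the precision bound the abstract refers to.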
This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE. ( www.ec-spride.de ).
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Falzon, K., Bodden, E., Purandare, R. (2013). Distributed Finite-State Runtime Monitoring with Aggregated Events. In: Legay, A., Bensalem, S. (eds) Runtime Verification. RV 2013. Lecture Notes in Computer Science, vol 8174. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40787-1_6
DOI: https://doi.org/10.1007/978-3-642-40787-1_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40786-4
Online ISBN: 978-3-642-40787-1