Diagnosis from scenarios

Diagnosis of a system consists in providing explanations to a supervisor from a partial observation of the system and a model of possible executions. This paper proposes a partial order diagnosis algorithm that recovers sets of scenarios which correspond to a given observation. Systems are modeled using High-level Message Sequence Charts (HMSCs), and the diagnosis is given as a new HMSC, which behaviors are all explanations of the partial observation. The main difficulty is that some actions of the monitored system are unobservable but may still induce some causal ordering among observed events. We first give an offline centralized diagnosis algorithm, then we discuss a decentralized version of this algorithm. We then give an online diagnosis algorithm, and define syntactic criteria under which the memory used can be bounded. This allows us to give a complete diagnosis framework for infinite state systems, with a strong emphasis on concurrency and causal ordering in behaviors. The last contribution of the paper is an application of diagnosis techniques to a security problem called anomaly detection. Anomaly detection consists in comparing what occurs in the system with usual/expected behaviors, and raising an alarm when some unusual behavior (meaning a potential attack) occurs.

[1]  B. Rothschild,et al.  Asymptotic enumeration of partial orders on a finite set , 1975 .

[2]  Daniel Brand,et al.  On Communicating Finite-State Machines , 1983, JACM.

[3]  Jan A. Bergstra,et al.  Algebra of Communicating Processes with Abstraction , 1985, Theor. Comput. Sci..

[4]  Giorgio De Michelis,et al.  Concurrency versus interleaving: an instructuve example , 1987, Bull. EATCS.

[5]  Colin J. Fidge,et al.  Logical time in distributed computing systems , 1991, Computer.

[6]  Feng Lin,et al.  Diagnosability of discrete event systems and its applications , 1994, Discret. Event Dyn. Syst..

[7]  Stéphane Lafortune,et al.  Failure diagnosis using discrete event models , 1994, Proceedings of 1994 33rd IEEE Conference on Decision and Control.

[8]  Michel Raynal,et al.  On-The-Fly Analysis of Distributed Computations , 1995, Inf. Process. Lett..

[9]  Sjouke Mauw,et al.  Message Sequence Chart (MSC) , 1996 .

[10]  Sergio Yovine,et al.  Model Checking Timed Automata , 1996, European Educational Forum: School on Embedded Systems.

[11]  Karl N. Levitt,et al.  Execution monitoring of security-critical programs in distributed systems: a specification-based approach , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[12]  Anca Muscholl,et al.  Matching Specifications for Message Sequence Charts , 1999, FoSSaCS.

[13]  Rajeev Alur,et al.  Model Checking of Message Sequence Charts , 1999, CONCUR.

[14]  Gianfranco Lamperti,et al.  Diagnosis of Large Active Systems , 1999, Artif. Intell..

[15]  Anca Muscholl,et al.  Message Sequence Graphs and Decision Problems on Mazurkiewicz Traces , 1999, MFCS.

[16]  Anita K. Jones,et al.  Computer System Intrusion Detection: A Survey , 2000 .

[17]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[18]  W. M. Wonham,et al.  Distributed diagnosis for qualitative systems , 2002, Sixth International Workshop on Discrete Event Systems, 2002. Proceedings..

[19]  Marie-Odile Cordier,et al.  A Decentralized Model-Based Diagnostic Tool for Complex Systems , 2002, Int. J. Artif. Intell. Tools.

[20]  R. Sekar,et al.  Specification-based anomaly detection: a new approach for detecting network intrusions , 2002, CCS '02.

[21]  Albert Benveniste,et al.  Diagnosis of asynchronous discrete-event systems: a net unfolding approach , 2003, IEEE Trans. Autom. Control..

[22]  Stéphane Lafortune,et al.  Distributed Diagnosis of Discrete-Event Systems Using Petri Nets , 2003, ICATPN.

[23]  Anca Muscholl,et al.  Deciding Properties of Message Sequence Charts , 2003, Scenarios: Models, Transformations and Tools.

[24]  Loïc Hélouët,et al.  High-Level Message Sequence Charts and Projections , 2003, CONCUR.

[25]  Maria Letizia Corradini,et al.  IEEE Transactions on Control Systems Technology , 2004 .

[26]  Thomas Chatain,et al.  Symbolic Diagnosis of Partially Observable Concurrent Systems , 2004, FORTE.

[27]  Ali A. Ghorbani,et al.  Research on Intrusion Detection and Response: A Survey , 2005, Int. J. Netw. Secur..

[28]  Thomas Chatain,et al.  Time Supervision of Concurrent Systems Using Symbolic Unfoldings of Time Petri Nets , 2005, FORMATS.

[29]  L. Helouet,et al.  Diagnosis from scenarios [system diagnosis] , 2006, 2006 8th International Workshop on Discrete Event Systems.

[30]  Anca Muscholl,et al.  A Kleene theorem and model checking algorithms for existentially bounded communicating automata , 2006, Inf. Comput..

[31]  Stéphane Lafortune,et al.  Diagnosability of Discrete Event Systems with Modular Structure , 2006, Discret. Event Dyn. Syst..

[32]  Osman Salem,et al.  An efficient online anomalies detection mechanism for high-speed networks , 2007 .

[33]  Loïc Hélouët,et al.  Causal Message Sequence Charts , 2007, Theor. Comput. Sci..

[34]  F. Mattern On the Relativistic Structure of Logical Time in Distributed Systems , 2009 .