Assessing the genuineness of events in runtime monitoring of cyber systems

Monitoring security properties of cyber systems at runtime is necessary if the preservation of such properties cannot be guaranteed by formal analysis of their specification. It is also necessary if the runtime interactions between their components, which are distributed over different types of local and wide area networks, cannot be fully analyzed before the systems are put into operation. The effectiveness of runtime monitoring depends on the trustworthiness of the runtime system events that the monitor analyzes. In this paper, we describe an approach for assessing the trustworthiness of such events. Our approach is based on the generation of possible explanations of runtime events from a diagnostic model of the system under surveillance using abductive reasoning, and on the confirmation of the validity of those explanations, and hence of the runtime events, using belief-based reasoning. The assessment process that we have developed based on this approach has been implemented as part of the EVEREST runtime monitoring framework and has been evaluated in a series of simulations that are discussed in the paper.
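To make the two-step idea concrete (abduce candidate explanations of an observed event from a diagnostic model, then confirm them against the other events the explanation predicts), here is an added illustration written for this page; it is not EVEREST's code, and the diagnostic model, event names, time window and the Laplace-smoothed belief score are all assumptions chosen for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed diagnostic model (an assumption for this example, not the
# EVEREST model): each hypothesised cause lists the events it should produce.
MODEL: Dict[str, Set[str]] = {
    "interactive_login": {"auth_request", "db_lookup", "session_created"},
    "sso_login": {"sso_assertion", "session_created"},
}

Event = Tuple[float, str]  # (timestamp, event name)


def abduce(observed: str, model: Dict[str, Set[str]] = MODEL) -> List[str]:
    """Abduction step: every cause whose predicted effects include the observed event."""
    return [cause for cause, effects in model.items() if observed in effects]


def confirm(cause: str, observed: str, t_obs: float, log: List[Event],
            window: float, model: Dict[str, Set[str]] = MODEL) -> float:
    """Confirmation step: belief in an explanation from how many of its *other*
    predicted effects appear in the log within +/- window of the observed event.
    Laplace-smoothed so no explanation is ever confirmed or refuted with certainty."""
    others = model[cause] - {observed}
    seen = {name for t, name in log if name in others and abs(t - t_obs) <= window}
    return (len(seen) + 1) / (len(others) + 2)


def assess(observed: str, t_obs: float, log: List[Event], window: float = 5.0,
           model: Dict[str, Set[str]] = MODEL) -> Tuple[float, Optional[str]]:
    """Genuineness of a runtime event: belief in its best-supported explanation.
    An event that no cause in the model can explain gets belief 0."""
    hypotheses = abduce(observed, model)
    if not hypotheses:
        return 0.0, None
    scores = {h: confirm(h, observed, t_obs, log, window, model) for h in hypotheses}
    best = max(scores, key=scores.get)
    return scores[best], best


# Constructed log: session_created preceded by the events a real login causes.
CORROBORATED: List[Event] = [(0.0, "auth_request"), (1.0, "db_lookup"), (2.0, "session_created")]
# Constructed log: the same event with nothing around it that explains it.
ISOLATED: List[Event] = [(40.0, "session_created")]

if __name__ == "__main__":
    print(assess("session_created", 2.0, CORROBORATED))  # (0.75, 'interactive_login')
    print(assess("session_created", 40.0, ISOLATED))     # weaker belief: event is suspect
```

An event whose best explanation falls below a chosen belief threshold is the one the monitor should treat as untrusted (possibly injected or tampered) before using it to decide a property violation.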
