Distributed Finite-State Runtime Monitoring with Aggregated Events
Kevin Falzon¹, Eric Bodden¹, and Rahul Purandare²

¹ European Center for Security and Privacy by Design (EC-SPRIDE)
{kevin.falzon,eric.bodden}@ec-spride.de

² Department of Computer Science and Engineering, University of Nebraska-Lincoln
rpuranda@cse.unl.edu
Abstract. Security information and event management (SIEM) systems usually consist of a centralized monitoring server that processes events sent from a large number of hosts through a potentially slow network. In this work, we discuss how monitoring efficiency can be increased by switching to a model of aggregated traces, where monitored hosts buffer events into lossy but compact batches. In our trace model, such batches retain the number and types of events processed, but not their order.

We present an algorithm for automatically constructing, out of a regular finite-state property definition, a monitor that can process such aggregated traces. We discuss the resultant monitor's complexity and prove that it determines the set of possible next states without producing false negatives and with a precision that is optimal given the reduced information the trace carries.
1 Introduction
In this work, we consider a common scenario to which runtime monitoring is nowadays often applied, namely that of security information and event management (SIEM) systems [9]. Such systems, mainly designed for intrusion detection or the discovery of insider attacks, usually comprise a centralized monitoring server that processes events sent from a large number of hosts within a local company network. At peak times, these hosts might be slowed down significantly, as they block while trying to synchronously send off event information to an overloaded monitoring server [11].

We address this problem by proposing a trace model in which the monitored hosts can aggregate parts of the event stream, retaining the number and types of events processed, but not their order. Discarding ordering information allows event streams to be compressed effectively, whilst retaining event frequencies and types maintains a certain level of precision. In comparison to related work [5, 12], this trace model is not probabilistic and does not allow for “gaps” in the event stream—every occurring event is indeed accounted for. The aggregated trace rather provides an over-approximation that implicitly includes all permutations of the original trace it represents.
* This work was supported by the German Federal Ministry of Education and Research (BMBF) within EC SPRIDE (www.ec-spride.de).
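The following is an added illustration of the trace model described in the Introduction; it is example code written for this page, not the paper's construction or its monitor. It assumes a small constructed finite-state property over the events `open`, `read` and `close` (a handle must be opened before it is read), where the state `err` marks a violation. An aggregated batch is represented as a multiset of event counts, and `next_states` computes every state reachable by consuming the batch in any order, which is exactly the over-approximation that "implicitly includes all permutations" of the original ordered trace. The search runs over (state, remaining multiset) pairs rather than over explicit permutations, so batches with many repeated events stay cheap.

```python
"""Aggregated-trace monitoring over a finite-state property.

Example code added for illustration; not the paper's algorithm.
The property automaton, its events and the sample traces are all
constructed here.
"""
from collections import Counter

# Constructed property: a handle must be opened before it is read and
# must not be read after being closed. Deterministic transition table
# over the events 'open', 'read', 'close'; 'err' is the absorbing
# violation state.
TRANSITIONS = {
    ("closed", "open"): "opened",
    ("closed", "read"): "err",
    ("closed", "close"): "closed",
    ("opened", "open"): "opened",
    ("opened", "read"): "opened",
    ("opened", "close"): "closed",
    ("err", "open"): "err",
    ("err", "read"): "err",
    ("err", "close"): "err",
}
INITIAL = "closed"
VIOLATION = "err"


def step(state, event):
    """One transition of the constructed property automaton."""
    return TRANSITIONS[(state, event)]


def run_ordered(trace, start=INITIAL):
    """Classic monitor: consume an ordered trace and return the final state."""
    state = start
    for event in trace:
        state = step(state, event)
    return state


def aggregate(trace):
    """Lossy batch in the sense of the trace model: counts per event type,
    order discarded."""
    return Counter(trace)


def next_states(states, batch):
    """All states reachable from any state in `states` by consuming every
    event of `batch` in some order.

    Explored as a search over (state, remaining multiset) pairs with
    memoisation, so the cost depends on the number of distinct
    (state, multiset) combinations rather than on the number of
    permutations of the batch."""
    frontier = {(s, tuple(sorted(batch.items()))) for s in states}
    seen = set()
    result = set()
    while frontier:
        state, remaining = frontier.pop()
        if (state, remaining) in seen:
            continue
        seen.add((state, remaining))
        if not remaining:
            result.add(state)
            continue
        # Pick any event type still present in the batch as the next one.
        for i, (event, count) in enumerate(remaining):
            if count == 1:
                rest = remaining[:i] + remaining[i + 1:]
            else:
                rest = remaining[:i] + ((event, count - 1),) + remaining[i + 1:]
            frontier.add((step(state, event), rest))
    return result


def monitor_batches(batches, start=INITIAL):
    """Process a sequence of aggregated batches, tracking the set of states
    the ordered trace could possibly be in after each batch."""
    states = {start}
    for batch in batches:
        states = next_states(states, batch)
    return states


def may_violate(states):
    """True if the violation state is among the possible states; the batch
    then warrants closer inspection, since order was lost."""
    return VIOLATION in states


if __name__ == "__main__":
    trace = ["open", "read", "read", "close"]  # constructed ordered trace
    exact = run_ordered(trace)
    possible = next_states({INITIAL}, aggregate(trace))
    print("exact final state:", exact)
    print("possible states from aggregated batch:", sorted(possible))
    # The exact state is always among the possible ones: no false negatives.
    assert exact in possible
```

Running the block shows the trade-off the Introduction describes: the batch `{open:1, read:2, close:1}` yields the possible states `{closed, opened, err}`, because some orderings (a `read` before the `open`) would violate the property, while the true ordered run ends in `closed`. A batch without any `read` event, such as `{open:1, close:1}`, yields only `{closed, opened}`, so the monitor can still rule out a violation whenever no ordering of the batch could produce one.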