Auditing with incomplete logs

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

66 Downloads (Pure)


The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated. Keywords: Abduction, Policy Compliance, Abductive Reasoning
Original languageEnglish
Title of host publicationProceedings of the 3rd Workshop on Hot Issues in Security Principles and Trust (2015, London, UK, April 18, 2015; affiliated with ETAPS 2015)
Publication statusPublished - 2015
Event3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015) - London, United Kingdom
Duration: 18 Apr 201518 Apr 2015
Conference number: 3


Workshop3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015)
Abbreviated titleHotSpot 2015
Country/TerritoryUnited Kingdom
OtherWorkshop held as a satellite event of the 18th European Joint Conferences on Theory and Practice of Software (ETAPS 2015)
Internet address


Dive into the research topics of 'Auditing with incomplete logs'. Together they form a unique fingerprint.

Cite this