Auditing with incomplete logs

U.S. Mian; J.I. Hartog, den; S. Etalle; N. Zannone

Auditing with incomplete logs

U.S. Mian, J.I. Hartog, den, S. Etalle, N. Zannone

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

66 Downloads (Pure)

Abstract

The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated. Keywords: Abduction, Policy Compliance, Abductive Reasoning

Original language	English
Title of host publication	Proceedings of the 3rd Workshop on Hot Issues in Security Principles and Trust (2015, London, UK, April 18, 2015; affiliated with ETAPS 2015)
Pages	1-23
Publication status	Published - 2015
Event	3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015) - London, United Kingdom Duration: 18 Apr 2015 → 18 Apr 2015 Conference number: 3 http://www.lucavigano.com/HotSpot2015/

Workshop

Workshop	3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015)
Abbreviated title	HotSpot 2015
Country/Territory	United Kingdom
City	London
Period	18/04/15 → 18/04/15
Other	Workshop held as a satellite event of the 18th European Joint Conferences on Theory and Practice of Software (ETAPS 2015)
Internet address	http://www.lucavigano.com/HotSpot2015/

Access to Document

publishers versionFinal published version, 306 KB

Cite this

@inproceedings{205f13effd924a7e8f59f313f0ec5e02,

title = "Auditing with incomplete logs",

abstract = "The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users{\textquoteright} activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users{\textquoteright} activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated. Keywords: Abduction, Policy Compliance, Abductive Reasoning",

author = "U.S. Mian and {Hartog, den}, J.I. and S. Etalle and N. Zannone",

year = "2015",

language = "English",

pages = "1--23",

booktitle = "Proceedings of the 3rd Workshop on Hot Issues in Security Principles and Trust (2015, London, UK, April 18, 2015; affiliated with ETAPS 2015)",

note = "3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015), HotSpot 2015 ; Conference date: 18-04-2015 Through 18-04-2015",

url = "http://www.lucavigano.com/HotSpot2015/",

}

TY - GEN

T1 - Auditing with incomplete logs

AU - Mian, U.S.

AU - Hartog, den, J.I.

AU - Etalle, S.

AU - Zannone, N.

N1 - Conference code: 3

PY - 2015

Y1 - 2015

N2 - The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated. Keywords: Abduction, Policy Compliance, Abductive Reasoning

AB - The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated. Keywords: Abduction, Policy Compliance, Abductive Reasoning

M3 - Conference contribution

SP - 1

EP - 23

BT - Proceedings of the 3rd Workshop on Hot Issues in Security Principles and Trust (2015, London, UK, April 18, 2015; affiliated with ETAPS 2015)

T2 - 3rd Workshop on Hot Issues in Security Principles and Trust (HotSpot 2015)

Y2 - 18 April 2015 through 18 April 2015

ER -

Auditing with incomplete logs

Abstract

Workshop

Access to Document

Fingerprint

Cite this