From Monitoring Templates to Security Monitoring and Threat Detection

This paper presents our pattern-based approach to run-time requirements monitoring and threat detection being developed as part of an approach to build frameworks supporting the construction of secure and dependable systems for ambient intelligence. Our patterns infra-structure is based on templates. From templates we generate event-calculus formulas expressing security requirements to monitor at run-time. From these theories we generate attack signatures, describing threats or possible attacks to the system. At run-time, we evaluate the likelihood of threats from run-time observations using a probabilistic model based on Bayesian networks

A Temporal Abductive Diagnostic Process for Runtime Properties Violations

Monitoring the operation of complex softare systems at runtime can detect violations of certain properties of interest but cannot always provide diagnostic information which is significant for understanding the cause of the violation and the adoption of appropriate countermeasures against it. In this paper, we describe a process for diagnosing runtime violations of security and dependability properties that we have developed as part of a general runtime monitoring framework that is based on Event Calculus. The diagnosis generation process is based on a combination of abductive, temporal and evidential reasoning over violations of system properties

Assessing the genuineness of events in runtime monitoring of cyber systems

Monitoring security properties of cyber systems at runtime is necessary if the preservation of such properties cannot be guaranteed by formal analysis of their specification. It is also necessary if the runtime interactions between their components that are distributed over different types of local and wide area networks cannot be fully analysed before putting the systems in operation. The effectiveness of runtime monitoring depends on the trustworthiness of the runtime system events, which are analysed by the monitor. In this paper, we describe an approach for assessing the trustworthiness of such events. Our approach is based on the generation of possible explanations of runtime events based on a diagnostic model of the system under surveillance using abductive reasoning, and the confirmation of the validity of such explanations and the runtime events using belief based reasoning. The assessment process that we have developed based on this approach has been implemented as part of the EVEREST runtime monitoring framework and has been evaluated in a series of simulations that are discussed in the paper

Diagnosing runtime violations of security and dependability properties

Monitoring the preservation of security and dependability (S&D) properties of complex software systems is widely accepted as a necessity. Basic monitoring can detect violations but does not always provide sufficient information for deciding what the appropriate response to a violation is. Such decisions often require additional diagnostic information that explains why a violation has occurred and can, therefore, indicate what would be an appropriate response action to it. In this thesis, we describe a diagnostic procedure for generating explanations of violations of S&D properties developed as extension of a runtime monitoring framewoek, called EVEREST. The procedure is based on a combination of abductive and evidential reasoning about violations of S&D properties which are expressed in Event Calculus

Combining SOA and BPM Technologies for Cross-System Process Automation

This paper summarizes the results of an industry case study that introduced a cross-system business process automation solution based on a combination of SOA and BPM standard technologies (i.e., BPMN, BPEL, WSDL). Besides discussing major weaknesses of the existing, custom-built, solution and comparing them against experiences with the developed prototype, the paper presents a course of action for transforming the current solution into the proposed solution. This includes a general approach, consisting of four distinct steps, as well as specific action items that are to be performed for every step. The discussion also covers language and tool support and challenges arising from the transformation

Diagnosing runtime violations of security and dependability properties

Monitoring the preservation of security and dependability (S&D) properties of complex software systems is widely accepted as a necessity. Basic monitoring can detect violations but does not always provide sufficient information for deciding what the appropriate response to a violation is. Such decisions often require additional diagnostic information that explains why a violation has occurred and can, therefore, indicate what would be an appropriate response action to it. In this thesis, we describe a diagnostic procedure for generating explanations of violations of S&D properties developed as extension of a runtime monitoring framewoek, called EVEREST. The procedure is based on a combination of abductive and evidential reasoning about violations of S&D properties which are expressed in Event Calculus.EThOS - Electronic Theses Online ServiceGBUnited Kingdo