4,620 research outputs found

    Automated intrusion recovery for web applications

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2013. Cataloged from PDF version of thesis. Includes bibliographical references (pages 93-97). In this dissertation, we develop recovery techniques for web applications and demonstrate that automated recovery from intrusions and user mistakes is practical as well as effective. Web applications play a critical role in users' lives today, making them an attractive target for attackers. New vulnerabilities are routinely found in web application software, and even if the software is bug-free, administrators may make security mistakes such as misconfiguring permissions; these bugs and mistakes virtually guarantee that every application will eventually be compromised. To clean up after a successful attack, administrators need to find its entry point, track down its effects, and undo the attack's corruptions while preserving legitimate changes. Today this is all done manually, which results in days of wasted effort with no guarantee that all traces of the attack have been found or that no legitimate changes were lost. To address this problem, we propose that automated intrusion recovery should be an integral part of web application platforms. This work develops several ideas (retroactive patching, automated UI replay, dependency tracking, patch-based auditing, and distributed repair) that together recover from past attacks that exploited a vulnerability, by retroactively fixing the vulnerability and repairing the system state to make it appear as if the vulnerability never existed. Repair tracks down and reverts effects of the attack on other users within the same application and on other applications, while preserving legitimate changes. Using techniques resulting from these ideas, an administrator can easily recover from past attacks that exploited a bug using nothing more than a patch fixing the bug, with no manual effort on her part to find the attack or track its effects. The same techniques can also recover from attacks that exploit past configuration mistakes: the administrator only has to point out the past request that resulted in the mistake. We built three prototype systems, WARP, POIROT, and AIRE, to explore these ideas. Using these systems, we demonstrate that we can recover from challenging attacks in real distributed web applications with little or no changes to application source code; that recovery time is a fraction of the original execution time for attacks with a few affected requests; and that support for recovery adds modest runtime overhead during the application's normal operation. by Ramesh Chandra. Ph.D

    On the use of domain knowledge for process model repair

    Process models are important for supporting organizations in documenting, understanding and monitoring their business. When these process models become outdated, they need to be revised to accurately describe the new status quo of the processes in the organization. Process model repair techniques help automatically revise the existing model from behavior traced in event logs. So far, such techniques have focused on identifying which parts of the model to change and how to change them, but they do not use knowledge from practitioners to inform the revision. As a consequence, fragments of the model may change in a way that defies existing regulations or represents outdated information that was wrongly considered from the event log. This paper uses concepts from theory revision to provide formal foundations for process model repair that exploits domain knowledge. Specifically, it conceptualizes (1) what are unchangeable fragments in the model and (2) the role that various traces in the event log should play when it comes to model repair. A scenario of use is presented that demonstrates the benefits of this conceptualization. The current state of existing process model repair techniques is compared against the proposed concepts. The results show that only two existing techniques partially consider the concepts presented in this paper for model repair. Peer Reviewe

    Knowledge-Intensive Processes: Characteristics, Requirements and Analysis of Contemporary Approaches

    Engineering of knowledge-intensive processes (KiPs) is far from being mastered, since they are genuinely knowledge- and data-centric, and require substantial flexibility, at both design- and run-time. In this work, starting from a scientific literature analysis in the area of KiPs and from three real-world domains and application scenarios, we provide a precise characterization of KiPs. Furthermore, we devise some general requirements related to KiPs management and execution. Such requirements contribute to the definition of an evaluation framework to assess current system support for KiPs. To this end, we present a critical analysis on a number of existing process-oriented approaches by discussing their efficacy against the requirements

    Turning Logs into Lumber: Preprocessing Tasks in Process Mining

    Event logs are invaluable for conducting process mining projects, offering insights into process improvement and data-driven decision-making. However, data quality issues affect the correctness and trustworthiness of these insights, making preprocessing tasks a necessity. Despite the recognized importance, the execution of preprocessing tasks remains ad-hoc, lacking support. This paper presents a systematic literature review that establishes a comprehensive repository of preprocessing tasks and their usage in case studies. We identify six high-level and 20 low-level preprocessing tasks in case studies. Log filtering, transformation, and abstraction are commonly used, while log enriching, integration, and reduction are less frequent. These results can be considered a first step in contributing to more structured, transparent event log preprocessing, enhancing process mining reliability. Comment: Accepted by EdbA'23 workshop, co-located with ICPM 202

    Process Mining Handbook

    This is an open access book. This book comprises all the single courses given as part of the First Summer School on Process Mining, PMSS 2022, which was held in Aachen, Germany, during July 4-8, 2022. This volume contains 17 chapters organized into the following topical sections: Introduction; process discovery; conformance checking; data preprocessing; process enhancement and monitoring; assorted process mining topics; industrial perspective and applications; and closing

    Making intelligent systems team players: Overview for designers

    This report is a guide and companion to the NASA Technical Memorandum 104738, 'Making Intelligent Systems Team Players,' Volumes 1 and 2. The first two volumes of this Technical Memorandum provide comprehensive guidance to designers of intelligent systems for real-time fault management of space systems, with the objective of achieving more effective human interaction. This report provides an analysis of the material discussed in the Technical Memorandum. It clarifies what it means for an intelligent system to be a team player, and how such systems are designed. It identifies significant intelligent system design problems and their impacts on reliability and usability. Where common design practice is not effective in solving these problems, we make recommendations for these situations. In this report, we summarize the main points in the Technical Memorandum and identify where to look for further information

    Icarus: a cloud security perspective

    Integrated master's dissertation in Informatics Engineering. Increasingly, cloud computing is used because of its significant advantages. However, this use can increase risk, as the solutions are not in the organizations' infrastructure but in an external perimeter. This thesis presents a study of cloud security in which an agnostic reference architecture is developed for any cloud service provider. The three most used providers are also compared in order to materialize the architecture and make a proof of concept. The solution presented was based on the controls in Annex A of ISO 27001 (information security) and aimed to minimize the increased risk of applications hosted in the cloud as much as possible and speed up the process of any need to obtain ISO 27001 certification.