Log auditing through model-checking

M. Roger, J. Goubault-Larrecq
Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001.  
Log auditing is a basic intrusion detection mechanism, whereby attacks are detected by uncovering matches of sequences of events against signatures. We argue that this is naturally expressed as a modelchecking problem against linear Kripke models. A variant of the classic linear time temporal logic of Manna and Pnueli with first-order variables is first investigated in this framework. But this logic is in dire need of refinement, as far as expressiveness and efficiency are concerned. We
more » ... e propose a second, less standard logic consisting of flat, Wolper-style linear-time formulae. We describe an efficient on-line algorithm, making the approach attractive for complex log auditing tasks. We also present a few optimizations that the use of a formal semantics affords us.
doi:10.1109/csfw.2001.930148 dblp:conf/csfw/RogerG01 fatcat:5sw3collmnaulhnopzhnl76sm4