Sample Log Analysis in E&A - A Legal Framework




A Formal Framework for Specifying and Analyzing Logs as Electronic Evidence
Eduardo Mazza (1), Marie-Laure Potet (1), Daniel Le Métayer (2)
LISE Project, funded by the Agence Nationale de la Recherche (ANR-07-SESU-00)
(1) Verimag, Grenoble, France
(2) INRIA, Grenoble Rhône-Alpes, France

Motivation
- Challenge: to make legal liability for software precise
- Log as digital evidence: more and more necessary
Problem
- Current solutions that define liability are not focused on logs as digital evidence
- Works in log analysis show little concern for liability
Proposal
- An integrated framework for precisely defining liability and log content as electronic evidence
Mazza, Potet, Le Métayer (LISE Project) SBMF 2010

Outline
- Introduction
- Logs & Claims
- Log Functions
- Log Analyzer
- Conclusion

Introduction
LISE Project
- Contract-based environment
- Legal aspects studied in previous works [ICSE 2010]
Context: FAULTS CLAIMS LIABILITY
- Two or more agents signing a legal contract to make liability for potential claims precise
Contract: agreement between the agents
- Requirements
  - Description of application
  - Claims taken into account (covered by the contract)
- Evidence agreement
  - Log content and architecture
  - Log Analyzer

LISE Approach
Two phases
- Contractual: requirements and evidence agreement
- Analysis: when claims appear
[Diagram: Contractual Phase, Analysis Phase]
Generic model
- Use of the B-method: focus on data and behaviour
- Log Analyzer (attachment in contract)

Assumptions & Key Concepts
Distributed system, distributed logs
- Information spread along multiple log files
- Communication between agents by message exchange
- Well adapted for B2B applications
Logs are grouped by agents
- A single log file may contain the information of many agents
Incremental analysis would be an advantage
- Claims may be analyzed in a partial setting of the distributed system
- Not always possible to immediately obtain all logs


Logs
How to represent logs?
- Generic model supporting distributed logs
- Hypothesis: preserved causality, no loss, no duplication
System specification
- AGENT
- ACTION
- Interface : ACTION AGENT
Logs and log distributions
- Event: (Send Rec, AGENT, AGENT, ACTION)
- Log file: F(AGENT) iseq(events)
- Distribution: F(F(AGENT))

Example of Logs
System specification
Possible log distributions:
- {Client}, {Agency}, {Bank}, {Hotel}
- {Client, Agency}, {Bank}, {Hotel}
Possible logs:
- ({Client, Agency}, [Request_Send, Request_Rec, ...])
- ({Hotel}, [Book_Rec, Cancel_Rec, ...])

Claims
How to represent the claims?
- Logs that are concerned by the claim (agents)
- A precise characterization of when the claim is accepted (log property)
A claim consists of:
- A plaintiff (the complaining agent)
- A defendant
- A log property
If the property holds, then the defendant agent is responsible.
Claim: (AGENT AGENT PROP)

Properties
Property: F(AGENT) (LOG FILE BOOL)
Distributed setting: property for partial distribution
1. Agents concerned with this property
   - Information needed to verify a property
2. Partial function (w.r.t. agents) that maps a log file to TRUE or FALSE
IMPORTANT: agents of the property = agents of the log evaluated


Example of Claims (claim NoRoom)
Client requests a reservation and is charged but there is no reservation:
1. NoRoom CLAIM
   NoRoom = (Client, Agency, prop_NoRoom)
2. agents(prop_NoRoom) = {Client, Agency}
3. val(prop_NoRoom) = λ log.(agents(log) = {Client, Agency} Request_Send events(log) Debit_Send events(log) Book_Send events(log) pos(Request_Send, log) < pos(Debit_Send, log))
[Diagram: Client, Agency, Bank, Hotel; messages Request, Justify, Debit]


Log Functions
Motivation: manipulate distributed logs w.r.t. concerned agents
Log functions:
- extract: obtain events in a log concerning a given group of agents
- merge: provide the set of logs that respect the causal order of events
  - Several possible scenarios
Property: extract_ags[merge[logs]] merge[extract_ags[logs]]

Example of merge
[Diagram: Client, Agency; messages Request, Cancel; log_Client, log_Agency]
merge[log_Client, log_Agency] = {log_1, log_2}
log_1 = ({Client, Agency}, [Request_Send, Request_Rec, Cancel_Send])
log_2 = ({Client, Agency}, [Request_Send, Cancel_Send, Request_Rec])


Analyzing a claim
How to establish whether a claim should be accepted or rejected?
1. For a given claim (Plain, Def, Prop), select certain logs that have the information required by Prop (agents(prop) agents(logs))
2. Merge the selected log files
3. Extract the information required by Prop (agents(prop))
4. Compute the possible set of scenarios where Prop holds
5. Interpretation of the results by the judge
Two results:
- Set of all scenarios
- Set of scenarios where the property holds
(I) Conclude the investigation: accept or reject a claim
(II) More data needed

Log Analyzer
Log Analyzer: tool that computes the two results to be interpreted
INPUT:
- logs: set of logs
- prop: property
OUTPUT:
- scen: all possible scenarios
- ok: scenarios where the property holds

scen, ok Analysis(logs, prop)
PRE agents(prop) agents(logs)
THEN
  scen := extract_agents(prop)[merge[logs]];
  ok := scen val(prop) 1 [{TRUE}]
END

Interpreting the results
Depending on the values of scen, ok:
- Inconclusive results: the results are not enough to provide the intuition for accepting or rejecting a claim
  - A fine study may be necessary (incremental analysis)
- Conclusive results: some definitive situations:
  - if scen = ok then claim is accepted
  - if ok = then claim is rejected


Example of analysis - claim NoRoom (paper Example 8)
[Diagram: Client, Agency, Bank, Hotel; messages Request, Justify, Debit]
Agency wants to verify if the claim is valid without using Bank's log
3 scenarios:
- Request_Send, Request_Rec, Debit_Send, Justify_Rec
- Request_Send, Request_Rec, Justify_Rec, Debit_Send
- Request_Send, Justify_Rec, Request_Rec, Debit_Send
scen = ok: claim accepted
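
The Analysis operation from the Log Analyzer slide, run on the NoRoom case, as an added example (not code from the slides or from the LISE project). Assumptions: a Send is recorded by its sender and a Rec by its receiver, extract keeps the events recorded by the given agents, the precondition means the logs cover the property's agents, an empty ok set means rejection, prop_NoRoom requires that no Book was sent, and the sender/receiver pairs and sample logs are constructed.

```python
from itertools import chain

# Event = (kind, sender, receiver, action); Log = (frozenset of agents, tuple of events).

def owner(ev):
    # Assumption: a Send is recorded by its sender, a Rec by its receiver.
    return ev[1] if ev[0] == "Send" else ev[2]

def merge(logs):
    # Every interleaving that keeps each log's order and each Send before its Rec.
    agents = frozenset(chain.from_iterable(a for a, _ in logs))
    seqs = [tuple(evs) for _, evs in logs]
    present = set(chain.from_iterable(seqs))
    out = set()
    def walk(idx, acc):
        if all(i == len(s) for i, s in zip(idx, seqs)):
            out.add((agents, acc))
        for k, s in enumerate(seqs):
            ev = s[idx[k]] if idx[k] < len(s) else None
            send = ("Send",) + ev[1:] if ev else None
            if ev is None or (ev[0] == "Rec" and send in present and send not in acc):
                continue  # log exhausted, or matching Send logged but not yet placed
            walk(idx[:k] + (idx[k] + 1,) + idx[k + 1:], acc + (ev,))
    walk((0,) * len(seqs), ())
    return out

def extract(ags, logs):
    ags = frozenset(ags)
    return {(ags, tuple(e for e in evs if owner(e) in ags)) for _, evs in logs}

def analysis(logs, prop_agents, val):
    covered = frozenset(chain.from_iterable(a for a, _ in logs))
    if not frozenset(prop_agents) <= covered:  # assumed reading of PRE
        raise ValueError("logs do not cover the agents of the property")
    scen = extract(prop_agents, merge(logs))
    return scen, {log for log in scen if val(log)}

def verdict(scen, ok):
    if not scen:
        return "no consistent scenario"  # added case, not on the slides
    if not ok:
        return "rejected"  # assumed reading of the truncated "ok =" condition
    return "accepted" if scen == ok else "inconclusive"

# Constructed events for claim NoRoom; sender/receiver pairs are assumptions.
RS, RR = ("Send", "Client", "Agency", "Request"), ("Rec", "Client", "Agency", "Request")
DS, BS = ("Send", "Agency", "Bank", "Debit"), ("Send", "Agency", "Hotel", "Book")
JR = ("Rec", "Bank", "Client", "Justify")
LOG_CLIENT, LOG_AGENCY = (frozenset({"Client"}), (RS, JR)), (frozenset({"Agency"}), (RR, DS))

def no_room(log):  # assumed reading of prop_NoRoom: debited after request, no booking sent
    agents, evs = log
    return (agents == frozenset({"Client", "Agency"}) and RS in evs and DS in evs
            and BS not in evs and evs.index(RS) < evs.index(DS))
```

Calling analysis([LOG_CLIENT, LOG_AGENCY], {"Client", "Agency"}, no_room) gives the three scenarios listed above with scen equal to ok; adding BS to the Agency log empties ok.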


Incremental analysis
Inconclusive results may demand more logs to be analyzed
- Previous results may help in the computation of the new analysis
scen, ok Analysis(logs logs, prop)
Incremental calculus
1. Compute scen, ok Analysis(logs, prop)
2. iscen, iok IncrAnalysis(logs, prop, scen, ok)
   iscen := extract[merge[logs scen]]
   iok := extract[merge[logs ok]]
ADVANTAGE: no need to verify the property again
ok iok ok scen iscen scen

Example of incremental analysis (paper Example 9) (claim LateCancel)
Client complains of being charged for a reservation that had been canceled
prop_LateCancel:
- agents(prop_LateCancel) = {Client, Agency}
- Debit_Send events(log) Cancel_Send events(log) pos(Cancel_Send, log) < pos(Debit_Send, log)
[Diagram: Client, Agency, Bank, Hotel; messages Request, Confirm, Justify, Debit, Cancel, Book, CancelDebit]

First analysis
[Diagram: Client, Agency, Bank, Hotel; messages Request, Confirm, Justify, Debit, Cancel, Book, CancelDebit]
scen with 20 scenarios
ok with 10 scenarios

Second analysis (incremental)
[Diagram: Client, Agency, Bank, Hotel; messages Request, Justify, Confirm, Debit, Cancel, Book, CancelDebit]
scen with 3 scenarios
ok = claim rejected (without property verification!)


Conclusion
Contributions:
- General framework to precisely describe claims in terms of logs
- Specification of a Log Analyzer tool
- Study of incremental aspects over the acceptability of claims
Future works:
- Parametrized claims and properties
- Integration with previous works
  - Analysis of log architecture [SEFM 2010]
  - Help adding logs for incremental analysis
- Formal definition of liability
  - When should a claim be accepted
  - Claim with multiple responsible agents