Retroactive Parametrized Monitoring
Paloma Pedregal, Felipe Gorostiaga, Cesar Sanchez

TL;DR
This paper introduces retroactive dynamic parametrization, a novel online monitoring technique enabling monitors to revisit past logs and incorporate new information, enhancing detection capabilities such as identifying network denial of service attacks.
Contribution
It presents a new method allowing online monitors to retroactively analyze past logs and adapt to new insights, bridging the gap between online and offline monitoring.
Findings
Enables monitors to revisit past logs during online execution
Supports incorporation of new monitors into running systems
Demonstrated effectiveness in detecting network attacks
Abstract
In online monitoring, we first synthesize a monitor from a formal specification, which later runs in tandem with the system under study, incrementally receiving its progress and evolving with the system. In offline monitoring the trace is logged as the system progresses to later do post-mortem analysis after the system has finished executing. In this paper we propose retroactive dynamic parametrization, a technique that allows a monitor to revisit the past log as it progresses, while still executing in an online manner. This feature allows new monitors to be incorporated into a running system and to revisit the past for particular behaviors based on new information discovered. Retroactive parametrization also allows a monitor to lazily ignore events and revisit and process them later, when it discovers that it should have followed those events. We showcase the use of retroactive…
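The lazy "ignore now, revisit later" behaviour the abstract describes can be sketched as follows. This is an added illustration, not the paper's algorithm or specification language; the class names, thresholds and the sample log are constructed assumptions.

```python
from collections import deque

class RateMonitor:
    """Sliding-window event counter for one parameter value."""
    def __init__(self, window, limit):
        self.window, self.limit, self.times = window, limit, deque()

    def step(self, ts):
        self.times.append(ts)
        while self.times[0] <= ts - self.window:   # drop events outside the window
            self.times.popleft()
        return len(self.times) > self.limit

class RetroactiveMonitor:
    def __init__(self, window=5, global_limit=25, dst_limit=20):
        self.window, self.dst_limit = window, dst_limit
        self.total = RateMonitor(window, global_limit)  # cheap, always running
        self.per_dst = {}   # parametrized monitors, created only on demand
        self.log = []       # past events kept so they can be revisited
        self.alerts = {}    # destination -> timestamp of first alert

    def observe(self, ts, src, dst):
        self.log.append((ts, src, dst))
        suspicious = self.total.step(ts)
        if dst in self.per_dst:
            over = self.per_dst[dst].step(ts)
        elif suspicious:
            # Retroactive step: instantiate the monitor for this destination
            # and replay the past events it had ignored (log includes this one).
            mon = self.per_dst[dst] = RateMonitor(self.window, self.dst_limit)
            over = False
            for past_ts, _, past_dst in self.log:
                if past_dst == dst:
                    over = mon.step(past_ts)
        else:
            return          # nothing suspicious: the event is only logged
        if over:
            self.alerts.setdefault(dst, ts)

def sample_log():
    # Constructed traffic: one event per tick, then a burst at srv-a from t=20.
    log = [(t, f"10.0.0.{t % 5}", "srv-a" if t % 2 else "srv-b") for t in range(20)]
    log += [(20 + i // 10, "10.9.9.9", "srv-a") for i in range(60)]
    return log

def run(events):
    mon = RetroactiveMonitor()
    for ts, src, dst in events:
        mon.observe(ts, src, dst)
    return mon
```

On this log the per-destination monitor is created at t=22 and alerts immediately because of the replay; a monitor started at that moment without access to the past would not cross the same threshold until t=24.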
Taxonomy
Topics: Service-Oriented Architecture and Web Services · Software System Performance and Reliability · Network Security and Intrusion Detection
