Pattern and Policy Driven Log Analysis for Software Monitoring

The component-based nature of large industrial software systems that consist of a number of diverse collaborating applications, pose significant challenges with respect to system maintenance, monitoring, auditing, and diagnosing. In this context, a monitoring and diagnostic system interprets log data to recognize patterns of significant events that conform to specific threat models. Threat models have been used by the software industry for analyzing and documenting a systempsilas risks in order to understand a systempsilas threat profile. In this paper, we propose a framework whereby patterns of significant events are represented as expressions of a specialized monitoring language that are used to annotate specific threat models. An approximate matching technique that is based on the Viterbi algorithm is then used to identify whether system generated events, fit the given patterns. The technique has been applied and evaluated considering threat models and monitoring policies in logs that have been obtained from multi-user MS-Windows based systems.