A Smell of Orchids

  • Authors:

  • Jean Goubault-Larrecq;Julien Olivain

  • Affiliations:

  • LSV, ENS Cachan, CNRS, INRIA LSV, Cachan Cedex, F-94235;LSV, ENS Cachan, CNRS, INRIA LSV, Cachan Cedex, F-94235 and Above Security, Québec, Canada J7H 1N8

  • Venue:
  • Runtime Verification
  • Year:
  • 2008

Quantified Score

Hi-index 0.01

Visualization

Abstract

Orchids is an intrusion detection tool based on techniques for fast, on-line model-checking. Orchids detects complex, correlated strands of events with very low overhead in practice, although its detection algorithm has worst-case exponential time complexity. The purpose of this paper is twofold. First, we explain the salient features of the basic model-checking algorithm in an intuitive way, as a form of dynamically-spawned monitors. One distinctive feature of the Orchids algorithm is that fresh monitors need to be spawned at a possibly alarming rate. The second goal of this paper is therefore to explain how we tame the complexity of the procedure, using abstract interpretation techniques to safely kill useless monitors. This includes monitors which will provably detect nothing, but also monitors that are subsumed by others, in the sense that they will definitely fail the so-called shortest run criterion. We take the opportunity to show how the Orchids algorithm maintains its monitors sorted in such a way that the subsumption operation is effected with no overhead, and we correct a small, but definitely annoying bug in its core algorithm, as it was published in 2001.