Auditing with incomplete logs

Umbreen Sabir Mian, Jeremy den Hartog, Sandro Etalle, Nicola Zannone

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    47 Downloads (Pure)


    The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy en-forcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove confor-mity to policies and detect policy violations when a valid explanation of confor-mity does not exist. However, existing auditing solutions require that the infor-mation necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in find-ing a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of con-formity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated.
    Original languageUndefined
    Title of host publicationProceedings of the 3rd Workshop on Hot Issues in Security Principles and Trust 2015
    Place of PublicationEindhoven
    PublisherTechnische Universiteit Eindhoven
    Number of pages23
    ISBN (Print)not assigned
    Publication statusPublished - 18 Apr 2015
    Event3rd Workshop on Hot Issues in Security Principles and Trust, HotSpot 2015 - London, United Kingdom
    Duration: 18 Apr 201518 Apr 2015
    Conference number: 3

    Publication series

    PublisherTechnische Universiteit Eindhoven


    Conference3rd Workshop on Hot Issues in Security Principles and Trust, HotSpot 2015
    Abbreviated titleHotSpot
    Country/TerritoryUnited Kingdom
    Internet address


    • SCS-Cybersecurity
    • Policy Compliance
    • EWI-27119
    • IR-101054
    • Abductive Reasoning
    • METIS-318482
    • Abduction

    Cite this