Trace-length independent runtime monitoring of quantitative policies in LTL

Xiaoning Du; Yang Liu; Alwen Tiu

doi:10.1007/978-3-319-19249-9_15

Trace-length independent runtime monitoring of quantitative policies in LTL

Xiaoning Du, Yang Liu, Alwen Tiu

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

5 Citations (Scopus)

Abstract

Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is driven by applications in runtime Android malware detection, which requires the monitoring algorithm to be independent of the length of the system event traces so that its performance does not degrade as the traces grow. We propose a policy language based on a past-time variant of LTL, extended with an aggregate operator called the counting quantifier to specify a policy based on the number of times some sub-policies are satisfied in the past. We show that a broad class of policies, but not all policies, specified with our language can be monitored in a trace-length independent way without sacrificing completeness, and provide a concrete algorithm to do so. We implement and test our algorithm in an existing Android monitoring framework and show that our approach can effectively specify and enforce quantitative policies drawn from real-world Android malware studies.

Original language	English
Title of host publication	FM 2015: Formal Methods
Subtitle of host publication	20th International Symposium Oslo, Norway, June 24–26, 2015 Proceedings
Editors	Nikolaj Bjorner, Frank de Boer
Place of Publication	Cham Switzerland
Publisher	Springer
Pages	231-247
Number of pages	17
ISBN (Electronic)	9783319192499
ISBN (Print)	9783319192482
DOIs	https://doi.org/10.1007/978-3-319-19249-9_15
Publication status	Published - 2015
Externally published	Yes
Event	International Symposium on Formal Methods 2015 - Oslo, Norway Duration: 24 Jun 2015 → 26 Jun 2015 Conference number: 20th https://link-springer-com.ezproxy.lib.monash.edu.au/book/10.1007/978-3-319-19249-9 (Proceedings) http://fm2015.ifi.uio.no (Website)

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	9109
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	International Symposium on Formal Methods 2015
Abbreviated title	FM 2015
Country	Norway
City	Oslo
Period	24/06/15 → 26/06/15
Internet address	https://link-springer-com.ezproxy.lib.monash.edu.au/book/10.1007/978-3-319-19249-9 (Proceedings) http://fm2015.ifi.uio.no (Website)

Keywords

Policy Language
Linear Temporal Logic
Atomic Proposition
Kernel Module
Trace Length

Access to Document

10.1007/978-3-319-19249-9_15

Link to publication in Scopus

Cite this

@inproceedings{7242f91d09e849819e916d2ecde6055f,

title = "Trace-length independent runtime monitoring of quantitative policies in LTL",

abstract = "Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is driven by applications in runtime Android malware detection, which requires the monitoring algorithm to be independent of the length of the system event traces so that its performance does not degrade as the traces grow. We propose a policy language based on a past-time variant of LTL, extended with an aggregate operator called the counting quantifier to specify a policy based on the number of times some sub-policies are satisfied in the past. We show that a broad class of policies, but not all policies, specified with our language can be monitored in a trace-length independent way without sacrificing completeness, and provide a concrete algorithm to do so. We implement and test our algorithm in an existing Android monitoring framework and show that our approach can effectively specify and enforce quantitative policies drawn from real-world Android malware studies.",

keywords = "Policy Language, Linear Temporal Logic, Atomic Proposition, Kernel Module, Trace Length",

author = "Xiaoning Du and Yang Liu and Alwen Tiu",

year = "2015",

doi = "10.1007/978-3-319-19249-9_15",

language = "English",

isbn = "9783319192482",

series = "Lecture Notes in Computer Science ",

publisher = "Springer",

pages = "231--247",

editor = "Nikolaj Bjorner and {de Boer}, Frank",

booktitle = "FM 2015: Formal Methods",

note = "International Symposium on Formal Methods 2015, FM 2015 ; Conference date: 24-06-2015 Through 26-06-2015",

url = "https://link-springer-com.ezproxy.lib.monash.edu.au/book/10.1007/978-3-319-19249-9, http://fm2015.ifi.uio.no",

}

Du, X, Liu, Y & Tiu, A 2015, Trace-length independent runtime monitoring of quantitative policies in LTL. in N Bjorner & F de Boer (eds), FM 2015: Formal Methods: 20th International Symposium Oslo, Norway, June 24–26, 2015 Proceedings. Lecture Notes in Computer Science , vol. 9109, Springer, Cham Switzerland, pp. 231-247, International Symposium on Formal Methods 2015, Oslo, Norway, 24/06/15. https://doi.org/10.1007/978-3-319-19249-9_15

Trace-length independent runtime monitoring of quantitative policies in LTL. / Du, Xiaoning; Liu, Yang; Tiu, Alwen.

FM 2015: Formal Methods: 20th International Symposium Oslo, Norway, June 24–26, 2015 Proceedings. ed. / Nikolaj Bjorner; Frank de Boer. Cham Switzerland : Springer, 2015. p. 231-247 (Lecture Notes in Computer Science ; Vol. 9109).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Trace-length independent runtime monitoring of quantitative policies in LTL

AU - Du, Xiaoning

AU - Liu, Yang

AU - Tiu, Alwen

N1 - Conference code: 20th

PY - 2015

Y1 - 2015

N2 - Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is driven by applications in runtime Android malware detection, which requires the monitoring algorithm to be independent of the length of the system event traces so that its performance does not degrade as the traces grow. We propose a policy language based on a past-time variant of LTL, extended with an aggregate operator called the counting quantifier to specify a policy based on the number of times some sub-policies are satisfied in the past. We show that a broad class of policies, but not all policies, specified with our language can be monitored in a trace-length independent way without sacrificing completeness, and provide a concrete algorithm to do so. We implement and test our algorithm in an existing Android monitoring framework and show that our approach can effectively specify and enforce quantitative policies drawn from real-world Android malware studies.

AB - Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is driven by applications in runtime Android malware detection, which requires the monitoring algorithm to be independent of the length of the system event traces so that its performance does not degrade as the traces grow. We propose a policy language based on a past-time variant of LTL, extended with an aggregate operator called the counting quantifier to specify a policy based on the number of times some sub-policies are satisfied in the past. We show that a broad class of policies, but not all policies, specified with our language can be monitored in a trace-length independent way without sacrificing completeness, and provide a concrete algorithm to do so. We implement and test our algorithm in an existing Android monitoring framework and show that our approach can effectively specify and enforce quantitative policies drawn from real-world Android malware studies.

KW - Policy Language

KW - Linear Temporal Logic

KW - Atomic Proposition

KW - Kernel Module

KW - Trace Length

UR - http://www.scopus.com/inward/record.url?scp=84937394209&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-19249-9_15

DO - 10.1007/978-3-319-19249-9_15

M3 - Conference Paper

AN - SCOPUS:84937394209

SN - 9783319192482

T3 - Lecture Notes in Computer Science

SP - 231

EP - 247

BT - FM 2015: Formal Methods

A2 - Bjorner, Nikolaj

A2 - de Boer, Frank

PB - Springer

CY - Cham Switzerland

T2 - International Symposium on Formal Methods 2015

Y2 - 24 June 2015 through 26 June 2015

ER -