DOI: 10.1145/3530019.3531338
Research article

EVSec: An Approach to Extract and Visualize Security Scenarios from System Logs

Published: 13 June 2022

Abstract

Logs, also known as execution traces, provide a glimpse into the functionality of running systems whose documentation is poor, incomplete, or outdated. Logs contain a rich amount of information that can be used to facilitate troubleshooting and debugging, track events, detect security breaches, satisfy regulatory requirements, and profile user behavior and workload. Driven by the growing complexity of today's software platforms, reverse engineering of high-level models from system logs has gained momentum in recent years. In this paper, we introduce EVSec, an approach to extract and visualize security scenarios from system logs. The collected logs are first merged, filtered, labeled, and segmented into execution phases. The resulting phases are then visualized using the ITU-T standard Use Case Maps (UCM) notation, extended with security annotations. We show the applicability of the proposed EVSec approach using two real-world security features, namely Cisco IOS Login Block and Cisco Unicast Reverse Path Forwarding (uRPF).
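The abstract names four processing steps (merge, filter, label, segment into execution phases) but the page does not show how they operate on real log lines. The following is an added illustration written for this page, not EVSec's own code: it runs that pipeline over constructed Cisco IOS syslog lines for the Login Block feature (the `%SEC_LOGIN-*` mnemonics are the ones IOS emits for `login block-for`; the hostnames, addresses, timestamps and the phase names `watching`, `quiet_mode`, `normal` are assumptions of the example), and renders each device's phases as a textual path in the spirit of a UCM, with an annotation scheme that is the example's own rather than the paper's.

```python
"""Added illustration of a merge -> filter -> label -> segment pipeline over
router logs.  Editor's sketch, not the EVSec implementation: hostnames,
addresses, log lines, phase names and annotations are constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional

YEAR = 2024  # assumption: the constructed syslog lines carry no year

# Constructed sample: syslog from two routers.  %SEC_LOGIN-* lines come from
# the IOS "login block-for" feature; %SYS / %LINEPROTO lines are noise.
RAW_LOGS: Dict[str, List[str]] = {
    "R1": [
        "Jan  5 10:00:01 R1 %SYS-5-CONFIG_I: Configured from console by admin",
        "Jan  5 10:00:05 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
        "Jan  5 10:00:07 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
        "Jan  5 10:00:09 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
        "Jan  5 10:00:09 R1 %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 51 secs, [user: root] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl]",
        "Jan  5 10:01:09 R1 %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out",
        "Jan  5 10:01:20 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 22]",
    ],
    "R2": [
        "Jan  5 10:00:03 R2 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up",
        "Jan  5 10:00:06 R2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>\w+)-(?P<sev>\d)-(?P<mnemonic>\w+): (?P<msg>.*)$"
)
FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")  # the [key: value] fields
LABELS = {  # mnemonic -> feature-level label (example's own vocabulary)
    "LOGIN_FAILED": "AUTH_FAILURE",
    "QUIET_MODE_ON": "BLOCK_START",
    "QUIET_MODE_OFF": "BLOCK_END",
    "LOGIN_SUCCESS": "AUTH_SUCCESS",
}


def parse_line(line: str) -> Optional[dict]:
    """Split one IOS syslog line into its parts; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "facility": m["facility"],
            "sev": int(m["sev"]), "mnemonic": m["mnemonic"], "msg": m["msg"]}


def merge(logs: Dict[str, List[str]]) -> List[dict]:
    """Merge per-device logs into one stream ordered by time, then host.
    sorted() is stable, so same-second events keep their on-device order."""
    events = [e for lines in logs.values() for e in map(parse_line, lines) if e]
    return sorted(events, key=lambda e: (e["ts"], e["host"]))


def keep_facility(events: List[dict], facility: str = "SEC_LOGIN") -> List[dict]:
    """Filter: keep only the facility that implements the studied feature."""
    return [e for e in events if e["facility"] == facility]


def label(events: List[dict]) -> List[dict]:
    """Attach a feature-level label and the parsed [key: value] fields."""
    for e in events:
        e["label"] = LABELS.get(e["mnemonic"], "OTHER")
        e["fields"] = dict(FIELD_RE.findall(e["msg"]))
    return events


def _open(phases, state, host, name):
    """Close the host's current phase (if non-empty) and open a new one."""
    prev = state[host]
    if prev["events"]:
        phases.setdefault(host, []).append(prev)
    state[host] = {"phase": name, "events": []}
    return state[host]


def segment(events: List[dict]) -> Dict[str, List[dict]]:
    """Cut each device's labeled stream into phases.  The login-block state
    machine is per router, so segmentation is keyed by host: a failure seen
    in 'normal' opens 'watching', QUIET_MODE_ON opens 'quiet_mode', and
    QUIET_MODE_OFF closes it and returns to 'normal'."""
    phases: Dict[str, List[dict]] = {}
    state: Dict[str, dict] = {}
    for e in events:
        host, lab = e["host"], e["label"]
        cur = state.setdefault(host, {"phase": "normal", "events": []})
        if lab == "AUTH_FAILURE" and cur["phase"] == "normal":
            cur = _open(phases, state, host, "watching")
        elif lab == "BLOCK_START":
            cur = _open(phases, state, host, "quiet_mode")
        cur["events"].append(e)
        if lab == "BLOCK_END":
            _open(phases, state, host, "normal")
    for host, cur in state.items():
        if cur["events"]:
            phases.setdefault(host, []).append(cur)
    return phases


def render_path(host: str, phases: List[dict]) -> List[str]:
    """One line per phase, in the order a UCM path would traverse them:
    phase name, then each responsibility tagged with its source address."""
    out = []
    for p in phases:
        steps = [f"{e['label']}@{e['fields'].get('Source', '-')}" for e in p["events"]]
        out.append(f"{host} [{p['phase']}] " + " -> ".join(steps))
    return out


def pipeline(logs: Dict[str, List[str]]) -> Dict[str, List[dict]]:
    return segment(label(keep_facility(merge(logs))))


PHASES = pipeline(RAW_LOGS)

if __name__ == "__main__":
    for host, host_phases in PHASES.items():
        print("\n".join(render_path(host, host_phases)))
```

Two choices worth noting. Merging sorts on the parsed timestamp and relies on a stable sort for same-second events, which only works if the devices' clocks are synchronized (NTP) and the exporter preserved on-device order; unsynchronized clocks will interleave phases incorrectly. Segmentation is keyed by host because the quiet-mode state machine is per router: the single failure on R2 in the sample must not be counted toward R1's watch window, so it yields its own `watching` phase on R2.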



Published In

EASE '22: Proceedings of the 26th International Conference on Evaluation and Assessment in Software Engineering
June 2022
466 pages
ISBN:9781450396134
DOI:10.1145/3530019

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Cisco security features
  2. Logs
  3. Use Case Maps (UCM)
  4. extraction
  5. filtering
  6. security scenarios
  7. visualization

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE 2022

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%


Article Metrics

  • Total Citations: 0
  • Total Downloads: 49
  • Downloads (last 12 months): 12
  • Downloads (last 6 weeks): 3

Reflects downloads up to 17 Feb 2025
