#### DMCA

## IEEE TRANSACTIONS ON SOFTWARE ENGINEERING (preprint) 1 Monitoring Data Usage in Distributed Systems

### Citations

2868 | Time, clocks and ordering of events in distributed systems
- Lamport
- 1978
(Show Context)
Citation Context ...logic with epistemic operators [25] that reflect the local knowledge of a process. The semantics of temporal operators in this logic is defined with respect to a partial ordering, the causal ordering =-=[26]-=- commonly used in distributed systems. Their logic therefore does not allow one to express temporal constraints on events that are not causally related. Policies are defined with respect to the local ... |

1650 |
The temporal logic of programs
- Pnueli
- 1977
(Show Context)
Citation Context ...nd monitor this merged stream of logged actions. These system extensions are depicted in Figure 1. To express policies, we use a metric first-order temporal logic (MFOTL). In general, temporal logics =-=[12]-=- are well suited to formalize system properties and to algorithmically reason about system behavior. In particular, the standard temporal operators allow us to naturally express temporal aspects of da... |

231 |
The Book of Traces.
- Diekert
- 1995
(Show Context)
Citation Context ...n a declarative language based on Datalog. The monitored properties are translated into this language and the monitoring algorithm is executed together with the network protocols. Mazurkiewicz traces =-=[31]-=- provide an abstract view on partially ordered logs. With this view, the problem of checking whether a policy is strongly violated on a partially ordered log can be stated as checking whether all line... |

221 | Logics and models of real time: A survey.
- Alur, Henzinger
- 1992
(Show Context)
Citation Context ...ators allow us to naturally express temporal aspects of data usage policies, such as whenever a user requests the deletion of his data then the data must eventually be deleted. Metric temporal logics =-=[13]-=- associate timing constraints with temporal operators. We can thereby straightforwardly express requirements that commonly occur in data-usage policies, for example that data deletion must happen with... |

199 |
What good is temporal logic? In
- Lamport
- 1983
(Show Context)
Citation Context ...ong. Note that the formula from the example in Section 2.2 is not collapse-sufficient, but the weaker and stronger formulas from Example 4.2 are collapse-sufficient. Also note that stutter-invariance =-=[21]-=- is a necessary condition for collapsesufficiency. However, it is not a sufficient condition. For example, the formula ∀x. p(x) ∧ q(x) is stuttering-invariant but not collapse-sufficient. As with int... |

93 | Efficient checking of temporal integrity constraints using bounded history encoding,”
- Chomicki
- 1995
(Show Context)
Citation Context ...Work Various algorithms have been presented for efficiently monitoring system behavior by inspecting totally ordered logs [6]–[10]. The monitor [10], [14] used in this work extends Chomicki’s monitor =-=[22]-=- and can be directly used to monitor a single system component or a log file. A broader overview on the state of the art of monitoring distributed systems can be found in the survey by Goodloe and Pik... |

66 |
Ten years of partial order reduction.
- Peled
- 1998
(Show Context)
Citation Context ...This is independent of the timestamps of actions, whereas in our setting the possibility of reordering depends on the timestamp and not the action. Also related to our work is partial-order reduction =-=[32]-=-. Partial-order techniques aim at reducing the number of interleavings that are sufficient for checking whether a temporal property is satisfied on all possible interleavings. Partial-order reduction ... |

48 | Log Auditing Through Model Checking.
- Roger, Goubault-Larrecq
- 2001
(Show Context)
Citation Context ...ons are observed and automatically checked for compliance against a policy. Efficient monitoring algorithms have been given for this task for various policy specification languages, see, for example, =-=[5]-=-–[10]. The underlying semantic model of these languages is that the observed system actions are totally ordered. However, a total ordering is often not available. Even simple IT systems are composed o... |

47 | Detection of Global Predicates: Techniques and their Limitations
- Chase, Garg
- 1998
(Show Context)
Citation Context ...the satisfiability and validity of formulas in propositional logic, respectively, to the respective decision problem for proving its hardness. In [18], the global-predicate-detection decision problem =-=[20]-=- is used. The setting in [19] allows for arbitrary partial orders and hence could be used to describe the set of interleavings of two timestamped traces. The authors reduce the decision problem 3-SAT ... |

33 | Efficient Decentralized Monitoring of Safety in Distributed Systems.
- Sen, Vardhan, et al.
- 2004
(Show Context)
Citation Context ...y used to monitor a single system component or a log file. A broader overview on the state of the art of monitoring distributed systems can be found in the survey by Goodloe and Pike [23]. Sen et al. =-=[24]-=- present a distributed monitoring approach, where multiple monitors which communicate with each other are implemented locally. The authors use a propositional past linear-time distributed temporal log... |

30 | Formal analysis of log files - Barringer, Groce, et al. |

26 |
Foundations of Databases: The Logical Level.
- Abiteboul, Hull, et al.
- 1995
(Show Context)
Citation Context ...d every j ∈ N. Furthermore, we require that ¬ψ can be rewritten to a temporal-subformuladomain-independent formula [10], a generalization of the standard notion of domain-independent database queries =-=[17]-=-. We refer to [10] for a detailed description of the monitoring algorithm. Additional algorithmic details are also presented in Appendix A, for the sake of completeness. Note that the monitoring algor... |

24 | Runtime monitoring of metric first-order temporal properties
- Basin, Klaedtke, et al.
- 2008
(Show Context)
Citation Context ...are observed and automatically checked for compliance against a policy. Efficient monitoring algorithms have been given for this task for various policy specification languages, see, for example, [5]–=-=[10]-=-. The underlying semantic model of these languages is that the observed system actions are totally ordered. However, a total ordering is often not available. Even simple IT systems are composed of mul... |

23 | Monitoring security policies with metric first-order temporal logic - Basin, Klaedtke, et al. |

19 | O.: Checking traces for regulatory conformance
- Dinesh, Joshi, et al.
(Show Context)
Citation Context ... administrators are honest and interested in honoring the policies. 8 Related Work Various algorithms have been presented for efficiently monitoring system behavior by inspecting totally ordered logs =-=[6]-=-–[10]. The monitor [10], [14] used in this work extends Chomicki’s monitor [22] and can be directly used to monitor a single system component or a log file. A broader overview on the state of the art ... |

18 |
Local knowledge assertions in a changing world
- Ramanujam
- 1996
(Show Context)
Citation Context ...oring approach, where multiple monitors which communicate with each other are implemented locally. The authors use a propositional past linear-time distributed temporal logic with epistemic operators =-=[25]-=- that reflect the local knowledge of a process. The semantics of temporal operators in this logic is defined with respect to a partial ordering, the causal ordering [26] commonly used in distributed s... |

15 | Model-based runtime analysis of distributed reactive systems.
- Bauer
- 2007
(Show Context)
Citation Context ...xpressiveness of the policy specification language. Therefore different possible interleavings need not be considered and the monitoring can be more efficient. We discuss examples below. Bauer et al. =-=[29]-=- assume a setting where system actions are totally ordered, thereby abstracting away distributivity and concurrency. In their setting, system requirements are given in a propositional linear-time temp... |

14 | MaC: Distributed Monitoring and Checking,”
- Zhou, Sokolsky, et al.
- 2009
(Show Context)
Citation Context ...and others satisfy it. Note that in our approach, the formulas in the syntactically-defined fragments either satisfy all interleavings or violate all interleavings. Several monitoring approaches [28]–=-=[30]-=- have been proposed where actions logged with equal timestamps are considered to happen simultaneously. This corresponds to defining their semantics with respect to the collapsed log in our setting an... |

12 | Runtime enforcement of web service message contracts with data,” - Halle, Villemaire - 2012 |

12 | Decentralised ltl monitoring
- Bauer, Falcone
(Show Context)
Citation Context ...mula and others satisfy it. Note that in our approach, the formulas in the syntactically-defined fragments either satisfy all interleavings or violate all interleavings. Several monitoring approaches =-=[28]-=-–[30] have been proposed where actions logged with equal timestamps are considered to happen simultaneously. This corresponds to defining their semantics with respect to the collapsed log in our setti... |

9 | L.: Monitoring distributed real-time systems: a survey and future directions (NASA/CR-2010-216724
- Goodloe, Pike
- 2010
(Show Context)
Citation Context ...nd can be directly used to monitor a single system component or a log file. A broader overview on the state of the art of monitoring distributed systems can be found in the survey by Goodloe and Pike =-=[23]-=-. Sen et al. [24] present a distributed monitoring approach, where multiple monitors which communicate with each other are implemented locally. The authors use a propositional past linear-time distrib... |

8 | MONPOLY: Monitoring usage-control policies
- Basin, Harvan, et al.
- 2012
(Show Context)
Citation Context ...nbounded number of agents and data elements in IT systems. In [10] we presented a monitoring algorithm for an expressive fragment of MFOTL for a totally ordered sequence of timestamped actions and in =-=[14]-=- we described an implementation of this algorithm. We also showed that many policies can naturally be expressed in a fragment of this logic, which we can effectively monitor [15]. Summary. We identify... |

8 | Monitoring distributed controllers: When an efficient ltl algorithm on sequences is needed to modelcheck traces
- Massart, Meuter
- 2006
(Show Context)
Citation Context ...erleavings to determine whether φ is weakly or strongly violated at the time point i. We remark that related intractability results for LTL on so-called partially ordered traces are given in [18] and =-=[19]-=-. The setting in [18] is different from ours. In particular, it is unclear how to describe the set of interleavings of two timestamped traces using partially ordered traces as defined in [18]. Moreove... |

5 | Monitoring usage-control policies in distributed systems
- Basin, Harvan, et al.
- 2011
(Show Context)
Citation Context ..., 8092 Zurich, Switzerland. Email: firstname.lastname@inf.ethz.ch Manuscript received xxx; revised xxx; accepted xxx; published online xxx. This article is an extended version of the conference paper =-=[1]-=-. Recommended for acceptance by xxx. For information on obtaining reprints of this article, please send e-mail to: tse@computer.org, and reference xxx. expensive. Not requiring it leads to a partial o... |

5 |
Runtime verification of traces under recording uncertainty
- Wang, Ayoub, et al.
- 2011
(Show Context)
Citation Context ...but, in the worst case, exponentially many must still be examined. Furthermore, it is unclear how their algorithm for the propositional setting extends to a timed and first-order setting. Wang et al. =-=[27]-=- consider a problem similar to that of Genon et al. [19]. Their monitoring algorithm for past-only propositional LTL with a three-valued semantics explicitly explores the possible interleavings of a p... |

4 | From scripts to specification: The evaluation of a flight testing effort - Groce, Havelund, et al. - 2010 |

2 |
NRC data collection campaign and the privacy by design principles
- Aad, Niemi
- 2010
(Show Context)
Citation Context ...ions with equal timestamps. Furthermore, we provide means to approximate policies to fall within these fragments. We evaluate our approach in a real-world case study, Nokia’s Data-collection Campaign =-=[16]-=-. In this campaign, sensitive data is collected by mobile phones and propagated between databases. The underlying IT system is an instance of our system model. For the evaluation, we extended it to su... |

2 | On the complexity of partial order trace model checking
- Massart, Meuter, et al.
- 2008
(Show Context)
Citation Context ...f the interleavings to determine whether φ is weakly or strongly violated at the time point i. We remark that related intractability results for LTL on so-called partially ordered traces are given in =-=[18]-=- and [19]. The setting in [18] is different from ours. In particular, it is unclear how to describe the set of interleavings of two timestamped traces using partially ordered traces as defined in [18]... |