Auditing with Incomplete Logs

The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users’ activities to prove conformity to policies and detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic. Indeed, a good deal of users’ activities may not be under the control of the IT system and thus they cannot be logged. In this paper we tackle the problem of accessing policy compliance in presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and to pinpoint policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies evaluated.