OALib Journal (ISSN: 2333-9721)

A Stateful Approach to Generate Synthetic Events from Kernel Traces

DOI: 10.1155/2012/140368


Abstract:

We propose a generic synthetic event generator from kernel trace events. The proposed method makes use of patterns of system states and environment-independent semantic events rather than platform-specific raw events. This method can be applied to different kernel and user level trace formats. We use a state model to store intermediate states and events. This stateful method supports partial trace abstraction and enables users to seek and navigate through the trace events and to abstract out the desired part. Since it uses the current and previous values of the system states and has more knowledge of the underlying system execution, it can generate a wide range of synthetic events. One of the obvious applications of this method is the identification of system faults and problems, which is shown later in this paper. We will discuss the architecture of the method, its implementation, and the performance results.

1. Introduction

Tracing complete systems provides information on several system levels. The use of execution traces as a method to analyze system behavior is increasing among system administrators and analysts. By examining the trace events, experts can detect system problems and misbehavior caused by program errors, application misconfigurations, and also attackers. The Linux Trace Toolkit next generation (LTTng), a low-impact and precise Linux tracing tool, provides a detailed execution trace of system calls, operating system operations, and user space applications [1]. The resulting trace files can be used to analyze the traced system at kernel and user space levels. However, these trace files can grow to a large number of events very quickly and make analysis difficult. Moreover, this data contains too many low-level system calls that often complicate reading and comprehension. Thus, the need arises to somehow reduce the size of huge trace files.
In addition, it is better to have relatively abstract and high-level events that are more readable than raw events and at the same time reflect the same system behavior. Trace abstraction techniques reduce the size of the original trace by grouping the events and generating high-level compound synthetic events. Since synthetic events reveal more high-level information about the underlying system execution, they can be used to easily analyze and discuss the system at higher levels. To generate such synthetic events, it is required to develop efficient tools and methods to read trace events, detect similar sections and behaviors, and convert them to meaningful coarse-grained events. Most of the trace
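The abstract and the introduction above describe three ingredients: mapping platform-specific raw events to environment-independent semantic events, a state model that keeps the current and previous system states, and synthetic events (including fault symptoms) generated from patterns over those states, with checkpoints so that only a window of the trace has to be abstracted. The following is an added illustration written for this page, not code from the paper or from LTTng; the two raw-event vocabularies ("lttng:*" and "other:*"), the event field names, the sample trace and the "three consecutive failing syscalls" pattern are all constructed for the example.

```python
"""Toy stateful synthetic-event generator (added example, not the paper's code).

Raw events from two invented trace formats are mapped to semantic events, fed
through a state model (process running per CPU, pending syscall per process,
open file descriptors per process), and combined into synthetic events.
Periodic checkpoints of the state allow seeking into the trace and abstracting
only a window of it (partial trace abstraction).
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Platform-specific raw names -> environment-independent semantic names.
# Both vocabularies are made up for this example.
SEMANTIC = {
    "lttng:sched_switch": "SCHED", "other:ctx_switch": "SCHED",
    "lttng:sys_open": "OPEN", "other:open_begin": "OPEN",
    "lttng:sys_read": "READ", "other:read_begin": "READ",
    "lttng:sys_close": "CLOSE", "other:close_begin": "CLOSE",
    "lttng:exit_syscall": "EXIT", "other:sys_ret": "EXIT",
}


@dataclass
class State:
    running: Dict[int, int] = field(default_factory=dict)       # cpu -> pid
    pending: Dict[int, Tuple[str, dict, int]] = field(default_factory=dict)  # pid -> (kind, fields, entry ts)
    fds: Dict[int, Dict[int, str]] = field(default_factory=dict)  # pid -> fd -> path
    fail_streak: Dict[int, int] = field(default_factory=dict)    # pid -> consecutive failed syscalls


def step(state: State, ev: dict, out: List[dict]) -> None:
    """Apply one raw event to the state model; append synthetic events to `out`."""
    sem = SEMANTIC.get(ev["name"])
    if sem is None:
        return                                   # unknown raw event: ignored
    cpu, ts, f = ev["cpu"], ev["ts"], ev.get("fields", {})
    if sem == "SCHED":
        state.running[cpu] = f["next_pid"]       # scheduler state drives attribution
        return
    pid = state.running.get(cpu)
    if pid is None:
        return                                   # no known process on this CPU yet (partial trace)
    if sem in ("OPEN", "READ", "CLOSE"):
        state.pending[pid] = (sem, f, ts)        # keep the entry until its exit arrives
        return
    entry = state.pending.pop(pid, None)         # sem == "EXIT"
    if entry is None:
        return                                   # exit without a seen entry: skip
    kind, ef, t0 = entry
    ret = f["ret"]
    fds = state.fds.setdefault(pid, {})
    if ret < 0:                                  # failed syscall: count it as a fault symptom
        streak = state.fail_streak.get(pid, 0) + 1
        state.fail_streak[pid] = streak
        path = ef["path"] if "path" in ef else fds.get(ef.get("fd"), "?")
        out.append({"type": f"{kind}_FAILED", "pid": pid, "path": path, "errno": -ret, "ts": ts})
        if streak == 3:                          # pattern over previous states, not a single event
            out.append({"type": "REPEATED_SYSCALL_FAILURES", "pid": pid, "ts": ts})
        return
    state.fail_streak[pid] = 0
    if kind == "OPEN":
        fds[ret] = ef["path"]
        out.append({"type": "FILE_OPENED", "pid": pid, "path": ef["path"], "fd": ret,
                    "latency": ts - t0, "ts": ts})
    elif kind == "READ":                         # path comes from state, not from the raw event
        out.append({"type": "FILE_READ", "pid": pid, "path": fds.get(ef["fd"], "?"),
                    "bytes": ret, "ts": ts})
    elif kind == "CLOSE":
        out.append({"type": "FILE_CLOSED", "pid": pid, "path": fds.pop(ef["fd"], "?"), "ts": ts})


def abstract(events: List[dict], every: int = 4):
    """Full pass: returns (synthetic events, checkpoints {event index: State})."""
    state, out, checkpoints = State(), [], {0: State()}
    for i, ev in enumerate(events):
        step(state, ev, out)
        if (i + 1) % every == 0:
            checkpoints[i + 1] = copy.deepcopy(state)
    return out, checkpoints


def abstract_window(events, start, end, checkpoints):
    """Partial abstraction: restore the nearest checkpoint at or before `start`,
    replay silently up to `start`, then emit synthetic events for events[start:end]."""
    base = max(i for i in checkpoints if i <= start)
    state, out = copy.deepcopy(checkpoints[base]), []
    for ev in events[base:start]:
        step(state, ev, [])                      # rebuild state, discard its output
    for ev in events[start:end]:
        step(state, ev, out)
    return out


# Constructed sample trace: two formats interleaved across two CPUs. pid 200
# keeps failing to open a config file (EACCES = 13), a misconfiguration symptom.
SAMPLE = [
    {"ts": 1, "cpu": 0, "name": "lttng:sched_switch", "fields": {"next_pid": 100}},
    {"ts": 2, "cpu": 1, "name": "other:ctx_switch", "fields": {"next_pid": 200}},
    {"ts": 3, "cpu": 0, "name": "lttng:sys_open", "fields": {"path": "/etc/hosts"}},
    {"ts": 4, "cpu": 1, "name": "other:open_begin", "fields": {"path": "/etc/app/config"}},
    {"ts": 5, "cpu": 0, "name": "lttng:exit_syscall", "fields": {"ret": 3}},
    {"ts": 6, "cpu": 1, "name": "other:sys_ret", "fields": {"ret": -13}},
    {"ts": 7, "cpu": 0, "name": "lttng:sys_read", "fields": {"fd": 3}},
    {"ts": 8, "cpu": 0, "name": "lttng:exit_syscall", "fields": {"ret": 512}},
    {"ts": 9, "cpu": 1, "name": "other:open_begin", "fields": {"path": "/etc/app/config"}},
    {"ts": 10, "cpu": 1, "name": "other:sys_ret", "fields": {"ret": -13}},
    {"ts": 11, "cpu": 0, "name": "lttng:sys_close", "fields": {"fd": 3}},
    {"ts": 12, "cpu": 0, "name": "lttng:exit_syscall", "fields": {"ret": 0}},
    {"ts": 13, "cpu": 1, "name": "other:open_begin", "fields": {"path": "/etc/app/config"}},
    {"ts": 14, "cpu": 1, "name": "other:sys_ret", "fields": {"ret": -13}},
]

if __name__ == "__main__":
    synthetic, cps = abstract(SAMPLE)
    for s in synthetic:
        print(s)
    print("window 10..12:", abstract_window(SAMPLE, 10, 12, cps))
```

The point of the `abstract_window` call is that the `FILE_CLOSED` event it produces still carries the path `/etc/hosts`, which appears in no raw event of that window: it comes from the restored checkpoint state, which is what lets a user seek into a large trace and abstract only the part of interest without replaying everything before it.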

References

[1]  M. Desnoyers and M. R. Dagenais, “The LTTng tracer: a low impact performance and behavior monitor for GNU/Linux,” in Proceedings of the Ottawa Linux Symposium, 2006.
[2]  W. Fadel, Techniques for the abstraction of system call traces [M.Sc.A. dissertation], Concordia University, 2010.
[3]  H. Waly and B. Ktari, “A complete framework for kernel trace analysis,” in Proceedings of the Canadian Conference on Electrical and Computer Engineering (CCECE '11), pp. 001426–001430, Niagara Falls, Canada, May 2011.
[4]  J. P. Black, M. H. Coffin, D. J. Taylor, T. Kunz, and T. Basten, “Linking specification, abstraction, and debugging,” CCNG Technical Report E-232, Computer Communications and Networks Group, University of Waterloo, 1993.
[5]  M. Auguston, A. Gates, and M. Lujan, “Defining a program behavior model for dynamic analyzers,” in Proceedings of the 9th International Conference on Software Engineering and Knowledge Engineering (SEKE '97), pp. 257–262, Madrid, Spain, June 1997.
[6]  G. Matni and M. Dagenais, “Automata-based approach for kernel trace analysis,” in Proceedings of the Canadian Conference on Electrical and Computer Engineering (CCECE '09), pp. 970–973, May 2009.
[7]  L. Fu, Exploration and visualization of large execution traces [M.Sc.A. dissertation], University of Ottawa, 2005.
[8]  A. Hamou-Lhadj and T. Lethbridge, “Survey of trace exploration tools and techniques,” in Proceedings of the 14th IBM Conference of the Centre for Advanced Studies on Collaborative Research, pp. 42–55, IBM Press, 2004.
[9]  W. D. Pauw, R. Helm, D. Kimelman, and J. M. Vlissides, “Visualizing the behavior of object-oriented systems,” in Proceedings of the 8th Conference on Object-Oriented Programming Systems, Languages, and Applications (OOPSLA '93), pp. 326–337, ACM, 1993.
[10]  D. B. Lange and Y. Nakamura, “Object-oriented program tracing and visualization,” Computer, vol. 30, no. 5, pp. 63–70, 1997.
[11]  D. F. Jerding, J. T. Stasko, and T. Ball, “Visualizing interactions in program executions,” in Proceedings of the 19th IEEE International Conference on Software Engineering, pp. 360–370, May 1997.
[12]  A. Chan, R. Holmes, G. C. Murphy, and A. T. T. Ying, “Scaling an Object-oriented system execution visualizer through sampling,” in Proceedings of the IEEE International Workshop on Program Comprehension (ICPC '03), 2003.
[13]  S. P. Reiss, “Visualizing Java in action,” in Proceedings of the ACM Symposium on Software Visualization (SoftVis '03), pp. 57–65, ACM, June 2003.
[14]  T. Systä, K. Koskimies, and H. Müller, “Shimba—an environment for reverse engineering Java software systems,” Software—Practice and Experience, vol. 31, no. 4, pp. 371–394, 2001.
[15]  S. T. Eckmann, G. Vigna, and R. A. Kemmerer, “STATL: an attack language for state-based intrusion detection,” Journal of Computer Security, vol. 10, no. 1-2, pp. 71–103, 2002.
[16]  P. Uppuluri, Intrusion detection/prevention using behavior specifications [Ph.D. dissertation], State University of New York at Stony Brook, New York, NY, USA, 2003.
[17]  S. Kumar, Classification and detection of computer intrusions [Ph.D. thesis], CERIAS lab, Purdue University, 1995.
[18]  J. L. Lin, X. S. Wang, and S. Jajodia, “Abstraction-based misuse detection: high-level specifications and adaptable strategies,” in Proceedings of the 11th IEEE Computer Security Foundations Workshop (CSFW '98), pp. 190–201, Rockport, Mass, USA, June 1998.
[19]  P. Beaucamps, I. Gnaedig, and J. Y. Marion, “Behavior abstraction in malware analysis,” in Proceedings of the Runtime Verification Conference (RV '10), pp. 168–182, 2010.
[20]  A. Montplaisir and M. R. Dagenais, Stockage sur disque pour accès rapide d'attributs avec intervalles de temps [M.Sc.A. dissertation], Dorsal lab, École Polytechnique de Montréal, Montreal, Canada, 2011.
[21]  M. M. Sebring, E. Shellhouse, M. Hanna, and R. A. Whitehurst, “Expert systems in intrusion detection: a case study,” in Proceedings of the National Computer Security Conference, pp. 74–81, 1988.
[22]  2011, http://www.nmap.org/.
[23]  RFC 793: Transmission Control Protocol, 2011, http://www.faqs.org/rfcs/rfc793.html.
