Progress over the summer
Kadri Tõldsepp

During the summer months one of our project partners (KTH) investigated collaborative intrusion detection (CID) and distributed monitoring (DM) as possible application areas for secure multiparty computation (SMC). Roberto from KTH gave us a short overview and explanation.

Assume a set of distributed agents that keep logs of locally chosen observable events. These agents interact via synchronized events, for example the sending of a message and its corresponding reception, which are one event shared by the two agents involved.

When things go wrong in a system, the usual question is: “What happened?” Distributed monitoring is the problem of computing the possible (global) executions that are compatible with the (local) logs recorded by the agents.

For very large distributed systems, however, the more meaningful problem is not computing a global solution but computing local views of the solution, in a distributed fashion. In other words, the problem is, for each agent, to infer what happened locally, that is, to compute, by communicating with the other agents, all possible local executions that are:
(i) locally consistent with the logs, and
(ii) globally synchronizable.

This problem is known as modular distributed monitoring and its solution can be used to debug large distributed systems or to coordinate intrusion detection activities.

We investigated the mathematical foundation on which to base distributed monitoring. In this setting, our main focus is to select the data structures (e.g. trellises) and a minimal set of operations on them (e.g. products, projections and intersections) that allow us to implement DM while preserving the agents' privacy. We also rephrased CID in terms of DM. This would allow us to apply the techniques developed for distributed monitoring to the situation where different agents want to collaborate to identify possible threats and attacks.
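As an added illustration of conditions (i) and (ii) and of the product/projection operations mentioned above (example code written for this page, not code from the project or from KTH), the following Python enumerates, on constructed logs, each agent's locally consistent executions, the product of those executions synchronized on shared message events, and the projection of that product back onto each agent, which is the agent's local view. The three agents, the event names, and the modelling rule that an event an agent does not log may have occurred at most once at any position are assumptions made for the example; a real implementation would use a compact trellis instead of explicit enumeration and, in the SMC setting, would compute the product without the agents revealing their logs to each other. This example computes everything in the clear, so it shows what the privacy-preserving protocol has to compute, not how to compute it privately.

```python
from itertools import combinations, permutations, product

# Constructed scenario (assumption for this example):
#   m1: A sends a request to B, m2: B replies to A, m3: B forwards to C.
# A and C log every event; B logs only its local event B_exec, so the
# message events are unobserved at B and must be inferred.
AGENTS = ["A", "B", "C"]
ALPHABETS = [
    {"A_auth", "m1", "m2"},        # A: front end, logs every event
    {"m1", "m2", "m3", "B_exec"},  # B: application server, logs only B_exec
    {"m3", "C_alert"},             # C: detector, logs every event
]
LOGS = [("A_auth", "m1", "m2"), ("B_exec",), ("m3", "C_alert")]
UNOBSERVED = [set(), {"m1", "m2", "m3"}, set()]


def merge(xs, ys):
    """All interleavings of two sequences that keep each one's own order."""
    if not xs:
        return [tuple(ys)]
    if not ys:
        return [tuple(xs)]
    return ([(xs[0],) + r for r in merge(xs[1:], ys)] +
            [(ys[0],) + r for r in merge(xs, ys[1:])])


def locally_consistent(log, unobserved):
    """Condition (i): the logged events in their recorded order, with each
    unobserved event of the agent's alphabet inserted at most once anywhere.
    (Assumed local model; a trellis would represent this set compactly.)"""
    out = set()
    for k in range(len(unobserved) + 1):
        for subset in combinations(sorted(unobserved), k):
            for order in permutations(subset):
                out.update(merge(tuple(log), order))
    return out


def synchronized_product(locals_, alphabets):
    """Global executions whose projection onto every agent's alphabet equals
    that agent's local execution. A shared event fires only when every agent
    whose alphabet contains it is ready to perform it next."""
    n = len(locals_)
    results = []

    def rec(pos, prefix):
        if all(pos[i] == len(locals_[i]) for i in range(n)):
            results.append(tuple(prefix))
            return
        tried = set()
        for i in range(n):
            if pos[i] == len(locals_[i]):
                continue
            e = locals_[i][pos[i]]
            if e in tried:
                continue
            tried.add(e)
            participants = [j for j in range(n) if e in alphabets[j]]
            if all(pos[j] < len(locals_[j]) and locals_[j][pos[j]] == e
                   for j in participants):
                nxt = list(pos)
                for j in participants:
                    nxt[j] += 1
                rec(nxt, prefix + [e])

    rec([0] * n, [])
    return results


def local_views(candidates, alphabets):
    """Condition (ii): keep, for each agent, only those locally consistent
    executions that occur as the projection of some global execution."""
    globals_ = set()
    views = [set() for _ in candidates]
    for combo in product(*[sorted(c) for c in candidates]):
        g = synchronized_product(list(combo), alphabets)
        if g:
            globals_.update(g)
            for i, loc in enumerate(combo):
                views[i].add(loc)
    return globals_, views


def run_example():
    candidates = [locally_consistent(LOGS[i], UNOBSERVED[i]) for i in range(3)]
    global_execs, views = local_views(candidates, ALPHABETS)
    return candidates, global_execs, views


if __name__ == "__main__":
    candidates, global_execs, views = run_example()
    for i, name in enumerate(AGENTS):
        print(f"{name}: {len(candidates[i])} locally consistent, "
              f"{len(views[i])} globally synchronizable")
    print(len(global_execs), "global executions, e.g.", sorted(global_execs)[0])
```

Running it shows the effect of synchronization on B, the agent with the weakest log: of B's 49 locally consistent executions only 12 survive, namely those that contain all three messages and in which m1 precedes m2, because A's log fixes that order and C's log requires m3; A and C, which logged everything, keep exactly their own logs as their view. The 60 global executions are never needed by any single agent, which is the point of the modular formulation: each agent only needs its own projection.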