
Sample Log Analysis in E&A - A Legal Framework


Academic year: 2021


A Formal Framework for Specifying and Analyzing Logs as Electronic Evidence

Eduardo Mazza (1), Marie-Laure Potet (1), Daniel Le Métayer (2)

LISE Project

Funded by the Agence Nationale de la Recherche (ANR-07-SESU-00)

(1) Verimag, Grenoble, France


Motivation

Challenge: to precisely define legal liability for software

Logs as digital evidence

More and more necessary

PROBLEM

Current solutions that define liability do not focus on logs as digital evidence

Work on log analysis shows little concern for liability

Proposal

An integrated framework for precisely defining liability and log content as electronic evidence


Outline

Introduction

Logs & Claims

Log Functions

Log Analyzer

Conclusion


Introduction

LISE Project

Contract based environment

Legal aspects studied in previous works [ICSE 2010]

Context:

FAULTS ⇒ CLAIMS ⇒ LIABILITY

Two or more agents signing a legal contract to precisely define liability for potential claims

Contract – agreement between the agents

Requirements

Description of application

Claims taken into account (covered by the contract)

Evidence agreement

Log content and architecture

Log Analyzer


LISE Approach

Two phases

Contractual – requirements and evidence agreement

Analysis – when claims appear

Contractual Phase Analysis Phase

Generic model

Use of the B-method – focus on data and behaviour


Assumptions & Key Concepts

Distributed system ⇒ distributed logs

Information spread along multiple log files

Communication between agents by message exchange

Well adapted for B2B applications

Logs are grouped by agents

A single log file may contain the information of many agents

Incremental Analysis would be an advantage

Claims may be analyzed in a partial setting of the distributed system

Not always possible to immediately obtain all logs


Logs

How to represent logs?

Generic model supporting distributed logs

Hypothesis: preserved causality, no loss, no duplication

System specification

AGENT, ACTION

Interface: $ACTION \to AGENT$

Logs and log distributions

Event: $(Send \mid Rec,\ AGENT,\ AGENT,\ ACTION)$

Log file: $\mathbb{F}(AGENT) \times \mathrm{iseq}(EVENTS)$

Distribution: $\mathbb{F}(\mathbb{F}(AGENT))$


Example of Logs

System Specification

Possible log distributions

{Client}, {Agency}, {Bank}, {Hotel}

{Client, Agency}, {Bank}, {Hotel}

Possible logs:

({Client, Agency}, [RequestSend, RequestRec, . . .])

({Hotel}, [BookRec, CancelRec, . . .])


Claims

How to represent the claims?

Logs that are concerned by the claim (agents)

A precise characterization of when the claim is accepted (log property)

A claim consists of:

A plaintiff (the complaining agent)

A defendant

A log property

→ “If the property holds, then the agent defendant is responsible”.


Properties

Property: $\mathbb{F}(AGENT) \times (LOG\_FILE \rightharpoonup BOOL)$

Distributed setting ⇒ property for partial distribution

1. Agents concerned with this property

Information needed to verify a property

2. Partial function (w.r.t. agents) that maps a log file to TRUE or FALSE


Example of Claims

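(claim NoRoom) Client requests a reservation and is charged but there is no reservation:

1. $CLAIM_{NoRoom} = (Client,\ Agency,\ prop_{NoRoom})$

2. $\mathrm{agents}(prop_{NoRoom}) = \{Client, Agency\} \;\land$

3. $\mathrm{val}(prop_{NoRoom}) = \lambda\, log \,.\, (\mathrm{agents}(log) = \{Client, Agency\} \mid RequestSend \in \mathrm{events}(log) \land DebitSend \in \mathrm{events}(log) \land BookSend \notin \mathrm{events}(log) \land \mathrm{pos}(RequestSend, log) < \mathrm{pos}(DebitSend, log))$

[Sequence diagram: agents Client, Agency, Bank, Hotel; messages Request, Debit]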


Log Functions

Motivation:

Manipulate distributed logs w.r.t. concerned agents

Log functions:

extract - obtain events in a log concerning a given group of agents

merge - provide the set of logs that respect the causal order of events

Several possible scenarios

Property:


Example of merge

[Sequence diagram: agents Client, Agency; messages Request, Cancel; logs logClient, logAgency]

$\mathrm{merge}[log_{Client}, log_{Agency}] = \{log_1, log_2\}$

$log_1 = (\{Client, Agency\},\ [RequestSend, RequestRec, CancelSend])$


Analyzing a claim

How to establish whether a claim should be accepted or rejected?

1. For a given claim (Plain, Def, Prop), select logs that have the information required by Prop ($\mathrm{agents}(Prop) \subseteq \mathrm{agents}(logs)$)

2. Merge the selected log files

3. Extract the information required by Prop ($\mathrm{agents}(Prop)$)

4. Compute the possible set of scenarios where Prop holds

5. Interpretation of the results by the judge

Two results:

Set of all scenarios

Set of scenarios where the property holds

(I) Conclude the investigation ⇒ accept or reject a claim

(II) More data needed


Log Analyzer

Log Analyzer: tool that computes the two results to be interpreted

INPUT:

logs: set of logs

prop: property

OUTPUT:

scen: all possible scenarios

ok: scenarios where the property holds

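$scen, ok \leftarrow \mathrm{Analysis}(logs, prop)$

PRE $\mathrm{agents}(prop) \subseteq \mathrm{agents}(logs)$ THEN

$scen := \mathrm{extract}_{\mathrm{agents}(prop)}[\mathrm{merge}[logs]]$;

$ok := scen \cap \mathrm{val}(prop)^{-1}[\{TRUE\}]$

END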


Interpreting the results

Depending on the values of scen and ok:

Inconclusive results – the results are not enough to support accepting or rejecting a claim

A finer study may be necessary (incremental analysis)

Some situations give definitive results: if $scen = ok$ then the claim is accepted


Example of analysis - claim NoRoom (paper Example 8)

[Sequence diagram: agents Client, Agency, Bank, Hotel; messages Request, Debit, Justify]

Agency wants to verify if the claim is valid without using Bank’s log

3 scenarios:

RequestSend, RequestRec, DebitSend, JustifyRec

RequestSend, RequestRec, JustifyRec, DebitSend

RequestSend, JustifyRec, RequestRec, DebitSend


Incremental analysis

Inconclusive results may demand more logs to be analyzed

Previous results may help in the computation of the new analysis

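$scen', ok' \leftarrow \mathrm{Analysis}(logs \cup logs', prop)$

Incremental calculus

1. Compute $scen, ok \leftarrow \mathrm{Analysis}(logs, prop)$

2. $iscen, iok \leftarrow \mathrm{IncrAnalysis}(logs', prop, scen, ok)$

$iscen := \mathrm{extract}[\mathrm{merge}[logs' \cup scen]]$

$iok := \mathrm{extract}[\mathrm{merge}[logs' \cup ok]]$

ADVANTAGE: No need to verify the property again

$ok' \subseteq iok \subseteq ok$

$scen' \subseteq iscen \subseteq scen$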
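The Analysis and IncrAnalysis operations above, run on the NoRoom case, as an added Python example that is not the authors' code. The function names, the concrete Client, Agency and Bank logs (Justify taken to go from Bank to Client), the rule that a Send is logged by its sender and a Rec by its receiver, and the reading of merge[logs′ ∪ scen] as merging each earlier scenario with the new logs are assumptions.

```python
# Event = (kind, sender, receiver, action). A log is (set of agents, tuple of events);
# scenarios are plain event tuples.

def merge(seqs):
    """Every interleaving of seqs that keeps each sequence's order and never puts a
    Rec before its Send when that Send appears in one of the sequences."""
    sends = {e[1:] for s in seqs for e in s if e[0] == "Send"}
    def walk(idx, acc):
        if len(acc) == sum(map(len, seqs)):
            yield acc
        for k, s in enumerate(seqs):
            if idx[k] == len(s):
                continue
            ev = s[idx[k]]
            if ev[0] == "Rec" and ev[1:] in sends and ("Send", *ev[1:]) not in acc:
                continue  # causality: wait for the matching Send
            yield from walk(idx[:k] + (idx[k] + 1,) + idx[k + 1:], acc + (ev,))
    return set(walk((0,) * len(seqs), ()))

def extract(group, scenarios):
    # Assumption: a Send is logged by its sender (e[1]), a Rec by its receiver (e[2]).
    return {tuple(e for e in s if e[1 if e[0] == "Send" else 2] in group) for s in scenarios}

def analysis(logs, prop_agents, val):
    if not set(prop_agents) <= set().union(*(a for a, _ in logs)):  # PRE
        raise ValueError("logs do not cover agents(prop)")
    scen = extract(prop_agents, merge([evs for _, evs in logs]))
    return scen, {s for s in scen if val(s)}

def incr_analysis(new_logs, prop_agents, scen, ok):
    # val is not re-evaluated: old scenarios are merged with the new logs and re-extracted.
    new = [evs for _, evs in new_logs]
    step = lambda old: {t for s in old for t in extract(prop_agents, merge(new + [s]))}
    return step(scen), step(ok)

def prop_no_room(s):
    evs = [(kind, action) for kind, _, _, action in s]
    req, deb = ("Send", "Request"), ("Send", "Debit")
    return (req in evs and deb in evs and ("Send", "Book") not in evs
            and evs.index(req) < evs.index(deb))

# Constructed logs, assumed from the diagram (Justify goes from Bank to Client).
RS, RR = ("Send", "Client", "Agency", "Request"), ("Rec", "Client", "Agency", "Request")
DS, DR = ("Send", "Agency", "Bank", "Debit"), ("Rec", "Agency", "Bank", "Debit")
JS, JR = ("Send", "Bank", "Client", "Justify"), ("Rec", "Bank", "Client", "Justify")
LOGS = [({"Client"}, (RS, JR)), ({"Agency"}, (RR, DS))]
BANK = [({"Bank"}, (DR, JS))]
PA = {"Client", "Agency"}
SCEN, OK = analysis(LOGS, PA, prop_no_room)
ISCEN, IOK = incr_analysis(BANK, PA, SCEN, OK)
```

On these constructed logs SCEN and OK both contain the three scenarios listed for the NoRoom example, so scen = ok. Adding the Bank log narrows ISCEN and IOK to the single ordering RequestSend, RequestRec, DebitSend, JustifyRec.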


Example of incremental Analysis (paper Example 9)

(claim LateCancel) Client complains that it was charged for a reservation that had been canceled

$prop_{LateCancel}$:

$DebitSend \in \mathrm{events}(log) \land CancelSend \in \mathrm{events}(log) \land \mathrm{pos}(CancelSend, log) < \mathrm{pos}(DebitSend, log)$

$\mathrm{agents}(prop_{LateCancel}) = \{Client, Agency\}$

[Sequence diagram: agents Client, Agency, Bank, Hotel; messages Request, Book, Confirm, Debit, Justify, Cancel, CancelDebit]

First analysis

[Same sequence diagram]

Second analysis (incremental)

[Same sequence diagram]

scen with 3 scenarios


Conclusion

Contributions:

General framework to precisely describe claims in terms of logs

Specification of a Log Analyzer tool

Study of incremental aspects over the acceptability of claims

Future work:

Parametrized claims and properties

Integration with previous works

Analysis of log architecture [SEFM 2010]

Help adding logs for incremental analysis

Formal definition of liability

When should a claim be accepted

Claims with multiple responsible agents
