Auditing with incomplete logs
The protection of sensitive information is of utmost importance for organizations. The complexity and dynamism of modern businesses are forcing a re-think of traditional protection mechanisms. In particular, a priori policy enforcement mechanisms are often complemented with auditing mechanisms that rely on an a posteriori analysis of logs recording users' activities to prove conformity to policies and to detect policy violations when a valid explanation of conformity does not exist. However, existing auditing solutions require that the information necessary to assess policy compliance is available for the analysis. This assumption is not realistic: a good deal of users' activities may not be under the control of the IT system and thus cannot be logged. In this paper we tackle the problem of assessing policy compliance in the presence of incomplete logs. In particular, we present an auditing framework to assist analysts in finding a valid explanation for the events recorded in the logs and in pinpointing policy violations if such an explanation does not exist, when logs are incomplete. We also introduce two strategies for the refinement of plausible explanations of conformity to drive analysts along the auditing process. Our framework has been implemented on top of CIFF, an abductive proof procedure, and the efficiency and effectiveness of the refinement strategies have been evaluated.
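The abductive idea behind the abstract, as an added Python illustration that is not the paper's CIFF-based implementation: logged accesses are explained by hypothesising unlogged events (assignments, emergency declarations) that must remain consistent with integrity constraints, and an access with no consistent explanation is reported as a violation. The policy, the log and the background facts below are constructed for the example.

```python
from itertools import combinations

# Constructed sample: accesses the IT system could log, plus known background
# facts. Patient assignments and emergency declarations happen outside the
# system, so they are never logged and must be abduced (hypothesised).
LOG = [("access", "alice", "p1"), ("access", "bob", "p2"), ("access", "carol", "p3")]
FACTS = {("works_in", "alice", "cardio"), ("works_in", "bob", "onco"),
         ("works_in", "carol", "cardio"), ("ward", "p1", "cardio"),
         ("ward", "p2", "cardio"), ("ward", "p3", "onco"), ("report", "carol", "p3")}

def abducibles(event):
    """Unlogged atoms that could justify this access (hypothetical policy)."""
    _, doc, pat = event
    return [("assigned", doc, pat), ("emergency", pat)]

def explains(event, hyp):
    """Policy rule: an access is permitted if the doctor was assigned to the
    patient or an emergency was declared for the patient."""
    _, doc, pat = event
    return ("assigned", doc, pat) in hyp or ("emergency", pat) in hyp

def consistent(hyp, facts):
    """Integrity constraints: assignments stay within the doctor's department,
    and an emergency must be backed by a (logged) report for the patient."""
    for atom in hyp:
        if atom[0] == "assigned":
            _, doc, pat = atom
            depts = {d for (k, x, d) in facts if k == "works_in" and x == doc}
            wards = {w for (k, p, w) in facts if k == "ward" and p == pat}
            if not depts & wards:
                return False
        elif atom[0] == "emergency":
            if not any(k == "report" and p == atom[1] for (k, _, p) in facts):
                return False
    return True

def explanations(event, facts):
    """Minimal sets of abduced atoms that explain the event consistently."""
    cands, found = abducibles(event), []
    for k in range(1, len(cands) + 1):
        for hyp in map(set, combinations(cands, k)):
            if (explains(event, hyp) and consistent(hyp, facts)
                    and not any(h <= hyp for h in found)):
                found.append(hyp)
    return found

def audit(log, facts):
    """Map each logged event to its explanations, or flag a violation."""
    return {ev: explanations(ev, facts) or "VIOLATION" for ev in log}
```

Running `audit(LOG, FACTS)` explains alice's access by an assignment, carol's by an emergency backed by her report, and flags bob's access, for which no consistent hypothesis exists.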