A Distributed Intrusion Detection Approach for Secure Software Architecture

  • Paola Inverardi
  • Leonardo Mostarda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3527)


This paper illustrates an approach to add security policies to a component-based system. We consider black-box-components-based applications, where each component can run concurrently in a different domain. The problem we want to face is to detect at run time that a component might start interacting with the other components in an anomalous way trying to subvert the application. This problem cannot be identified statically because we must take into account the fact that a component can be modified for malicious purposes at run time once deployed. We propose a specification-based approach to detect intrusions at architectural level. The approach is decentralized, that is given a global policy for the whole system, i.e. a set of admissible behaviors, we automatically generate a monitoring filter for each component that looks at local information of interest. Filters then suitably communicate in order to carry on cooperatively the validation of the global policy. With respect to centralized monitors, this approach increases performance, security and reliability and allows the supervision of complex applications where no centralized point of information flow exists or can be introduced.


False Alarm Rate Intrusion Detection Security Policy Intrusion Detection System Enforcement Mechanism 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Eckmann, S.T., Vigna, G., Kemmer, R.A.: Statl: An attack language for state-based intrusion detection. Journal of Computer Security 10, 71–104 (2002)Google Scholar
  2. 2.
    Javitz, H.S., Valdes, A.: The nides statistical component description and justification. Technical report - Columbia University (1994)Google Scholar
  3. 3.
    Vaccaro, H., Liepins, G.: Detection of anomalous computer session activity. In: Proc. of the 1989 Synopsium on Security and privacy, pp. 280–289 (1989)Google Scholar
  4. 4.
    Stillerman, M., Marceau, C., Stillman, M.: Intrusion detection for distributed applications. Communications of the ACM (1999)Google Scholar
  5. 5.
    Ko, C., Ruschitza, M., Levitt, K.: Execution monitoring of security-critical programs in distribute system: A specification-based approach. IEEE, Los Alamitos (1997)Google Scholar
  6. 6.
    Aucsmith, D.: Tamper resistant software: An implementation. LNCS. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Vigna, G., Kemmer, R.A.: Netstat: A network-based intrusion detection system. In: Proc. of the 14th Annual Computer Security Applications Conf. (1998)Google Scholar
  8. 8.
    Porras, P.A., Neumann, P.G.: Event monitoring enabling responses to anomolous live disturbances. In: Proc. of 20th NIS Security Conference (1997)Google Scholar
  9. 9.
    Snapp, S.R., Dias, J.B.G.V., Goan, T., Heberlein, L.T., Ho, C., Levitt, K.N., Mukherjee, B., Smaha, S.E., Grance, T., Teal, D.M., Mansur, D.: Dids (distributed intrusion detection system) - motivation architecture and early prototype. In: Proc. 14th National Security Conference, vol. 1, pp. 361–370 (1996)Google Scholar
  10. 10.
    White, G.B., Fisch, E.A., Pooch, U.W.: Cooperating security managers: A peer-based intrusion detectionn system. IEEE Network, 20–30 (1996)Google Scholar
  11. 11.
    Sen, K., Vardhan, A., Agha, G., Rosu, G.: Effecient decentralized monitoring of safety in distributed system. In: ICSE (2004)Google Scholar
  12. 12.
    Dulay, N., Lupu, E., Sloman, M., Damianou, N.: A policy deployment model for the ponder language. In: IM 2001, Seattle. IEEE Press, Los Alamitos (2001)Google Scholar
  13. 13.
    Schneider, F.B.: Enforceable security policies. ACM Trans. on Information and System Security 3, 30–50 (2000)CrossRefGoogle Scholar
  14. 14.
    Lamport, L.: Time, clocks, and the ordering of events in a distributed system. Communications of the ACM 21, 558–565 (1978)zbMATHCrossRefGoogle Scholar
  15. 15.
    Mostarda, L., Inverardi, P.: Distributed detection system for secure software architectures (desert) - a peer-to-peer tool for intrusion detection (2004),
  16. 16.
    Mostarda, L., Inverardi, P.: A distributed intrusion detection approach for secure software architecture - extended version. Technical report (2005),
  17. 17.
    Inverardi, P., Mostarda, L., Tivoli, M., Autili, M.: Automatic synthesis of distributed adaptors for component-based system. Submitted for publication (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Paola Inverardi
    • 1
  • Leonardo Mostarda
    • 1
  1. 1.Dip. di InformaticaUniversità di L’Aquila, CoppitoL’AquilaItaly

Personalised recommendations