A Temporal Logic Based Framework for Intrusion Detection

  • Prasad Naldurg
  • Koushik Sen
  • Prasanna Thati
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3235)


We propose a framework for intrusion detection that is based on runtime monitoring of temporal logic specifications. We specify intrusion patterns as formulas in an expressively rich and efficiently monitorable logic called Eagle. Eagle supports data-values and parameterized recursive equations, and allows us to succinctly express security attacks with complex temporal event patterns, as well as attacks whose signatures are inherently statistical in nature. We use an online monitoring algorithm that matches specifications of the absence of an attack, with system execution traces, and raises an alarm whenever the specification is violated. We present our implementation of this approach in a prototype tool, called Monid and report our results obtained by applying it to detect a variety of security attacks in log-files provided by DARPA.


Intrusion detection security temporal logic runtime monitoring 


  1. 1.
    Anderson, D., Frivold, T., Valdes, A.: Next-generation intrusion detection expert system. Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International, Menlo Park, CA (May 1995)Google Scholar
  2. 2.
    Axelsson, S.: Intrusion detection systems: A taxonomy and survey. Technical Report 99–15, Dept. of Computer Engineering, Chalmers University of Technology, Sweden (2000)Google Scholar
  3. 3.
    Barringer, H., Goldberg, A., Havelund, K., Sen, K.: Program monitoring with ltl in eagle. In: Workshop on Parallel and Distributed Systems: Testing and Debugging (PADTAD 2004) (Satellite workshop of IPDPS 2004), Santa Fe, New Mexico, USA (April 2004) (to appear)Google Scholar
  4. 4.
    Barringer, H., Goldberg, A., Havelund, K., Sen, K.: Rule-based runtime verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 44–57. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. MIT Press, Cambridge (1999)Google Scholar
  6. 6.
    Debar, H., Becker, M., Siboni, D.: A neural network component for an intrusion detection system. In: IEEE Computer Society Symposium on Research on Security and Privacy, May 1992, pp. 240–250 (1992)Google Scholar
  7. 7.
    Debar, H., Dacier, M., Wespi, A.: Towards a taxonomy of intrusion detection systems. Computer Networks 31(8), 805–822 (1999)CrossRefGoogle Scholar
  8. 8.
    Havelund, K., Roşu, G.: Monitoring Java Programs with Java PathExplorer. In: Proceedings of Runtime Verification (RV 2001). ENTCS, vol. 55, Elsevier, Amsterdam (2001)Google Scholar
  9. 9.
    Ignizio, J.P.: Introduction to Expert Systems-the Development and Implementation of Rule-Based Expert System. McGraw-Hill Science, New York (1991)Google Scholar
  10. 10.
    Ilgun, K., Kemmerer, R., Porras, P.: State transition analysis: A rulebased intrusion detection approach. IEEE Transactions on Software Engineering 21(3), 181–199 (1995)CrossRefGoogle Scholar
  11. 11.
    Ko, C., Ruschitzka, M., Levitt, K.: Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In: IEEE Symposium on Security and Privacy, May 1997, pp. 175–187 (1997)Google Scholar
  12. 12.
    Kumar, S., Spafford, E.: A pattern matching model for misuse intrusion detection. In: National Computer Security Conference, pp. 11–21 (1994)Google Scholar
  13. 13.
    MIT Lincoln Laboratory. DARPA intrusion detection evaluation,
  14. 14.
    Lee, W.: A datamining framework for building intrusion detection models. In: IEEE Symposium on Security and Privacy, May 1999, pp. 120–132 (1999)Google Scholar
  15. 15.
    Porras, P., Neumann, P.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: National Information Systems Security Conference (1997)Google Scholar
  16. 16.
    Roger, M., Goubault-Larrecq, J.: Log auditing through model-checking. In: 14th IEEE Computer Security Foundations Workshop (CSFW 2001), IEEE, Los Alamitos (2001)Google Scholar
  17. 17.
    Sebring, M., Shellhouse, E., Hanna, M., Whitehurst, R.: Expert systems in intrusion detection: A case study. In: National Computer Security Conference, pp. 74–81 (1998)Google Scholar
  18. 18.
    Sen, K., Roşu, G., Agha, G.: Runtime Safety Analysis of Multithreaded Programs. In: 9th European Software Engineering Conference and 11th ACM SIGSOFT International Symposium on the Foundations of Software Engineering (ESEC/FSE’03), Helsinki, Finland, September 2003, pp. 337–346. ACM, New York (2003)Google Scholar
  19. 19.
    Sen, K., Roşu, G., Agha, G.: Online efficient predictive safety analysis of multithreaded programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 123–138. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Sen, K., Vardhan, A., Agha, G., Roşu, G.: Efficient decentralized monitoring of safety in distributed systems. In: Proceedings of 26th International Conference on Software Engineering (ICSE 2004), Edinburgh, UK, May 2004, pp. 418–427. IEEE, Los Alamitos (2004)CrossRefGoogle Scholar
  21. 21.
    Teng, H., Chen, K., Lu, S.: Security audit trail analysis using inductively generated predictive rules. In: Conference on Artificial Intelligence Applications, March 1990, pp. 24–29. IEEE Computer Society Press, Los Alamitos (1990)CrossRefGoogle Scholar
  22. 22.
    Wagner, D., Dean, D.: Intrusion detection via static analysis. In: IEEE Symposium on Security and Privacy (2001)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2004

Authors and Affiliations

  • Prasad Naldurg
    • 1
  • Koushik Sen
    • 1
  • Prasanna Thati
    • 1
  1. 1.Department of Computer ScienceUniversity of Illinois at Urbana-ChampaignUrbanaUSA

Personalised recommendations