Formal Specification for Fast Automatic IDS Training

  • Conference paper
  • Formal Aspects of Security (FASec 2002)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2629)

Abstract

This paper illustrates a methodology for synthesizing the behavior of an application program in terms of the set of system calls the program invokes. The methodology is completely automated, with the exception of the high-level specification of the application program, which is left to the system analyst. The technology employed for the synthesis (VSP/CVS) minimizes the effort required to code the specification of the application. The methodology is completely independent of the intrusion detection tool adopted, and appears suitable for deriving the expected behavior of a secure web server that can effectively support the increasing demand for security in e-commerce. As a case study, the methodology is applied to the ipop3d daemon, an implementation of the Post Office Protocol.

The authors were partially supported by the project Web-MiNDS and by the Italian MIUR under the FIRB program.
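As an added illustration of the idea in the abstract (this is not code from the paper and does not reproduce the VSP/CVS synthesis), a toy Python model turns a high-level POP3 description, with constructed per-command system-call sets, into an expected-behavior profile and then checks a constructed session trace against it the way a system-call IDS would. The state names follow RFC 1939; the syscall sets, the trace and the function names are assumptions made for this example.

```python
"""Added toy model, not the paper's VSP/CVS code: derive the expected
system-call behaviour of a POP3 server from a high-level protocol description
and check a session trace against it. Syscall sets and trace are constructed."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Subset of the POP3 states of RFC 1939 and the commands legal in each.
POP3_COMMANDS: Dict[str, FrozenSet[str]] = {
    "AUTHORIZATION": frozenset({"USER", "PASS", "QUIT"}),
    "TRANSACTION": frozenset({"STAT", "RETR", "DELE", "QUIT"}),
}
# Commands whose completion moves the session to a new state.
TRANSITIONS = {("AUTHORIZATION", "PASS"): "TRANSACTION",
               ("TRANSACTION", "QUIT"): "UPDATE"}
# Hypothetical high-level spec (constructed, not measured from ipop3d):
# the system calls each command handler is expected to invoke.
COMMAND_SYSCALLS: Dict[str, FrozenSet[str]] = {
    "USER": frozenset({"read", "write"}),
    "PASS": frozenset({"read", "write", "open", "close", "setuid"}),
    "STAT": frozenset({"read", "write", "fstat"}),
    "RETR": frozenset({"read", "write", "open", "lseek", "close"}),
    "DELE": frozenset({"read", "write"}),
    "QUIT": frozenset({"read", "write", "unlink", "close", "exit_group"}),
}
Profile = Dict[Tuple[str, str], FrozenSet[str]]

def synthesize_profile(commands=POP3_COMMANDS, syscalls=COMMAND_SYSCALLS) -> Profile:
    """Expected syscalls for every (state, command) pair the protocol allows."""
    return {(st, c): syscalls[c] for st, cmds in commands.items() for c in cmds}

def check_session(trace: List[Tuple[str, str]], profile: Optional[Profile] = None) -> List[str]:
    """Replay a session of ("cmd", name) / ("sys", name) events, tracking the
    POP3 state from the commands seen, and report anything off-profile."""
    profile = profile or synthesize_profile()
    state, current, alerts = "AUTHORIZATION", "", []
    for kind, name in trace:
        if kind == "cmd":  # previous handler finished: apply its state change
            state = TRANSITIONS.get((state, current), state)
            current = name
            if (state, name) not in profile:
                alerts.append(f"command {name} not legal in {state}")
        elif name not in profile.get((state, current), frozenset()):
            alerts.append(f"syscall {name} unexpected while handling {current} in {state}")
    return alerts

# Constructed trace: a normal login, then a RETR handler that spawns a process.
SAMPLE_TRACE = [
    ("cmd", "USER"), ("sys", "read"), ("sys", "write"),
    ("cmd", "PASS"), ("sys", "open"), ("sys", "setuid"), ("sys", "write"),
    ("cmd", "RETR"), ("sys", "open"), ("sys", "read"), ("sys", "execve"),
]
```

Because the profile is keyed by (state, command), a call that is legitimate for one handler (open during RETR) is still flagged when it appears where the specification never allows it, which is the kind of precision a synthesized profile buys over a flat per-program syscall set.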

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Durante, A., Di Pietro, R., Mancini, L.V. (2003). Formal Specification for Fast Automatic IDS Training. In: Abdallah, A.E., Ryan, P., Schneider, S. (eds) Formal Aspects of Security. FASec 2002. Lecture Notes in Computer Science, vol 2629. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-40981-6_16

  • DOI: https://doi.org/10.1007/978-3-540-40981-6_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20693-4

  • Online ISBN: 978-3-540-40981-6
