Abstract
Temporal logic has the potential to become a powerful mechanism for both modeling and detection of attack signatures. But, although recently some very expressive attack representations and on-line monitoring tools have been proposed, such tools still suffer from a lack of sufficiently precise detection mechanisms. In particular, they can report only the existence of an attack instance and cannot locate precisely its occurrence in a monitored event stream. Precise location is a key to enabling proper verification and identification of an attack. In this paper, we propose a formal framework for multi-event attack signature detection, based on Interval Temporal Logic. Our framework formalizes the problem of finding the localizations of a number types of attack signature occurrences: the first, all, k-insertion and the shortest one. In our approach, we use the existing run-time monitoring mechanism developed for the EAGLE specification, and extend it by special rules to enable such localization tasks. Our approach works on-line, and our initial results demonstrate the effectiveness and efficiency of the proposed approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Barringer, H., Goldberg, K., Havelund, K., Sen, K.: Rule-based Runtime Verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, Springer, Heidelberg (2004)
Couture, M., Ktari, B., Mejri, M., Massicotte, F.: A Declarative Approach to Stateful Intrusion Detection and Network Monitoring. In: Proceedings of the 2nd Annual Conference on Privacy, Security and Trust (PST) (2004)
Kumar, S., Spafford, E.: A Pattern Matching Model for Misuse Intrusion Detection. In: Proceedings of the 17th National Computer Security Conference (1994)
Kumar, S., Spafford, E.: An Application of Pattern Matching in Intrusion Detection. Purdue Technical Report CSD-TR-94-013 (1994)
Kumar, S.: Classification and Detection of Computer Intrusions. PhD Thesis, Purdue University (1995)
Kuri, J., Navarro, G., Me, L.: Fast Multipattern Search Algorithms for Intrusion Detection. Fundamenta Informaticae, Special Issue on Computing Patterns in Strings 56(1/2) (2003)
Lin, J.L., Wang, X.S., Jajodia, S.: Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies. In: Proceedings of the 11th Computer Security Foundation Workshop. IEEE Computer Society Press, Los Alamitos (1998)
Me, L.: A Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis. In: Proceedings of the 1st International workshop on the Recent Advances in Intrusion Detection (RAID) (1998)
Moszkowski, B.: Executing Temporal Logic Programs. Cambridge University Press, Cambridge, England (1986)
Moszkowski, B.: A Hierarchical Completeness Proof for Propositional Interval Temporal Logic with Finite Time. Special Issue of a Journal of Applied Non-Classical Logics on Interval Temporal Logics and Duration Calculi 14(1–2) (2004)
Moszkowski, B.: A Hierarchical Analysis of Propositional Temporal Logic based on Intervals. Journal of Logic and Computation (2006)
Naldurg, P., Sen, K., Thati, P. A Temporal Logic Based Framework for Intrusion Detection. In: de Frutos-Escrig, D., Núñez, M. (eds.) FORTE 2004. LNCS, vol. 3235, Springer, Heidelberg (2004)
Nowicka, E., Zawada, M.: Modeling Temporal Properties of Multievent Attack Signatures in Interval Temporal Logic. In: Proceedings of the IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006) Tuebingen, Germany (2006), available at http://www.diadem-firewall.org/workshop06/papers/monam06-paper-37.pdf
Olivain, J., Goubault-Larrecq, J.: The Orchids Intrusion Detection Tool. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, Springer, Heidelberg (2005)
Ouyang, M.-G., Pan, F., Zhangy, Y.T.: ISITL — Intrusion Signatures in Augmented Interval Temporal Logic. In: Proceedings of the 2nd International Conference on Machine Learning and Cybernetics (2003)
Roger, M., Goubault-Larrecq, J.: Log Auditing Through Model Checking. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop, IEEE Computer Society Press, Los Alamitos (2001)
Totel, E., Vivinis, B., Me, L.: A Language Driven Intrusion Detection System for Events and Alerts Correlation. In: Proceedings of the 19th IFIP International Information Security Conference, Kluwer Academic Publishers, Dordrecht (2004)
Uppuluri, P., Sekar, R.: Experiences with Specification Based Intrusion Detection System. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, Springer, Heidelberg (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nowicka, E., Zawada, M. (2007). An Interval Temporal Logic-Based Matching Framework for Finding Occurrences of Multi-event Attack Signatures. In: Gorodetsky, V., Kotenko, I., Skormin, V.A. (eds) Computer Network Security. MMM-ACNS 2007. Communications in Computer and Information Science, vol 1. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73986-9_24
Download citation
DOI: https://doi.org/10.1007/978-3-540-73986-9_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73985-2
Online ISBN: 978-3-540-73986-9
eBook Packages: Computer ScienceComputer Science (R0)