An Interval Temporal Logic-Based Matching Framework for Finding Occurrences of Multi-event Attack Signatures

  • Conference paper
Computer Network Security (MMM-ACNS 2007)

Abstract

Temporal logic has the potential to become a powerful mechanism for both modeling and detecting attack signatures. Although some very expressive attack representations and on-line monitoring tools have recently been proposed, such tools still lack sufficiently precise detection mechanisms: they can report only that an attack instance exists, not where in the monitored event stream it occurs. Precise localization is key to proper verification and identification of an attack. In this paper, we propose a formal framework for multi-event attack signature detection based on Interval Temporal Logic. The framework formalizes the problem of finding the localizations of several types of attack signature occurrence: the first occurrence, all occurrences, k-insertion occurrences and the shortest occurrence. We reuse the existing run-time monitoring mechanism developed for EAGLE specifications and extend it with special rules that enable these localization tasks. The approach works on-line, and our initial results demonstrate its effectiveness and efficiency.
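The abstract distinguishes four localization tasks over an event stream: the first occurrence of a signature, all occurrences, k-insertion occurrences and the shortest occurrence. The following is an added example, not code from the paper and not an implementation of its ITL/EAGLE monitor: a brute-force matcher that makes the four tasks concrete. It assumes a signature is an ordered list of event kinds, that an occurrence is a stream interval whose first and last events match the signature's first and last symbols and in which the remaining symbols embed in order, and that "k-insertion" means at most k unrelated events interleaved inside that interval. The event stream, the `Event` type and the signature are constructed for the example.

```python
"""Toy localization of multi-event attack signatures in an event stream (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Interval = Tuple[int, int]  # inclusive (start, end) indices into the stream


@dataclass(frozen=True)
class Event:
    t: int       # timestamp (constructed: 10 * stream index)
    kind: str    # event type, the symbol the signature matches on
    user: str    # carried along so a located occurrence can be reported with context


# Constructed sample stream: two failed logins followed by a sudo, with unrelated
# file reads interleaved as noise. Not real log data.
SAMPLE_STREAM: List[Event] = [
    Event(0, "login_fail", "alice"),
    Event(10, "login_fail", "alice"),
    Event(20, "read_file", "bob"),
    Event(30, "login_fail", "alice"),
    Event(40, "sudo", "alice"),
    Event(50, "read_file", "bob"),
    Event(60, "login_fail", "alice"),
    Event(70, "sudo", "alice"),
]

# Constructed three-event signature: two failed logins then a privilege change.
SIGNATURE: List[str] = ["login_fail", "login_fail", "sudo"]


def matches(event: Event, symbol: str) -> bool:
    return event.kind == symbol


def embeds(window: Sequence[Event], signature: Sequence[str]) -> bool:
    """True if `signature` embeds in `window` in order, with its first and last
    symbols anchored exactly at the window's first and last events."""
    if not window or not signature or len(window) < len(signature):
        return False
    if not matches(window[0], signature[0]) or not matches(window[-1], signature[-1]):
        return False
    if len(signature) == 1:
        return len(window) == 1
    # Greedy subsequence check for the middle symbols; greedy is sufficient
    # for subsequence existence.
    it = iter(window[1:-1])
    for sym in signature[1:-1]:
        for ev in it:
            if matches(ev, sym):
                break
        else:
            return False
    return True


def k_insertion_occurrences(stream: Sequence[Event], signature: Sequence[str], k: int) -> List[Interval]:
    """All intervals in which the signature occurs with at most k inserted noise events.
    Interval length is bounded by len(signature) + k, so the search is O(n * k) windows."""
    n, m = len(stream), len(signature)
    found: List[Interval] = []
    for start in range(n):
        for end in range(start + m - 1, min(n, start + m + k)):
            if embeds(stream[start:end + 1], signature):
                found.append((start, end))
    return found


def all_occurrences(stream: Sequence[Event], signature: Sequence[str]) -> List[Interval]:
    """Every occurrence, with no bound on inserted events."""
    return k_insertion_occurrences(stream, signature, len(stream))


def first_occurrence(occurrences: Sequence[Interval]) -> Optional[Interval]:
    """Earliest-starting occurrence (ties broken by earliest end)."""
    return min(occurrences) if occurrences else None


def shortest_occurrence(occurrences: Sequence[Interval]) -> Optional[Interval]:
    """Occurrence spanning the fewest events (ties broken by earliest start)."""
    return min(occurrences, key=lambda o: (o[1] - o[0], o[0])) if occurrences else None


def locate(stream: Sequence[Event], occurrence: Interval) -> Tuple[int, int]:
    """Translate an index interval into the timestamps an analyst would verify against."""
    start, end = occurrence
    return stream[start].t, stream[end].t


if __name__ == "__main__":
    every = all_occurrences(SAMPLE_STREAM, SIGNATURE)
    print("contiguous (k=0):", k_insertion_occurrences(SAMPLE_STREAM, SIGNATURE, 0))
    print("k=2:", k_insertion_occurrences(SAMPLE_STREAM, SIGNATURE, 2))
    print("all:", every)
    print("first:", locate(SAMPLE_STREAM, first_occurrence(every)))
    print("shortest:", locate(SAMPLE_STREAM, shortest_occurrence(every)))
```

On the sample stream the contiguous match (k=0) finds nothing because a noise event always separates the second failed login from the sudo, while k=1 already locates the interval covering events 1 to 4; the shortest occurrence and the first occurrence differ, which is the practical reason the paper separates these tasks. The brute-force window scan is only for illustration; the point of the paper's approach is that the same localizations are computed on-line by the monitor rather than by re-scanning a stored stream.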


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nowicka, E., Zawada, M. (2007). An Interval Temporal Logic-Based Matching Framework for Finding Occurrences of Multi-event Attack Signatures. In: Gorodetsky, V., Kotenko, I., Skormin, V.A. (eds) Computer Network Security. MMM-ACNS 2007. Communications in Computer and Information Science, vol 1. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73986-9_24

  • DOI: https://doi.org/10.1007/978-3-540-73986-9_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73985-2

  • Online ISBN: 978-3-540-73986-9