An Interval Temporal Logic-Based Matching Framework for Finding Occurrences of Multi-event Attack Signatures

  • Elzbieta Nowicka
  • Marcin Zawada
Part of the Communications in Computer and Information Science book series (CCIS, volume 1)


Temporal logic has the potential to become a powerful mechanism for both modeling and detection of attack signatures. But, although recently some very expressive attack representations and on-line monitoring tools have been proposed, such tools still suffer from a lack of sufficiently precise detection mechanisms. In particular, they can report only the existence of an attack instance and cannot locate precisely its occurrence in a monitored event stream. Precise location is a key to enabling proper verification and identification of an attack. In this paper, we propose a formal framework for multi-event attack signature detection, based on Interval Temporal Logic. Our framework formalizes the problem of finding the localizations of a number types of attack signature occurrences: the first, all, k-insertion and the shortest one. In our approach, we use the existing run-time monitoring mechanism developed for the EAGLE specification, and extend it by special rules to enable such localization tasks. Our approach works on-line, and our initial results demonstrate the effectiveness and efficiency of the proposed approach.


Intrusion detection attack signatures interval temporal logic approximate pattern matching 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barringer, H., Goldberg, K., Havelund, K., Sen, K.: Rule-based Runtime Verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Couture, M., Ktari, B., Mejri, M., Massicotte, F.: A Declarative Approach to Stateful Intrusion Detection and Network Monitoring. In: Proceedings of the 2nd Annual Conference on Privacy, Security and Trust (PST) (2004)Google Scholar
  3. 3.
    Kumar, S., Spafford, E.: A Pattern Matching Model for Misuse Intrusion Detection. In: Proceedings of the 17th National Computer Security Conference (1994)Google Scholar
  4. 4.
    Kumar, S., Spafford, E.: An Application of Pattern Matching in Intrusion Detection. Purdue Technical Report CSD-TR-94-013 (1994)Google Scholar
  5. 5.
    Kumar, S.: Classification and Detection of Computer Intrusions. PhD Thesis, Purdue University (1995)Google Scholar
  6. 6.
    Kuri, J., Navarro, G., Me, L.: Fast Multipattern Search Algorithms for Intrusion Detection. Fundamenta Informaticae, Special Issue on Computing Patterns in Strings 56(1/2) (2003)Google Scholar
  7. 7.
    Lin, J.L., Wang, X.S., Jajodia, S.: Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies. In: Proceedings of the 11th Computer Security Foundation Workshop. IEEE Computer Society Press, Los Alamitos (1998)Google Scholar
  8. 8.
    Me, L.: A Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis. In: Proceedings of the 1st International workshop on the Recent Advances in Intrusion Detection (RAID) (1998)Google Scholar
  9. 9.
    Moszkowski, B.: Executing Temporal Logic Programs. Cambridge University Press, Cambridge, England (1986)Google Scholar
  10. 10.
    Moszkowski, B.: A Hierarchical Completeness Proof for Propositional Interval Temporal Logic with Finite Time. Special Issue of a Journal of Applied Non-Classical Logics on Interval Temporal Logics and Duration Calculi 14(1–2) (2004)Google Scholar
  11. 11.
    Moszkowski, B.: A Hierarchical Analysis of Propositional Temporal Logic based on Intervals. Journal of Logic and Computation (2006)Google Scholar
  12. 12.
    Naldurg, P., Sen, K., Thati, P. A Temporal Logic Based Framework for Intrusion Detection. In: de Frutos-Escrig, D., Núñez, M. (eds.) FORTE 2004. LNCS, vol. 3235, Springer, Heidelberg (2004)Google Scholar
  13. 13.
    Nowicka, E., Zawada, M.: Modeling Temporal Properties of Multievent Attack Signatures in Interval Temporal Logic. In: Proceedings of the IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006) Tuebingen, Germany (2006), available at
  14. 14.
    Olivain, J., Goubault-Larrecq, J.: The Orchids Intrusion Detection Tool. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, Springer, Heidelberg (2005)Google Scholar
  15. 15.
    Ouyang, M.-G., Pan, F., Zhangy, Y.T.: ISITL — Intrusion Signatures in Augmented Interval Temporal Logic. In: Proceedings of the 2nd International Conference on Machine Learning and Cybernetics (2003)Google Scholar
  16. 16.
    Roger, M., Goubault-Larrecq, J.: Log Auditing Through Model Checking. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop, IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  17. 17.
    Totel, E., Vivinis, B., Me, L.: A Language Driven Intrusion Detection System for Events and Alerts Correlation. In: Proceedings of the 19th IFIP International Information Security Conference, Kluwer Academic Publishers, Dordrecht (2004)Google Scholar
  18. 18.
    Uppuluri, P., Sekar, R.: Experiences with Specification Based Intrusion Detection System. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, Springer, Heidelberg (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Elzbieta Nowicka
    • 1
  • Marcin Zawada
    • 2
  1. 1.Chair of Computer Systems and NetworksWroclaw University of TechnologyWroclawPoland
  2. 2.Institute of Mathematics and Computer ScienceWroclaw University of TechnologyWroclawPoland

Personalised recommendations