Identifying Modeling Errors in Signatures by Model Checking

Schmerl, Sebastian; Vogel, Michael; König, Hartmut

doi:10.1007/978-3-642-02652-2_18

Sebastian Schmerl¹⁷,
Michael Vogel¹⁷ &
Hartmut König¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 5578))

Included in the following conference series:

International SPIN Workshop on Model Checking of Software

388 Accesses
1 Citations

Abstract

Most intrusion detection systems deployed today apply misuse detection as analysis method. Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures. The definition of signatures is up to now an empirical process based on expert knowledge and experience. The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures. Methods for a systematic development of signatures have scarcely been reported yet, so the modeling of a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this. Signature testing is still a rather empirical and time-consuming pro cess to detect modeling errors. In this paper we present the first approach for verifying signature specifications using the Spin model checker. The signatures are modeled in the specification language EDL which leans on colored Petri nets. We show how the signature specification is transformed into a Promela model and how characteristic specification errors can be found by Spin.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Meier, M.: A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 158–169. Springer, Heidelberg (2004)
Chapter Google Scholar
Meier, M., Schmerl, S.: Improving the Efficiency of Misuse Detection. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 188–205. Springer, Heidelberg (2005)
Chapter Google Scholar
Vigna, G., Eckmann, S.T., Kemmerer, R.A.: The STAT Tool Suite. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) 2000, vol. 2, pp. 46–55. IEEE Computer Society Press, Hilton Head (2000)
Google Scholar
Schmerl, S., König, H.: Towards Systematic Signature Testing. In: Petrenko, A., Veanes, M., Tretmans, J., Grieskamp, W. (eds.) TestCom/FATES 2007. LNCS, vol. 4581, pp. 276–291. Springer, Heidelberg (2007)
Chapter Google Scholar
Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security 10(1/2), 71–104 (2002)
Article Google Scholar
Paxson, V.: Bro - A System for Detecting Network Intruders in Real-Time. Computer Networks 31, 23–24 (1999)
Article Google Scholar
Kumar S.: Classification and Detection of Computer Intrusions. PhD Thesis, Department of Computer Science, Purdue University, West Lafayette, IN, USA (August 1995)
Google Scholar
Ranum, M.J.: Challenges for the Future of Intrusion Detection. In: 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Zürich (2002) (invited Talk)
Google Scholar
Finite domain solver: http://www.gprolog.org/manual/html_node/index.html
GNU PROLOG: http://www.gprolog.org/manual/html_node/index.html
Holzmann, J.G.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley Professional, Reading (2003)
Google Scholar
Nanda, S., Chiueh, T.: Execution Trace-Driven Automated Attack Signature Generation. In: Proceedings of 24th Annual Computer Security Applications Conference (AC-SAC), Anaheim, CA, USA, pp. 195–204. IEEE Computer Society, Los Alamitos (2008)
Google Scholar
Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: Proceedings of 12th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA (November 2005)
Google Scholar

Download references

Author information

Authors and Affiliations

Computer Science Department, Brandenburg University of Technology Cottbus, P.O. Box 10 13 44, 03013, Cottbus, Germany
Sebastian Schmerl, Michael Vogel & Hartmut König

Authors

Sebastian Schmerl
View author publications
You can also search for this author in PubMed Google Scholar
Michael Vogel
View author publications
You can also search for this author in PubMed Google Scholar
Hartmut König
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Space Science Division, NASA Ames Research Center, Mail Stop 269-2, 94035, Moffett Field, CA, USA
Corina S. Păsăreanu

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Schmerl, S., Vogel, M., König, H. (2009). Identifying Modeling Errors in Signatures by Model Checking. In: Păsăreanu, C.S. (eds) Model Checking Software. SPIN 2009. Lecture Notes in Computer Science, vol 5578. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02652-2_18

Download citation

DOI: https://doi.org/10.1007/978-3-642-02652-2_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02651-5
Online ISBN: 978-3-642-02652-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics