From Declarative Signatures to Misuse IDS

Pouzol, Jean-Philippe; Ducasé, Mireille

doi:10.1007/3-540-45474-8_1

Jean-Philippe Pouzol⁷ &
Mireille Ducasé⁷

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2212))

Included in the following conference series:

International Workshop on Recent Advances in Intrusion Detection

669 Accesses
12 Citations

Abstract

In many existing misuse intrusion detection systems, intrusion signatures are very close to the detection algorithms. As a consequence, they contain too many cumbersome details. Recent work have proposed declarative signature languages that raise the level of abstraction when writing signatures. However, these languages do not always come with operational support. In this article, we show how to transform such declarative signatures into operational ones. This process points out several technical details which must be considered with care when performing the translation by hand, but which can be systematically handled.

A signature specification language named Sutekh is proposed. Its declarative semantics is precisely described. To produce rules for existing rule-based IDS from Sutekh signatures, an algorithm, based on the construction of a state-transition diagram, is given.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

S. Axelsson. Intrusion Detection Systems: A Survey and Taxonomy. Technical Report 99-15, Depart. of Computer Engineering, Chalmers University, march 2000.
Google Scholar
CERT Coordination Center. Advisory CA-1996-16-Vulnerabilities in Solaris admintool. http://www.cert.org/advisories/CA-1996-16.html.
S. C. Chakravarthy, V. Krishnaprasad, E. Anwar, and S.-K. Kim. Composite Events for Active Databases: Semantics, Contexts and Detection. In Proc. of the 20th International Conference on Very Large DataBases (VLDB94), 1994.
Google Scholar
F. Cuppens and R. Ortalo. LAMBDA: A Language to Model a Database for Detection of Attacks. In Proc. of RAID’00, LNCS vol. 1907, Springer, 2000.
Google Scholar
S. T. Eckmann, G. Vigna, and R. A. Kemmerer. STATL: An Attack Language for State-based Intrusion Detection. In Proc. of ACM Workshop on Intrusion Detection, Athens, Greece, Nov 2000.
Google Scholar
F. Gérard. Définition et implémentation d’un langage d’analyse d’audit trails. Faculté Universitaire Notre-Dame de la Paix, Namur, Belgium-http://www.info.fundp.ac.be/~amo/publications.html, 1998.
Google Scholar
N. Habra, B. Le Charlier, A. Mounji, and I. Mathieu. ASAX: Software Architecture and Rule-based Language for Universal Audit Trail Analysis. In Proc. of (ESORICS)’92. Springer-Verlag, 1992.
Google Scholar
K. Ilgun and A. Kemmerer ans P. A. Porras. State Transition Analysis: A Rule-Based Intrusion Detection Approach. IEEE Transactions on Software Engineering, 21(3):181–199, march 1995.
Article Google Scholar
S. Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue University, West Lafayette, 1995.
Google Scholar
S. Kumar and E. H. Spafford. A Pattern Matching Model for Misuse Intrusion Detection. In Proc. of the 17th National Computer Security Conference, 1994.
Google Scholar
J.-L. Lin and X. SeanWang amd S. Jajodia. Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies. In Proc. of the 11th Computer Security Foundations Workshop. IEEE Computer Society Press, 1998.
Google Scholar
U. Lindqvist and P. A. Porras. Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST). In Proc. of the IEEE Symposium on Security and Privacy, 1999.
Google Scholar
C. Michel and L. Mé. ADeLe: an Attack Description Language for Knowledgebased Intrusion Detection. In Proc. of the 16th International Conference on Information Security, 2001.
Google Scholar
A. Mounji. Languages and Tools for Rule-Based Distributed Intrusion Detection. PhD thesis, Facultés Notre-Dame de la Paix-Namur (Belgium), 1997.
Google Scholar
P. G. Neumann and P. A. Porras. Experience with Emerald to Date. In Proc. of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, 1999.
Google Scholar
Sun MicroSystem. SunSHIELD Basic Security Module Guide, Feb 2000. Part Number 806-1789-10.
Google Scholar

Download references

Author information

Authors and Affiliations

IRISA/INSA de Rennes - Campus Universitaire de Beaulieu, 35042, Rennes Cedex, France
Jean-Philippe Pouzol & Mireille Ducasé

Authors

Jean-Philippe Pouzol
View author publications
You can also search for this author in PubMed Google Scholar
Mireille Ducasé
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Georgia Institute of Technology, College of Computing, 801 Atlantic Drive, Atlanta, Georgia, 30332-0280, USA
Wenke Lee
SUPELEC, BP 28, 35511, Cesson Sevigne Cedex, France
Ludovic Mé
IBM Research, Zurich Research Laboratory, Säumerstr. 4, 8803, Rüschlikon, Switzerland
Andreas Wespi

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Pouzol, JP., Ducasé, M. (2001). From Declarative Signatures to Misuse IDS. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_1

Download citation

DOI: https://doi.org/10.1007/3-540-45474-8_1
Published: 27 September 2001
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42702-5
Online ISBN: 978-3-540-45474-8
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics