Abstract
We introduce Lola 2.0, a stream-based specification language for the precise description of complex security properties in network traffic. The language extends the specification language Lola with two new features: template stream expressions, which allow input data to be carried along the stream, and dynamic stream generation, where new monitors can be invoked during the monitoring process to monitor new subtasks on their own time scale. Lola 2.0 is simple and expressive: it combines the ease of use of rule-based specification languages like Snort with the expressiveness of heavyweight scripting languages or temporal logics previously needed to describe complex stateful dependencies and statistical measures. Lola 2.0 specifications are monitored by incrementally constructing output streams from input streams, while maintaining a store of partially evaluated expressions. We demonstrate the flexibility and expressivity of Lola 2.0 using a prototype implementation on several practical examples.
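As an added illustration (not the paper's prototype or its Lola 2.0 syntax) of the monitoring scheme the abstract describes, the following simplified Lola-style monitor evaluates output streams step by step from input streams and keeps expressions whose operands are not yet available (for example a reference to the next time step) in a store of partially evaluated expressions. The stream names `status`, `bad`, `bad_count` and `burst`, the `get(stream, offset, default)` lookup convention and the HTTP status trace are all constructed assumptions for this example.

```python
class Pending(Exception): pass      # operand not known yet at this time step

class StreamMonitor:
    def __init__(self, inputs, outputs):
        self.inputs, self.outputs = inputs, outputs   # outputs: name -> fn(t, get)
        self.values = {n: {} for n in [*inputs, *outputs]}
        self.store = []                 # (stream, t) expressions waiting on operands
        self.t, self.length = -1, None
    def get(self, name, offset, default, t):
        pos = t + offset
        if pos < 0 or (self.length is not None and pos >= self.length):
            return default              # outside the trace: declared default applies
        if pos in self.values[name]:
            return self.values[name][pos]
        raise Pending                   # not yet available: keep expression in store
    def _evaluate(self):
        progress = True
        while progress:                 # retry stored expressions until a fixpoint
            progress = False
            for name, t in list(self.store):
                try:
                    v = self.outputs[name](t, lambda n, o, d, t=t: self.get(n, o, d, t))
                except Pending:
                    continue
                self.values[name][t] = v
                self.store.remove((name, t))
                progress = True
    def step(self, inputs_at_t):        # one synchronous time step of input
        self.t += 1
        for n in self.inputs:
            self.values[n][self.t] = inputs_at_t[n]
        self.store += [(n, self.t) for n in self.outputs]
        self._evaluate()
    def finish(self):                   # end of trace: future references take defaults
        self.length = self.t + 1
        self._evaluate()

# Constructed spec: flag HTTP error responses, count them, spot two in a row.
SPEC = {
    "bad": lambda t, get: get("status", 0, 0) >= 400,
    "bad_count": lambda t, get: get("bad_count", -1, 0) + int(get("bad", 0, False)),
    "burst": lambda t, get: get("bad", 0, False) and get("bad", +1, False),
}

def monitor(statuses):
    m = StreamMonitor(["status"], SPEC)
    for s in statuses: m.step({"status": s})
    pending = list(m.store)             # e.g. burst at the last step waits for t+1
    m.finish()
    return m.values, pending
```

Running `monitor([200, 404, 500, 404])` leaves `burst` at the last step unresolved until the trace ends, at which point the future reference takes its default and the store empties.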
This work was partially supported by the German Research Foundation (DFG) in the Collaborative Research Center 1223 and by the Deutsche Telekom Foundation.
Notes
- 2. In Fig. 1 the extension stream of badHttpRequestInvoke is defined explicitly in the output stream. This could also have been defined separately by a declaration of another boolean output stream with the same condition.
© 2016 Springer International Publishing AG
Cite this paper
Faymonville, P., Finkbeiner, B., Schirmer, S., Torfah, H. (2016). A Stream-Based Specification Language for Network Monitoring. In: Falcone, Y., Sánchez, C. (eds) Runtime Verification. RV 2016. Lecture Notes in Computer Science(), vol 10012. Springer, Cham. https://doi.org/10.1007/978-3-319-46982-9_10
DOI: https://doi.org/10.1007/978-3-319-46982-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46981-2
Online ISBN: 978-3-319-46982-9
eBook Packages: Computer Science (R0)