Formal Reasoning About Intrusion Detection Systems

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)

Abstract

We present a formal framework for analyzing intrusion detection systems (IDSs) that employ declarative rules for attack recognition, such as specification-based intrusion detection. The approach allows reasoning about the effectiveness of an IDS. The framework is built with the theorem prover ACL2 and is used to analyze and improve the detection rules of an IDS. SHIM (System Health and Intrusion Monitoring) serves as the exemplary specification-based IDS for validating the approach. We formalized all specifications of a host-based IDS in SHIM; together with a trusted-file policy, this let us reason about the soundness and completeness of the specifications by proving that they satisfy the policy under various assumptions. These assumptions are properties of the system that the IDS does not itself check. Analysis of the assumptions shows the beneficial role of SHIM in improving the security of the system. The formal framework and analysis methodology provide a scientific basis for arguing that an IDS can detect both known and unknown attacks: one argues that the IDS detects every attack that would violate the policy.
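The abstract's central obligation is "specifications plus assumptions imply the policy", with the assumptions being system properties the IDS never checks. The following toy model, added here for this page and not taken from the paper's ACL2 development, makes that obligation concrete. Everything in it is constructed: the two-file trusted set, a single monitored setuid program `passwd`, a stand-in unmonitored program `sh`, a one-bit-per-file discretionary-access-control (DAC) state, and the assumption `assumption_dac`; SHIM's real specifications are not reproduced. Where the paper proves a theorem in ACL2 over unbounded states, this code enumerates a finite model, checks both directions (no policy violation escapes the specification, no alarm on a policy-conformant event), and then drops the assumption to exhibit the violations the IDS cannot see.

```python
"""Toy model of the paper's argument: check that an IDS's declarative
specification implies a trusted-file policy under stated assumptions, and
find the policy violations the IDS misses when an assumption is dropped.
Added example for this page; it is not the paper's ACL2 development and
SHIM's real specifications are not reproduced here."""
from dataclasses import dataclass
from itertools import product

# Constructed trusted-file set and a three-path filesystem.
TRUSTED = frozenset({"/etc/passwd", "/etc/shadow"})
PATHS = ("/etc/passwd", "/etc/shadow", "/tmp/scratch")
# passwd: setuid-root and monitored by the IDS; sh: stand-in for any
# unprivileged, unmonitored program. Both are hypothetical choices.
PROGRAMS = ("passwd", "sh")
OPS = ("read", "write")


@dataclass(frozen=True)
class SystemState:
    world_writable: frozenset  # trusted paths whose DAC mode lets any uid write


@dataclass(frozen=True)
class Event:
    program: str
    op: str
    path: str


def effective_uid(ev: Event) -> str:
    """passwd runs as root; everything else runs as the unprivileged caller."""
    return "root" if ev.program == "passwd" else "user"


def write_succeeds(state: SystemState, ev: Event) -> bool:
    """Assumed OS semantics: root may write anywhere; a user may write only
    untrusted paths or trusted paths that have been left world-writable."""
    if ev.op != "write":
        return False
    return (effective_uid(ev) == "root"
            or ev.path not in TRUSTED
            or ev.path in state.world_writable)


def policy_ok(state: SystemState, ev: Event) -> bool:
    """Trusted-file policy: trusted files change only through passwd, and
    passwd changes only trusted files."""
    if not write_succeeds(state, ev):
        return True
    return (ev.path in TRUSTED) == (ev.program == "passwd")


def spec_ok(ev: Event) -> bool:
    """IDS specification for the monitored program: passwd writes only trusted
    files. sh is unmonitored, so the IDS never alarms on it."""
    return ev.program != "passwd" or ev.op != "write" or ev.path in TRUSTED


def assumption_dac(state: SystemState) -> bool:
    """System property assumed by the proof but not checked by the IDS:
    no trusted file is world-writable."""
    return not state.world_writable


def all_states():
    """Every assignment of the world-writable bit to the trusted files."""
    trusted = sorted(TRUSTED)
    for bits in product((False, True), repeat=len(trusted)):
        yield SystemState(frozenset(p for p, b in zip(trusted, bits) if b))


def check(assumptions):
    """Finite stand-in for the theorem: over every state satisfying the
    assumptions and every event, collect the policy violations the spec lets
    through (missed) and the alarms raised on policy-conformant events (false)."""
    missed, false_alarms = [], []
    for state in all_states():
        if not all(a(state) for a in assumptions):
            continue
        for program, op, path in product(PROGRAMS, OPS, PATHS):
            ev = Event(program, op, path)
            if spec_ok(ev) and not policy_ok(state, ev):
                missed.append((state, ev))
            if not spec_ok(ev) and policy_ok(state, ev):
                false_alarms.append((state, ev))
    return missed, false_alarms


if __name__ == "__main__":
    print("with DAC assumption (missed, false alarms):", check([assumption_dac]))
    missed, _ = check([])
    print("without it, violations the IDS cannot see:")
    for state, ev in missed:
        print("  world-writable:", sorted(state.world_writable), ev)
```

Under `assumption_dac` both lists come back empty, which is the finite analogue of the paper's soundness-and-completeness result for this rule. Removing the assumption yields four undetected violations, all of them `sh` writing a trusted file that the DAC state has left world-writable; the monitored program never appears in them. That is the kind of unchecked system property the abstract refers to, and it is a gap that a specification on `passwd` alone cannot close: it has to be covered either by an additional assumption or by a separate check of file modes.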




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Song, T., Ko, C., Alves-Foss, J., Zhang, C., Levitt, K. (2004). Formal Reasoning About Intrusion Detection Systems. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_15

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive
