Abstract
We present a formal framework for analysing intrusion detection systems (IDSs) that employ declarative rules for attack recognition, e.g. specification-based intrusion detection. The approach allows reasoning about the effectiveness of an IDS: a formal model is built with the theorem prover ACL2 and used to analyse and improve the detection rules of the IDS. SHIM (System Health and Intrusion Monitoring) serves as the exemplary specification-based IDS for validating the approach. We have formalized all specifications of a host-based IDS in SHIM which, together with a trusted-file policy, enabled us to reason about the soundness and completeness of the specifications by proving that they satisfy the policy under various assumptions. These assumptions are properties of the system that the IDS itself does not check, and analysing them shows the beneficial role SHIM plays in improving the security of the system. The formal framework and analysis methodology provide a scientific basis for arguing that an IDS detects both known and unknown attacks: one shows that the IDS detects every attack that would violate the policy.
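The abstract's workflow, specification plus trusted-file policy plus assumptions, checked at toy scale. This is an added example, not the paper's ACL2 development: instead of a theorem prover it enumerates every event trace up to a fixed length, and the SHIM-like constraint, the policy, the assumption and the event alphabet are all hypothetical. The IDS rule only sees the monitored privileged program and compares path names syntactically; the policy is evaluated on the real system state, so hard links created by an unmonitored user are followed. The assumption that no alias to a trusted file exists is exactly the kind of system property the IDS does not check.

```python
"""Toy check of a specification-based IDS rule against a trusted-file
policy. Added example, not code from the paper; every name below is a
constructed stand-in for the SHIM specifications the paper formalizes."""
from itertools import product

# Hypothetical trusted-file policy scope.
TRUSTED = frozenset({"/etc/passwd", "/etc/shadow"})

# Constructed event alphabet. The IDS monitors the privileged program
# "ftpd"; hard links created by an unprivileged "user" are not audited.
EVENTS = (
    ("ftpd", "write", "/etc/passwd"),
    ("ftpd", "write", "/var/ftp/pub/f"),
    ("ftpd", "write", "/tmp/pw"),
    ("user", "link", "/tmp/pw", "/etc/passwd"),    # alias of a trusted file
    ("user", "link", "/tmp/f", "/var/ftp/pub/f"),  # alias of a harmless file
)


def spec_flags(trace):
    """The IDS detection rule (hypothetical SHIM-style constraint):
    flag a monitored write whose *path name* is a trusted file.
    Purely syntactic; it sees only ftpd's events."""
    return {i for i, ev in enumerate(trace)
            if ev[0] == "ftpd" and ev[1] == "write" and ev[2] in TRUSTED}


def _resolve(alias, path):
    """Follow link aliases to the canonical file (bounded, no cycles here)."""
    for _ in range(len(alias) + 1):
        if path not in alias:
            break
        path = alias[path]
    return path


def policy_violations(trace):
    """Trusted-file policy: no write by the monitored program may change
    the *content* of a trusted file. Evaluated on real system state, so
    aliases created by link events are followed."""
    alias, bad = {}, set()
    for i, ev in enumerate(trace):
        if ev[1] == "link":
            alias[ev[2]] = ev[3]
        elif ev[1] == "write" and _resolve(alias, ev[2]) in TRUSTED:
            bad.add(i)
    return bad


def assumption_holds(trace):
    """Assumption A (a system property the IDS does not check):
    no alias to a trusted file is ever created."""
    return not any(ev[1] == "link" and ev[3] in TRUSTED for ev in trace)


def all_traces(max_len):
    for n in range(1, max_len + 1):
        yield from product(EVENTS, repeat=n)


def check(max_len=3, assume=True):
    """Return (sound, complete, counterexample).
    sound:    every policy violation is flagged by the rule.
    complete: every flag raised by the rule is a real violation.
    With assume=False the traces that break assumption A are checked too."""
    sound = complete = True
    counter = None
    for t in all_traces(max_len):
        if assume and not assumption_holds(t):
            continue
        flagged, violated = spec_flags(t), policy_violations(t)
        if not violated <= flagged:
            sound = False
            counter = counter or (t, violated - flagged)
        if not flagged <= violated:
            complete = False
            counter = counter or (t, flagged - violated)
    return sound, complete, counter


if __name__ == "__main__":
    print("under assumption A:", check(3, assume=True)[:2])
    s, c, cx = check(3, assume=False)
    print("without assumption A: sound=%s complete=%s" % (s, c))
    print("undetected violation:", cx)
```

Under the assumption the rule is both sound and complete with respect to the policy. Dropping the assumption exposes the gap: a trace in which the user links `/tmp/pw` to `/etc/passwd` and ftpd then writes `/tmp/pw` modifies a trusted file without the rule firing. Completeness survives either way, because every name the rule flags really is a trusted file. The paper's point carries over: the assumptions that make the proof go through are precisely the system properties worth enforcing or monitoring separately.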
© 2004 Springer-Verlag Berlin Heidelberg
Cite this paper
Song, T., Ko, C., Alves-Foss, J., Zhang, C., Levitt, K. (2004). Formal Reasoning About Intrusion Detection Systems. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_15
DOI: https://doi.org/10.1007/978-3-540-30143-1_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1
eBook Packages: Springer Book Archive