ADeLe: An Attack Description Language for Knowledge-Based Intrusion Detection

  • Cédric Michel
  • Ludovic Mé
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 65)


ADeLe is an attack description language designed to model a database of known attack scenarios. As the descriptions might contain executable attack code, it allows one to test the efficiency of given Intrusion Detection Systems (IDS). Signatures can also be extracted from the descriptions to configure a particular IDS.


Keywords: Intrusion detection, attack description language



Copyright information

© IFIP International Federation for Information Processing 2001

Authors and Affiliations

  • Cédric Michel (1)
  • Ludovic Mé (1)
  1. Cesson Sévigné Cedex, France
