A Stream-Based Specification Language for Network Monitoring

  • Peter Faymonville
  • Bernd Finkbeiner
  • Sebastian Schirmer
  • Hazem Torfah
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10012)

Abstract

We introduce Lola 2.0, a stream-based specification language for the precise description of complex security properties in network traffic. The language extends the specification language Lola with two new features: template stream expressions, which allow input data to be carried along the stream, and dynamic stream generation, where new monitors can be invoked during the monitoring process for the monitoring of new subtasks on their own time scale. Lola 2.0 is simple and expressive: it combines the ease-of-use of rule-based specification languages like Snort with the expressiveness of heavy-weight scripting languages or temporal logics previously needed for the description of complex stateful dependencies and statistical measures. Lola 2.0 specifications are monitored by incrementally constructing output streams from input streams, while maintaining a store of partially evaluated expressions. We demonstrate the flexibility and expressivity of Lola 2.0 using a prototype implementation on several practical examples.
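As an added illustration, not code from the paper or its prototype, the following hypothetical Python monitor sketches the two features the abstract names: template streams whose instances are keyed by a value carried along from the input (here the source address), and instances that are invoked dynamically the first time a new key appears. The spec lines in the comments are an informal paraphrase rather than actual Lola 2.0 syntax, and the packet data is constructed.

```python
from collections import defaultdict

# Constructed sample input: (source address, SYN flag) per observed packet; not data from the paper.
PACKETS = [{"src": s, "syn": f} for s, f in [("10.0.0.1", True), ("10.0.0.2", True),
           ("10.0.0.1", True), ("10.0.0.1", False), ("10.0.0.1", True)]]


class TemplateMonitor:
    """Illustrative monitor: each template stream is instantiated per parameter value drawn
    from the input and extended whenever that value reappears (hypothetical code, not the
    paper's Lola 2.0 syntax or prototype)."""

    def __init__(self):
        self.templates = []            # [(name, key_fn, expr)], evaluated in this order
        self.hist = defaultdict(list)  # (name, key) -> values, one per extension
        self.done = set()              # (name, key) already computed in the current step

    def template(self, name, key_fn, expr):
        self.templates.append((name, key_fn, expr))

    def at(self, name, key, offset, default):
        """Lola-style s[offset, default]: offset 0 is this step's value (once computed),
        -1 the previous one; `default` stands in where the instance has no value yet."""
        values = self.hist[(name, key)]
        cur = len(values) - 1 if (name, key) in self.done else len(values)
        i = cur + offset
        return values[i] if 0 <= i < len(values) else default

    def step(self, inp):
        self.done = set()
        for name, key_fn, expr in self.templates:
            key = key_fn(inp)  # an unseen parameter value invokes a fresh instance here
            get = lambda n, o, d, k=key: self.at(n, k, o, d)
            self.hist[(name, key)].append(expr(inp, get))
            self.done.add((name, key))


def run_scan_monitor(packets):
    """Per-source SYN counter and alarm; returns the monitor and the alarm rising edges."""
    m = TemplateMonitor()
    # syns<src> := syns<src>[-1, 0] + (syn ? 1 : 0)
    m.template("syns", lambda p: p["src"],
               lambda p, s: s("syns", -1, 0) + (1 if p["syn"] else 0))
    # alarm<src> := syns<src>[0, 0] >= 3
    m.template("alarm", lambda p: p["src"], lambda p, s: s("syns", 0, 0) >= 3)
    alarms = []
    for t, p in enumerate(packets):
        m.step(p)
        if m.at("alarm", p["src"], 0, False) and not m.at("alarm", p["src"], -1, False):
            alarms.append((t, p["src"]))  # report only when the alarm first turns true
    return m, alarms
```

Instances for other sources keep their state between steps, so a per-source statistic such as the counter is never mixed across addresses.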

Keywords

Runtime verification, Monitoring, Network intrusion detection


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Peter Faymonville (1)
  • Bernd Finkbeiner (1)
  • Sebastian Schirmer (1)
  • Hazem Torfah (1)

  1. Saarland University, Saarbrücken, Germany
