Identifying Modeling Errors in Signatures by Model Checking

  • Sebastian Schmerl
  • Michael Vogel
  • Hartmut König
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5578)


Most intrusion detection systems deployed today apply misuse detection as analysis method. Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures. The definition of signatures is up to now an empirical process based on expert knowledge and experience. The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures. Methods for a systematic development of signatures have scarcely been reported yet, so the modeling of a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this. Signature testing is still a rather empirical and time-consuming pro cess to detect modeling errors. In this paper we present the first approach for verifying signature specifications using the Spin model checker. The signatures are modeled in the specification language EDL which leans on colored Petri nets. We show how the signature specification is transformed into a Promela model and how characteristic specification errors can be found by Spin.


Computer Security Intrusion Detection Misuse Detection Attack Signatures Signature Verification Promela Spin model checker 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Meier, M.: A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 158–169. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Meier, M., Schmerl, S.: Improving the Efficiency of Misuse Detection. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 188–205. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Vigna, G., Eckmann, S.T., Kemmerer, R.A.: The STAT Tool Suite. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) 2000, vol. 2, pp. 46–55. IEEE Computer Society Press, Hilton Head (2000)Google Scholar
  4. 4.
    Schmerl, S., König, H.: Towards Systematic Signature Testing. In: Petrenko, A., Veanes, M., Tretmans, J., Grieskamp, W. (eds.) TestCom/FATES 2007. LNCS, vol. 4581, pp. 276–291. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Security 10(1/2), 71–104 (2002)CrossRefGoogle Scholar
  6. 6.
    Paxson, V.: Bro - A System for Detecting Network Intruders in Real-Time. Computer Networks 31, 23–24 (1999)CrossRefGoogle Scholar
  7. 7.
    Kumar S.: Classification and Detection of Computer Intrusions. PhD Thesis, Department of Computer Science, Purdue University, West Lafayette, IN, USA (August 1995) Google Scholar
  8. 8.
    Ranum, M.J.: Challenges for the Future of Intrusion Detection. In: 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Zürich (2002) (invited Talk) Google Scholar
  9. 9.
  10. 10.
  11. 11.
    Holzmann, J.G.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley Professional, Reading (2003)Google Scholar
  12. 12.
    Nanda, S., Chiueh, T.: Execution Trace-Driven Automated Attack Signature Generation. In: Proceedings of 24th Annual Computer Security Applications Conference (AC-SAC), Anaheim, CA, USA, pp. 195–204. IEEE Computer Society, Los Alamitos (2008)Google Scholar
  13. 13.
    Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: Proceedings of 12th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA (November 2005) Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Sebastian Schmerl
    • 1
  • Michael Vogel
    • 1
  • Hartmut König
    • 1
  1. 1.Computer Science DepartmentBrandenburg University of Technology CottbusCottbusGermany

Personalised recommendations