Abstract
Integrating security in the development and operation of information systems is the cornerstone of SecDevOps. From an operational perspective, one of the key activities for achieving such an integration is the detection of incidents (such as intrusions), especially in an automated manner. However, one of the stumbling blocks of an automated approach to intrusion detection is the management of the large volume of information typically produced by this type of solution. Existing works on the topic have concentrated on the reduction of volume by increasing the precision of the detection approach, thus lowering the rate of false alarms. However, another less explored possibility is to reduce the volume of evidence gathered for each alarm raised. This chapter explores the concept of intrusion detection from the angle of complex event processing. It provides a formalization of the notion of pattern matching in a sequence of events produced by an arbitrary system, by framing the task as a runtime monitoring problem. It then focuses on the topic of incident reporting and proposes a technique to automatically extract relevant elements of a stream that explain the occurrence of an intrusion. These relevant elements generally amount to a small fraction of all the data ingested for an alarm to be triggered and thus help reduce the volume of evidence that needs to be examined by manual means. The approach is experimentally evaluated on a proof-of-concept implementation of these principles.
Notes
1. The term “stateless” may seem odd, since \(\iota _\pi \) actually has one state; what is meant is that the output of \(\pi \) does not depend on its internal state, precisely because it is always in the same state.
2. In fact, none of these three elements could be removed without violating the condition for a state function. In particular, knowledge of \(\lvert {\overline {\sigma }} \rvert _a\) and \(\lvert {\overline {\sigma }} \rvert _b\) alone is not sufficient to determine the monitor’s verdict, as the order in which the symbols occur may or may not result in a prefix of \({\overline {\sigma }}\) satisfying the condition.
3. This worst case is arguably contrived, as it would require each successive event of the stream to place the corresponding new monitor instance in a state different from that of all previous monitors.
4. Note that the function produces exactly one output front for each input front; thus, it cannot insert or delete events like some other processors.
5. Recall that, because of the presence of box #1, the pipeline produces only one output event for every two input events.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Hallé, S. (2024). A Stream-Based Approach to Intrusion Detection. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_9
DOI: https://doi.org/10.1007/978-3-031-42212-6_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-42211-9
Online ISBN: 978-3-031-42212-6
eBook Packages: Computer Science, Computer Science (R0)