A Stream-Based Approach to Intrusion Detection

Chapter in: CyberSecurity in a DevOps Environment

Abstract

Integrating security in the development and operation of information systems is the cornerstone of SecDevOps. From an operational perspective, one of the key activities for achieving such an integration is the detection of incidents (such as intrusions), especially in an automated manner. However, one of the stumbling blocks of an automated approach to intrusion detection is the management of the large volume of information typically produced by this type of solution. Existing works on the topic have concentrated on the reduction of volume by increasing the precision of the detection approach, thus lowering the rate of false alarms. However, another less explored possibility is to reduce the volume of evidence gathered for each alarm raised. This chapter explores the concept of intrusion detection from the angle of complex event processing. It provides a formalization of the notion of pattern matching in a sequence of events produced by an arbitrary system, by framing the task as a runtime monitoring problem. It then focuses on the topic of incident reporting and proposes a technique to automatically extract relevant elements of a stream that explain the occurrence of an intrusion. These relevant elements generally amount to a small fraction of all the data ingested for an alarm to be triggered and thus help reduce the volume of evidence that needs to be examined by manual means. The approach is experimentally evaluated on a proof-of-concept implementation of these principles.
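The two ideas in the abstract, a runtime monitor that evaluates a pattern over an event stream and an explanation that cites only the events needed for the verdict, can be illustrated with a small Python program. This is an added example, not code from the chapter or from the author's proof-of-concept implementation. The brute-force login signature, the syslog-like line format and the twelve-line sample log are all constructed for illustration, and the explanation it extracts (the last k unresolved failures plus the success that triggers the alarm) is one reasonable choice of witness, not the chapter's extraction technique.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (12 lines, not taken from the chapter). Lines 2, 4, 7 and 8
# are failed logins for alice from 10.0.0.5; line 10 is the matching success.
SAMPLE_LOG = """\
2024-03-01T08:00:01 cron: job backup started
2024-03-01T08:00:02 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:03 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:05 sshd: Accepted password for bob from 10.0.0.9
2024-03-01T08:00:06 cron: job backup finished
2024-03-01T08:00:07 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:08 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 cron: job rotate started
2024-03-01T08:00:10 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:00:11 sshd: Failed password for carol from 10.0.0.7
2024-03-01T08:00:12 cron: job rotate finished
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


@dataclass(frozen=True)
class Event:
    index: int        # 1-based position in the stream, used to cite the event in an explanation
    kind: str         # "fail", "ok" or "other"
    user: str = ""
    src: str = ""


def parse_stream(text: str) -> List[Event]:
    """Turn raw log lines into events; anything that is not an sshd auth line is 'other'."""
    events: List[Event] = []
    for i, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        a = AUTH_RE.match(m.group("msg")) if m and m.group("proc") == "sshd" else None
        if a is None:
            events.append(Event(i, "other"))
        else:
            kind = "fail" if a.group("result") == "Failed" else "ok"
            events.append(Event(i, kind, a.group("user"), a.group("src")))
    return events


@dataclass(frozen=True)
class Alarm:
    at: int                          # index of the event on which the verdict became true
    explanation: Tuple[Event, ...]   # the events that suffice to reproduce that verdict


class BruteForceMonitor:
    """Hypothetical signature: at least k failed logins for one (src, user) pair,
    with no success in between, followed by a success for that pair.
    The state is the minimum the verdict needs: the last k unresolved failures per pair."""

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self._pending: Dict[Tuple[str, str], List[Event]] = {}

    def step(self, ev: Event) -> Optional[Alarm]:
        if ev.kind == "other":
            return None                          # irrelevant events never enter the explanation
        key = (ev.src, ev.user)
        if ev.kind == "fail":
            fails = self._pending.setdefault(key, [])
            fails.append(ev)
            if len(fails) > self.k:
                del fails[0]                     # older failures cannot change the verdict
            return None
        fails = self._pending.pop(key, [])       # a success resets the pair's state
        if len(fails) < self.k:
            return None
        return Alarm(at=ev.index, explanation=tuple(fails) + (ev,))


def monitor_stream(text: str, k: int = 3) -> List[Alarm]:
    """Run the monitor over the whole stream and collect the alarms it raises."""
    mon = BruteForceMonitor(k)
    alarms: List[Alarm] = []
    for ev in parse_stream(text):
        alarm = mon.step(ev)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


def evidence_ratio(alarms: List[Alarm], total_events: int) -> float:
    """Fraction of the ingested stream an analyst has to read to check every alarm."""
    cited = {e.index for a in alarms for e in a.explanation}
    return len(cited) / total_events if total_events else 0.0


if __name__ == "__main__":
    events = parse_stream(SAMPLE_LOG)
    found = monitor_stream(SAMPLE_LOG)
    for a in found:
        print(f"alarm at event {a.at}; explanation = lines {[e.index for e in a.explanation]}")
    print(f"evidence ratio: {evidence_ratio(found, len(events)):.2f}")
```

On the constructed log the single alarm cites 4 of the 12 ingested events, which is the kind of volume reduction the abstract argues for: the analyst checks the four cited lines rather than the whole stream. Keeping only the last k unresolved failures per (src, user) pair bounds the state per key, but a pair that never sees a success is never evicted, so a deployment would add an expiry on pending entries.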

Notes

  1. The term “stateless” may seem odd, since \(\iota_\pi\) actually has one state; what it means is that the output of \(\pi\) does not depend on its internal state, precisely because it is always in the same state.

  2. As a matter of fact, none of these three elements could be removed without violating the condition for a state function. In particular, knowing \(\lvert\overline{\sigma}\rvert_a\) and \(\lvert\overline{\sigma}\rvert_b\) is not sufficient to determine the monitor’s verdict, as the order in which the symbols occur may or may not result in a prefix of \(\overline{\sigma}\) satisfying the condition.

  3. This worst case is arguably contrived, as it would require each successive event of the stream to place the corresponding new monitor instance in a state different from that of all previous monitors.

  4. Note that the function produces exactly one output front for each input front; thus, it cannot insert or delete events, unlike some other processors.

  5. Recall that, because of the presence of box #1, the pipeline only produces one output event for every two input events.

  6. https://github.com/liflab/pattern-detection-lab

Author

Sylvain Hallé (corresponding author)

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Hallé, S. (2024). A Stream-Based Approach to Intrusion Detection. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_9

  • DOI: https://doi.org/10.1007/978-3-031-42212-6_9
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-42211-9
  • Online ISBN: 978-3-031-42212-6