From Intrusion Detection to Software Design

  • Sandro Etalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10492)


I believe the single most important reason why we are so helpless against cyber-attackers is that present systems are not supervisable. This opinion has developed over years spent working on network intrusion detection, both as an academic and as an entrepreneur. I believe we need to start writing software and systems that are supervisable by design; in particular, we should do this for embedded devices. In this paper, I present a personal view on the field of intrusion detection, and conclude with some considerations on software design.



Many, many thanks to those who have given comments on this paper, including: Luca Allodi, Elisa Costante, Marc Dacier, Guillaume Dupont, Davide Fauri, Dieter Gollmann, Alexios Lekidis, Daniel Ricardo dos Santos, Boris Skoric, Nicola Zannone.

This work has been funded by SpySpot, a project under the Cyber Security programme of NWO, the Dutch Organisation for Scientific Research. It was also partly funded by the IDEA-ICS project of NWO and the U.S. Department of Homeland Security.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Eindhoven University of Technology, University of Twente and SecurityMatters BV, Eindhoven, The Netherlands
