Abstract
Misuse detection systems identify evidence of attacks by searching for patterns of known attacks (signatures). A central problem in this context is the modeling and specification of attack signatures. Several languages have been proposed in the literature, and they differ in which aspects of a signature they can describe: some aspects that can be specified in one language cannot be expressed in another. In this paper we present a model for the semantics of attack signatures that systematically enumerates the different aspects that characterize them. The presented model serves as a checklist, both for the development of a new signature specification language and for the comparison of existing ones.
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Meier, M. (2004). A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds) Information Security. ISC 2004. Lecture Notes in Computer Science, vol 3225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30144-8_14
DOI: https://doi.org/10.1007/978-3-540-30144-8_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23208-7
Online ISBN: 978-3-540-30144-8