
Intrusion Detection Using ASTDs

  • Conference paper, published in Advanced Information Networking and Applications (AINA 2020)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1151))

Abstract

In this paper, we show how ASTDs can be applied to intrusion detection. ASTD is an executable, modular and graphical notation that composes hierarchical state machines with process algebra operators in order to model complex, multi-phase attacks. Overall, ASTD attack specifications are more concise than those of industrial tools such as Snort and Zeek and of other attack languages in the literature. For intrusion detection, iASTD (the ASTD interpreter) and Zeek produced similar results. iASTD produced fewer false positives and a smaller number of true positives per attack than Snort, which matters when very large volumes of events must be processed. The processing time of iASTD on the real-time testbed is slower than that of Snort and Zeek, but it can be improved by compiling ASTD specifications into Zeek scripts.


Notes

  1. The tools are available at https://depot.gril.usherbrooke.ca/fram1801/iASTD-public.

  2. The translation rules and the compiler are available at https://depot.gril.usherbrooke.ca/lionel-tidjon/castd.


Acknowledgements

This work was supported in part by NSERC (Natural Sciences and Engineering Research Council of Canada). We thank Felix Vigneault and Jonathan Martineau for their contribution to the development of the iASTD tool. We thank Nokia Canada and CSE (Communications Security Establishment) of Canada for their support.


Corresponding author: Lionel N. Tidjon.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Tidjon, L.N., Frappier, M., Mammar, A. (2020). Intrusion Detection Using ASTDs. In: Barolli, L., Amato, F., Moscato, F., Enokido, T., Takizawa, M. (eds) Advanced Information Networking and Applications. AINA 2020. Advances in Intelligent Systems and Computing, vol 1151. Springer, Cham. https://doi.org/10.1007/978-3-030-44041-1_118
