Model-driven, network-context sensitive intrusion detection

Authors:
Frederic Massicotte;Mathieu Couture;Lionel Briand;Yvan Labiche
Affiliations:
Communication Research Centre, Ottawa, ON, Canada;Communication Research Centre, Ottawa, ON, Canada;Department of Systems and Computer Eng., Carleton University, Ottawa, ON, Canada;Department of Systems and Computer Eng., Carleton University, Ottawa, ON, Canada
Venue:
MODELS'07 Proceedings of the 10th international conference on Model Driven Engineering Languages and Systems
Year:
2007

Citing 10
Cited 1

A high-performance network intrusion detection system

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
On a temporal logic for object-based systems

Fourth International Conference on Formal methods for open object-based distributed systems IV
NetSTAT: A Network-Based Intrusion Detection Approach

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Log Auditing through Model-Checking

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Designing and implementing a family of intrusion detection systems

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Enhancing byte-level network intrusion detection signatures with context

Proceedings of the 10th ACM conference on Computer and communications security
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Automatic Evaluation of Intrusion Detection Systems

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
M2D2: a formal data model for IDS alert correlation

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Network specific false alarm reduction in intrusion detection system

Security and Communication Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.