STATL is an extensible state/transition-based attack description language designed to support intrusion detection. The language allows one to describe computer penetrations as sequences of actions that an attacker performs to compromise a computer system. A STATL description of an attack scenario can be used by an intrusion detection system to analyze a stream of events and detect possible ongoing intrusions. Since intrusion detection is performed in different domains (i.e., the network or the hosts) and in different operating environments (e.g., Linux, Solaris, or Windows NT), it is useful to have an extensible language that can be easily tailored to different target environments. STATL defines domain-independent features of attack scenarios and provides constructs for extending the language to describe attacks in particular domains and environments. The STATL language has been successfully used in describing both network-based and host-based attacks, and it has been tailored to very different environments, e.g., Sun Microsystems' Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has been developed and a toolset of intrusion detection systems based on STATL has been implemented. The toolset was used in a recent intrusion detection evaluation effort, delivering very favorable results. This paper presents the details of the STATL syntax and its semantics. Real examples from both the host and network-based extensions of the language are also presented.
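As an added illustration (not code from the STATL paper or the STAT toolset, and not STATL syntax), the following Python sketch shows the core idea the abstract describes: an attack scenario is an automaton whose transitions are guarded by predicates over audit events, each live scenario instance carries the variables it has bound so far, and a transition into the final state raises an alert. The scenario (a file written by one user and later executed by another), the event fields and the sample event stream are constructed assumptions.

```python
# A scenario is a small automaton: named states, guarded transitions and live instances.
# A transition is (source state, target state, guard); the guard returns the variable
# bindings it extracts from a matching event, or None when the event does not match.
class Scenario:
    def __init__(self, name, initial, final, transitions):
        self.name, self.initial, self.final = name, initial, final
        self.transitions = transitions
        self.active, self.alerts = [], []   # live instances: (state, bound variables)

    def feed(self, ev):
        survivors = []
        # The prototype instance in the initial state is implicitly always present:
        # when it matches it forks a new instance, so later attacks are still seen.
        for state, env in [(self.initial, {})] + self.active:
            fired = None
            for src, dst, guard in self.transitions:
                binding = guard(ev, env) if src == state else None
                if binding is not None:
                    fired = (dst, {**env, **binding})
                    break
            if fired is None:
                if state != self.initial:   # unmatched instances wait; prototype is recreated
                    survivors.append((state, env))
            elif fired[0] == self.final:
                self.alerts.append({"scenario": self.name, **fired[1]})
            else:
                survivors.append(fired)
        self.active = survivors

def write_guard(ev, env):   # s0 -> s1: remember who wrote which file
    return {"user": ev["user"], "file": ev["file"]} if ev["type"] == "write" else None

def exec_guard(ev, env):    # s1 -> s2: that same file executed by a different user
    hit = ev["type"] == "exec" and ev["file"] == env["file"] and ev["user"] != env["user"]
    return {"executor": ev["user"]} if hit else None

def build_scenario():
    return Scenario("write_then_exec_by_other", "s0", "s2",
                    [("s0", "s1", write_guard), ("s1", "s2", exec_guard)])

EVENTS = [  # constructed sample audit stream, not real data
    {"type": "write", "user": "alice", "file": "/tmp/run.sh"},
    {"type": "exec", "user": "alice", "file": "/tmp/run.sh"},   # same user: no alert
    {"type": "write", "user": "bob", "file": "/tmp/notes"},
    {"type": "exec", "user": "root", "file": "/tmp/run.sh"},    # alice's file run by root
]

def run(events=EVENTS):
    sc = build_scenario()
    for ev in events:
        sc.feed(ev)
    return sc.alerts
```

Because the prototype instance forks rather than moves, the second `write` event spawns its own instance alongside the first, which is how one scenario definition can track several interleaved attacks in the same stream.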