Panoptis: intrusion detection using a domain-specific language

Authors:
Diomidis Spinellis;Dimitris Gritzalis
Affiliations:
Department of Technology and Management, Athens University of Economics and Business, GR10434 Athens, Greece;Department of Informatics, Athens University of Economics and Business, GR10434 Athens, Greece
Venue:
Journal of Computer Security
Year:
2002

Citing 13
Cited 0

Computers under attack: intruders, worms, and viruses

Computers under attack: intruders, worms, and viruses
Programming perl

Programming perl
A survey of intrusion detection techniques

Computers and Security
Software design for reliability and reuse: a proof-of-concept demonstration

TRI-Ada '94 Proceedings of the conference on TRI-Ada '94
A high-performance network intrusion detection system

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Cryptography and data security

Cryptography and data security
Implementing a Generalized Tool for Network Monitoring

LISA '97 Proceedings of the 11th Conference on Systems Administration
ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis

ESORICS '92 Proceedings of the Second European Symposium on Research in Computer Security
NetSTAT: A Network-Based Intrusion Detection Approach

ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Execution monitoring of security-critical programs in distributed systems: a Specification-based approach

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Synthesizing fast intrusion prevention/detection systems from high-level specifications

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Lightweight languages as software engineering tools

DSL'97 Proceedings of the Conference on Domain-Specific Languages on Conference on Domain-Specific Languages (DSL), 1997

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe the use of a domain-specific language (DSL) for expressing critical design values and constraints in an intrusion detection application. Through the use of this specialised language, information that is critical to the correct operation of the software can be expressed in a form that can be easily drafted, verified, and maintained by domain experts (security officers), thus minimising the risk inherent from the mediation of software engineers. Our application, Panoptis, is a DSL-based low-cost, easy-to-use intrusion detection system using the process accounting records kept by most Unix systems. A set of database tables contain resource usage profiles for processes, terminals, users, and time intervals. Panoptis monitors new process data against the recorded profiles and reports on entities diverging from the established resource usage envelopes implying possible data security threats. We demonstrate the operation of Panoptis by a case study of a real attack and subsequent system compromise that occured on a system under our administrative control.