From Declarative Signatures to Misuse IDS

Authors:
Jean-Philippe Pouzol;Mireille Ducassé
Affiliations:
-;-
Venue:
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Year:
2001

Citing 8
Cited 3

State Transition Analysis: A Rule-Based Intrusion Detection Approach

IEEE Transactions on Software Engineering
Classification and detection of computer intrusions

Classification and detection of computer intrusions
ADeLe: an attack description language for knowledge-based intrustion detection

Sec '01 Proceedings of the 16th international conference on Information security: Trusted information: the new decade challenge
LAMBDA: A Language to Model a Database for Detection of Attacks

RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
Composite Events for Active Databases: Semantics, Contexts and Detection

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis

ESORICS '92 Proceedings of the Second European Symposium on Research in Computer Security
Experience with EMERALD to Date

Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Abstraction-Based Misuse Detection: High-Level Specifications and Adaptable Strategies

CSFW '98 Proceedings of the 11th IEEE workshop on Computer Security Foundations

Formal Specification of Intrusion Signatures and Detection Rules

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Expressive, efficient and obfuscation resilient behavior based IDS

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Proxi-Annotated control flow graphs: deterministic context-sensitive monitoring for intrusion detection

ICDCIT'04 Proceedings of the First international conference on Distributed Computing and Internet Technology

Quantified Score

Hi-index	0.00

Visualization

Abstract

In many existing misuse intrusion detection systems, intrusion signatures are very close to the detection algorithms. As a consequence, they contain too many cumbersome details. Recent work have proposed declarative signature languages that raise the level of abstraction when writing signatures. However, these languages do not always come with operational support. In this article, we show how to transform such declarative signatures into operational ones. This process points out several technical details which must be considered with care when performing the translation by hand, but which can be systematically handled.A signature specification language named Sutekh is proposed. Its declarative semantics is precisely described. To produce rules for existing rule-based IDS from Sutekh signatures, an algorithm, based on the construction of a state-transition diagram, is given.