Misuse intrusion detection systems detect signatures of attack scenarios. Existing systems fall into two categories: transition-based and declarative. In transition-based systems, what the significant traces of an attack are is hidden behind how they should be detected, so writing a signature is a heavy task. In declarative systems, a signature contains only what the significant traces of an attack are, and an algorithm takes care of how they should be detected; writing signatures is thus much easier. However, the algorithm is a black box over which the security officer has no control. In this article, we propose to refine the declarative approach. We formally specify the algorithm in two stages: first we classify the signature instances, then we give a detection rule set which detects in an audit trail one representative of each class. The rules are formally specified with "parsing schemata", a high-level formalism used to specify grammar parsers. The algorithm defined by the rules is proved sound and complete. With our approach, the what (signatures) and the how (detection algorithm) remain cleanly separated, but the security officer can parameterize the detection by choosing a class for each signature.
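The following is an added illustration of the what/how split the abstract describes; it is not the paper's rule set, its parsing schemata or its instance classification. A signature is written declaratively as a sequence of event patterns sharing variables, and detection is a small set of deduction rules over chart-parser-style items. The three instance classes ('all', 'first', 'consumed'), the brute-force signature, and the audit trail are assumptions constructed for this example; the point is that the same signature reports different representatives depending on the class chosen.

```python
"""Deductive matcher for declarative attack signatures (added example).

Not the paper's algorithm: a toy parsing-schemata-style engine in which
a signature says WHAT to look for and a handful of deduction rules say
HOW to find it, parameterised by an instance class. The classes, the
signature and the audit trail below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Event = Dict[str, object]
Bindings = Dict[str, object]


@dataclass(frozen=True)
class Pattern:
    """One step of a signature: an event type plus field constraints.
    A constraint value starting with '?' is a variable that must take
    the same value everywhere it appears in the signature."""
    etype: str
    fields: Tuple[Tuple[str, str], ...]


@dataclass
class Item:
    """Deductive item: the first `dot` patterns of the signature have
    matched the trail events listed in `trace` under `bindings`."""
    dot: int
    bindings: Bindings
    trace: Tuple[int, ...]  # indices into the audit trail, increasing


def unify(pat: Pattern, ev: Event, b: Bindings) -> Optional[Bindings]:
    """Extend bindings `b` so that `pat` matches `ev`, or return None."""
    if ev.get("type") != pat.etype:
        return None
    nb = dict(b)
    for key, want in pat.fields:
        if key not in ev:
            return None
        if want.startswith("?"):
            if want in nb and nb[want] != ev[key]:
                return None  # variable already bound to a different value
            nb[want] = ev[key]
        elif ev[key] != want:
            return None
    return nb


def detect(sig: List[Pattern], trail: List[Event],
           instance_class: str = "all") -> List[Tuple[int, ...]]:
    """Run the deduction rules over the trail in event order.

    Axiom: the empty item (dot=0, no bindings, no trace).
    SCAN:  from an item with dot=k and a later event i unifying with
           sig[k], derive the item with dot=k+1 and trace + (i,).
    Goal:  an item with dot=len(sig) is a complete signature instance.
    The instance class picks which instances are reported:
      'all'       every instance (can blow up combinatorially),
      'first'     only the earliest completed instance,
      'consumed'  each event may belong to at most one reported instance.
    """
    items: List[Item] = [Item(0, {}, ())]  # the axiom
    found: List[Tuple[int, ...]] = []
    consumed: Set[int] = set()
    for i, ev in enumerate(trail):
        new_items: List[Item] = []
        for it in items:  # snapshot: items derived from event i are not re-scanned against i
            if instance_class == "consumed" and set(it.trace) & consumed:
                continue  # built on an event already claimed by a reported instance
            b = unify(sig[it.dot], ev, it.bindings)
            if b is None:
                continue
            nxt = Item(it.dot + 1, b, it.trace + (i,))
            if nxt.dot == len(sig):
                found.append(nxt.trace)
                if instance_class == "first":
                    return found
                if instance_class == "consumed":
                    consumed.update(nxt.trace)
            else:
                new_items.append(nxt)
        items.extend(new_items)
        if instance_class == "consumed":
            items = [it for it in items if not set(it.trace) & consumed]
    return found


# Constructed signature: two failed logins then a success, same user and source.
SIGNATURE = [
    Pattern("failed_login", (("user", "?u"), ("src", "?s"))),
    Pattern("failed_login", (("user", "?u"), ("src", "?s"))),
    Pattern("login", (("user", "?u"), ("src", "?s"))),
]

# Constructed audit trail (indices are the event positions).
TRAIL: List[Event] = [
    {"type": "failed_login", "user": "alice", "src": "10.0.0.5"},  # 0
    {"type": "failed_login", "user": "bob", "src": "10.0.0.9"},    # 1
    {"type": "failed_login", "user": "alice", "src": "10.0.0.5"},  # 2
    {"type": "failed_login", "user": "alice", "src": "10.0.0.5"},  # 3
    {"type": "login", "user": "alice", "src": "10.0.0.5"},         # 4
    {"type": "login", "user": "bob", "src": "10.0.0.9"},           # 5
    {"type": "failed_login", "user": "alice", "src": "10.0.0.5"},  # 6
    {"type": "failed_login", "user": "alice", "src": "10.0.0.5"},  # 7
    {"type": "login", "user": "alice", "src": "10.0.0.5"},         # 8
]

if __name__ == "__main__":
    for cls in ("all", "first", "consumed"):
        print(cls, detect(SIGNATURE, TRAIL, cls))
```

With the constructed trail, 'all' reports thirteen instances (every ordered pair of alice's failures before each success), 'first' reports one, and 'consumed' reports two non-overlapping ones; bob never completes the signature because he has a single failure. The signature is untouched across the three runs, which is the separation the abstract is after: the officer tunes detection by picking the class rather than by rewriting the signature.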