The STATL attack detection language
Computer systems and the networks that interconnect them are becoming increasingly critical resources, and consequently they are becoming more attractive targets of attack, whether by petty thieves and miscreants, professional spies and agents of hostile nations, or terrorists. Ideally, preventive measures would be perfect and neither detection nor recovery measures would be needed. The ideal of prevention is far from being reached, however, so detection and recovery measures are an important part of protecting computer resources.
Intrusion detection is done in two complementary ways. Anomaly detection attempts to specify “normal” behavior and monitors for its complement: “abnormal” behavior is anomalous by definition, and anomalous behavior may be malicious. Misuse detection depends on a catalog of attack signatures and monitors for instances of those signatures. The trade-off is the familiar one: anomaly detection can flag previously unseen attacks but also flags benign novelty, while misuse detection is precise for what it knows and blind to anything absent from its catalog.
The State Transition Analysis Technique (STAT) is a misuse detection approach first developed at UCSB in the early 1990s. Building on that work, additional research and development have produced an extensible, domain-independent framework for building intrusion detection systems. The new STAT framework includes several elements: the STATL language for writing attack signatures; the STAT core for implementing sensors; the CommSTAT communication infrastructure for STAT-based sensors to exchange alert messages and control directives in a secure way; and the MetaSTAT control infrastructure for controlling and monitoring a set of sensors.
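As an added illustration of the state-transition idea described above, here is a small Python matcher that models an attack signature as named states joined by guarded transitions and runs it over constructed login events. It is example code written for this page, not code from the STAT framework or the dissertation, and it does not use STATL syntax. It does borrow one STAT concept: a nonconsuming transition forks a copy of the scenario instance so the original keeps watching, while a consuming transition moves the instance itself. The scenario (three failed logins from one host followed by a success from that host), the event fields, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# An event is a flat dict of attributes (constructed for this example; a real
# sensor would map its own event stream onto something like this).
Event = dict
Guard = Callable[[Event, dict], bool]
Action = Callable[[Event, dict], None]


@dataclass
class Transition:
    src: str
    dst: str
    guard: Guard                      # predicate over (event, instance environment)
    consuming: bool = True            # True: instance moves; False: a copy moves, original stays
    action: Optional[Action] = None   # may record event fields into the environment


@dataclass
class Scenario:
    name: str
    initial: str
    final: str
    transitions: list


@dataclass
class Instance:
    state: str
    env: dict = field(default_factory=dict)


def run(scenario: Scenario, events: list) -> list:
    """Feed events through the scenario; return one alert dict per completed match."""
    # The prototype instance sits in the initial state for the whole run, so every
    # transition out of the initial state behaves as nonconsuming (a STAT convention).
    instances = [Instance(scenario.initial)]
    alerts = []
    for ev in events:
        survivors = []
        for inst in instances:
            forked = []
            consumed = False
            for t in scenario.transitions:
                if t.src != inst.state or not t.guard(ev, inst.env):
                    continue
                env = dict(inst.env)          # each instance keeps its own bindings
                if t.action:
                    t.action(ev, env)
                if t.dst == scenario.final:
                    alerts.append({"scenario": scenario.name, **env})
                else:
                    forked.append(Instance(t.dst, env))
                if t.consuming and inst.state != scenario.initial:
                    consumed = True
                    break                     # one consuming transition per event
            if not consumed:
                survivors.append(inst)
            survivors.extend(forked)
        instances = survivors
    return alerts


# --- Example signature: brute force followed by a successful login ---------
def any_failed_login(ev, env):
    return ev["type"] == "login" and not ev["ok"]

def bind_host(ev, env):
    env["host"], env["first_seen"] = ev["host"], ev["ts"]

def failed_login_same_host(ev, env):
    return any_failed_login(ev, env) and ev["host"] == env["host"]

def success_same_host(ev, env):
    return ev["type"] == "login" and ev["ok"] and ev["host"] == env["host"]

def note_user(ev, env):
    env["user"], env["alert_ts"] = ev["user"], ev["ts"]

BRUTE_FORCE = Scenario(
    name="brute_force_then_success", initial="s0", final="alert",
    transitions=[
        Transition("s0", "s1", any_failed_login, consuming=False, action=bind_host),
        Transition("s1", "s2", failed_login_same_host),
        Transition("s2", "s3", failed_login_same_host),
        Transition("s3", "alert", success_same_host, action=note_user),
    ],
)

# Constructed sample events (not real logs). Host 10.0.0.9 is unrelated noise.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "login", "ok": False, "host": "10.0.0.5", "user": "root"},
    {"ts": 2, "type": "login", "ok": False, "host": "10.0.0.5", "user": "admin"},
    {"ts": 3, "type": "login", "ok": True,  "host": "10.0.0.9", "user": "alice"},
    {"ts": 4, "type": "login", "ok": False, "host": "10.0.0.5", "user": "root"},
    {"ts": 5, "type": "login", "ok": True,  "host": "10.0.0.5", "user": "root"},
]

if __name__ == "__main__":
    for alert in run(BRUTE_FORCE, SAMPLE_EVENTS):
        print(alert)
```

Because the first transition forks rather than consumes, each failed login starts its own instance; only the instance that has seen three failures from 10.0.0.5 reaches the final state, so the sample produces exactly one alert, bound to the first failure's timestamp. Dropping any one of the three failures produces none. A production engine would add timers to expire stale instances, which this example omits.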
The primary contribution of this dissertation is the definition of STATL. STATL was designed, defined, and developed as part of the STAT framework research project. Scenarios have been written for ten different STAT applications, demonstrating that STATL is powerful enough to support a wide variety of domains. Automated translation between STATL and other attack languages was investigated primarily as an efficient means of sharing signatures between different IDSs, but also as a very direct way of comparing attack language expressiveness and evaluating the implementability of language features. A classification scheme for attack languages was also developed.