Abstraction-based misuse detection: high-level specifications and adaptable strategies

A typical misuse detection system has two parts: (1) a language for describing the known techniques (misuse signatures) that attackers use to penetrate the target system, and (2) monitoring programs that detect an attack in progress by matching those signatures against the system's activity. In most systems in the literature, however, misuses are described in a low-level language, that is, directly in terms of the target system's audit records, which is either of limited expressiveness or difficult to use. Moreover, the monitoring algorithms are usually fixed and do not adapt to a changing operating environment or to the objectives of the site security officer. To overcome these limitations, this paper defines a high-level language for abstract misuse signatures (MuSigs). Because it is built on high-level concepts, a MuSig can describe a misuse in a simple form while retaining high expressiveness. The paper also introduces a set of system directives, supplied by the system designer, that support those high-level concepts, and it discusses how to translate MuSigs into monitoring programs with the help of the directives. Adaptability is obtained by allowing the site security officer to add or delete system directives, thereby changing the behavior of the monitoring program.
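The following sketch is an added illustration of the architecture the abstract describes, not code from the paper and not the paper's MuSig syntax. It assumes one concrete reading of the design: a signature is written over abstract events (here `auth_failure` and `auth_success`), each system directive is a small function that raises abstract events from one low-level audit-record format, and the monitoring program is the signature matcher wired to whatever directives are currently in force. The sshd and su log formats and the audit stream are constructed for the example. Removing a directive changes what the monitor sees, and therefore whether the signature fires, without touching the signature itself.

```python
"""Sketch of abstraction-based misuse detection (illustrative, not the paper's MuSig language)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """Abstract event: what a signature reasons about, independent of any audit format."""
    kind: str   # e.g. "auth_failure", "auth_success"
    user: str
    time: int   # seconds


# A system directive maps one raw audit record to zero or more abstract events.
Directive = Callable[[int, str], List[Event]]

# Constructed, syslog-like record formats used by the directives below (hypothetical).
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from")
SSHD_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from")
SU_FAIL = re.compile(r"su\[\d+\]: FAILED SU \(to (\S+)\)")


def sshd_failure_directive(t: int, line: str) -> List[Event]:
    m = SSHD_FAIL.search(line)
    return [Event("auth_failure", m.group(1), t)] if m else []


def sshd_success_directive(t: int, line: str) -> List[Event]:
    m = SSHD_OK.search(line)
    return [Event("auth_success", m.group(1), t)] if m else []


def su_failure_directive(t: int, line: str) -> List[Event]:
    # Same abstract event as an sshd failure, raised from a different low-level source.
    m = SU_FAIL.search(line)
    return [Event("auth_failure", m.group(1), t)] if m else []


@dataclass(frozen=True)
class MuSig:
    """Abstract signature: at least `threshold` `precursor` events for one user
    within `window` seconds, followed by a `trigger` event for the same user."""
    name: str
    precursor: str
    trigger: str
    threshold: int
    window: int


class Monitor:
    """Monitoring program derived from one signature plus the directives in force."""

    def __init__(self, sig: MuSig, directives: Dict[str, Directive]):
        self.sig = sig
        self.directives = dict(directives)
        self.history: Dict[str, Deque[int]] = defaultdict(deque)  # user -> precursor times

    def add_directive(self, name: str, d: Directive) -> None:
        self.directives[name] = d

    def remove_directive(self, name: str) -> None:
        self.directives.pop(name, None)

    def _abstract(self, t: int, line: str) -> List[Event]:
        # Translation step: every active directive gets a look at each raw record.
        return [e for d in self.directives.values() for e in d(t, line)]

    def process(self, records: List[Tuple[int, str]]) -> List[str]:
        alerts: List[str] = []
        for t, line in records:
            for ev in self._abstract(t, line):
                hist = self.history[ev.user]
                while hist and ev.time - hist[0] > self.sig.window:  # drop stale precursors
                    hist.popleft()
                if ev.kind == self.sig.precursor:
                    hist.append(ev.time)
                elif ev.kind == self.sig.trigger and len(hist) >= self.sig.threshold:
                    alerts.append(f"{self.sig.name}: user={ev.user} at t={ev.time} "
                                  f"after {len(hist)} {self.sig.precursor} events")
                    hist.clear()
        return alerts


# Hypothetical signature: three or more authentication failures for a user within
# two minutes, then a successful authentication for that user.
BRUTE_FORCE = MuSig("guessed_password_login", "auth_failure", "auth_success", 3, 120)

DIRECTIVES: Dict[str, Directive] = {
    "sshd_fail": sshd_failure_directive,
    "sshd_ok": sshd_success_directive,
    "su_fail": su_failure_directive,
}

# Constructed audit stream (time in seconds, then the raw record); not real data.
AUDIT: List[Tuple[int, str]] = [
    (100, "host sshd[411]: Failed password for alice from 10.0.0.5 port 5022 ssh2"),
    (130, "host su[520]: FAILED SU (to alice) bob on pts/1"),
    (160, "host sshd[412]: Failed password for alice from 10.0.0.5 port 5023 ssh2"),
    (170, "host sshd[413]: Failed password for invalid user root from 10.0.0.9 port 6001 ssh2"),
    (200, "host sshd[414]: Accepted password for alice from 10.0.0.5 port 5024 ssh2"),
]


def run(with_su: bool = True) -> List[str]:
    """Run the monitor over AUDIT with, or without, the su directive in force."""
    mon = Monitor(BRUTE_FORCE, DIRECTIVES)
    if not with_su:
        mon.remove_directive("su_fail")
    return mon.process(AUDIT)


if __name__ == "__main__":
    print(run(True))   # one alert: alice reached three failures, then succeeded
    print(run(False))  # no alert: without the su directive only two failures are visible
```

With all three directives the signature fires for `alice` (two sshd failures plus one su failure, then a success inside the window); deleting the `su_fail` directive leaves only two visible failures and the same signature stays silent. That is the adaptability mechanism in the abstract reduced to its essentials: the site security officer tunes what the monitor perceives by changing directives, while the signature expresses the misuse once, in abstract terms.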
