Generating a Real-Time Constraint Engine for Network Protocols

In this paper, we present a practical approach to generating the constraint engine of an effective constraint-based intrusion detection system (IDS). The IDS framework was designed for safety-sensitive, limited-access closed networks, such as those used by command and control systems or Air Traffic Control (ATC) systems. The constraint engine generated by the framework delivers real-time performance while enforcing the intended, normal behaviour of its target networks. We present the IDS framework in terms of its internal DSL representation and the transformation mechanisms that generate the constraint engine code. A comparison of the autogenerated engine against a manually implemented, optimized version shows no significant difference in performance.
