A Software Architecture to Support Misuse Intrusion Detection

Misuse Intrusion Detection has traditionally been understood in the literature as the detection of specific, precisely representable techniques of computer system abuse. Pattern matching is well suited to the representation and detection of such abuse. Each specific method of abuse can be represented as a pattern, and many of these can be matched simultaneously against the audit logs generated by the OS kernel. Using relatively high-level patterns to specify computer system abuse relieves the pattern writer from having to understand and encode the intricacies of pattern matching into a misuse detector. Patterns represent a declarative way of specifying what needs to be detected, instead of specifying how it should be detected. We have devised a model of matching based on Colored Petri Nets specifically targeted at misuse intrusion detection. In this paper we present a software architecture for structuring a pattern matching solution to misuse intrusion detection. In the context of an object-oriented prototype implementation, we describe the abstract classes encapsulating generic functionality and the inter-relationships between the classes.
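As an added illustration of the matching idea in the abstract (this is not the paper's code nor its exact model), a minimal Colored-Petri-Net-style matcher in Python: a pattern is a small net whose tokens carry variable bindings as their colour, a constructed audit log is fed to it one event at a time, and interleaved events for another user do not advance the pattern because its guards unify on the same user and host. The event field names, the `login_fail`/`login_ok` record types and the repeated-failure pattern are assumptions made for the example.

```python
def ev(kind, **unify):
    """Guard factory: event type must equal `kind`, and each listed event field
    must agree with the token's binding of that variable (bound on first use)."""
    def guard(event, binds):
        if event["type"] != kind:
            return None
        new = dict(binds)
        for field, var in unify.items():
            if new.setdefault(var, event[field]) != event[field]:
                return None
        return new
    return guard

class Pattern:
    """A small net: places joined by (src, dst, guard) transitions. A token's
    'colour' is its binding dict; a token reaching the `final` place is a match."""
    def __init__(self, name, start, final, transitions):
        self.name, self.start, self.final = name, start, final
        self.transitions, self.tokens = transitions, []  # tokens: (place, bindings)

    def feed(self, event):
        """Consume one audit event; return the bindings of each completed match."""
        matches, survivors = [], []
        # A fresh, unbound token at the start place lets a match begin on any event.
        for place, binds in self.tokens + [(self.start, {})]:
            # Fire every transition out of this place whose guard accepts the event.
            moves = [(dst, g(event, binds)) for src, dst, g in self.transitions if src == place]
            moves = [(dst, new) for dst, new in moves if new is not None]
            matches += [new for dst, new in moves if dst == self.final]
            survivors += [m for m in moves if m[0] != self.final]
            if not moves and place != self.start:
                survivors.append((place, binds))  # waiting tokens persist; no expiry here
        self.tokens = survivors
        return matches

def failures_then_success(threshold=3):
    """Constructed pattern (assumption): `threshold` failed logins by one user from
    one host, followed by a successful login for that same user and host."""
    fail, ok = ev("login_fail", user="U", host="H"), ev("login_ok", user="U", host="H")
    trans = [(f"s{i}", f"s{i + 1}", fail) for i in range(threshold)]
    return Pattern("failures-then-success", "s0", "final", trans + [(f"s{threshold}", "final", ok)])

AUDIT_LOG = [  # constructed sample audit records, not real data
    {"type": "login_fail", "user": "alice", "host": "10.0.0.5"},
    {"type": "login_fail", "user": "bob", "host": "10.0.0.9"},
    {"type": "login_fail", "user": "alice", "host": "10.0.0.5"},
    {"type": "login_ok", "user": "bob", "host": "10.0.0.9"},
    {"type": "login_fail", "user": "alice", "host": "10.0.0.5"},
    {"type": "login_ok", "user": "alice", "host": "10.0.0.5"},
]
```

Several patterns are matched simultaneously by feeding each event to each `Pattern` instance in turn; a production matcher would also age out waiting tokens, which this sketch deliberately omits.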
