Panoptis: Intrusion Detection Using a Domain-Specific Language

We describe the use of a domain-specific language (DSL) for expressing critical design values and constraints in an intrusion detection application. Through the use of this specialised language, information that is critical to the correct operation of the software can be expressed in a form that can be easily drafted, verified, and maintained by domain experts (security officers), thus minimising the risk inherent in the mediation of software engineers. Our application, Panoptis, is a DSL-based low-cost, easy-to-use intrusion detection system using the process accounting records kept by most Unix systems. A set of database tables contains resource usage profiles for processes, terminals, users, and time intervals. Panoptis monitors new process data against the recorded profiles and reports on entities diverging from the established resource usage envelopes, implying possible data security threats. We demonstrate the operation of Panoptis through a case study of a real attack and subsequent system compromise that occurred on a system under our administrative control.
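The profile-and-envelope check described above, written as an added illustration that is not Panoptis's own code: the accounting record fields, the per-(user, command) peak-times-slack envelope rule, and the sample history are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AcctRecord:
    user: str
    tty: str
    command: str
    cpu_s: float  # CPU seconds consumed by the process
    mem_kb: int   # average memory footprint in KB
    hour: int     # hour of day (0-23) at which the process started

# Constructed history standing in for previously processed accounting records.
HISTORY = [
    AcctRecord("alice", "pts/0", "vi", 0.4, 900, 9),
    AcctRecord("alice", "pts/0", "vi", 0.6, 1100, 10),
    AcctRecord("alice", "pts/1", "make", 12.0, 4000, 14),
    AcctRecord("bob", "pts/2", "ls", 0.05, 300, 11),
]

def build_profiles(records, slack=1.5):
    """Envelopes: per (user, command) peak CPU/memory widened by `slack`; per user the ttys and hours used."""
    proc = defaultdict(lambda: {"cpu": 0.0, "mem": 0})
    usr = defaultdict(lambda: {"ttys": set(), "hours": set()})
    for r in records:
        p = proc[(r.user, r.command)]
        p["cpu"] = max(p["cpu"], r.cpu_s * slack)
        p["mem"] = max(p["mem"], int(r.mem_kb * slack))
        usr[r.user]["ttys"].add(r.tty)
        usr[r.user]["hours"].add(r.hour)
    return proc, usr

def check(record, proc, usr):
    """Return the ways `record` diverges from the envelopes; an empty list means it fits."""
    u = usr.get(record.user)
    if u is None:
        return [f"unknown user {record.user}"]
    reasons = []
    if record.tty not in u["ttys"]:
        reasons.append(f"new terminal {record.tty}")
    if record.hour not in u["hours"]:
        reasons.append(f"unusual hour {record.hour:02d}:00")
    p = proc.get((record.user, record.command))
    if p is None:
        reasons.append(f"{record.user} has never run {record.command}")
    else:
        if record.cpu_s > p["cpu"]:
            reasons.append(f"cpu {record.cpu_s}s exceeds envelope {p['cpu']:.2f}s")
        if record.mem_kb > p["mem"]:
            reasons.append(f"mem {record.mem_kb}KB exceeds envelope {p['mem']}KB")
    return reasons
```

A real deployment would read the binary acct records and persist the envelopes in the database tables the paper describes; here both sides are kept in memory so the divergence report can be inspected directly.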
