Execution monitoring of security-critical programs in distributed systems: a specification-based approach

Ko, Calvin; Ruschitzka, Manfred; Levitt, Karl N.

doi:10.1109/secpri.1997.601332

Cited by 211 publications

(137 citation statements)

References 7 publications

Supporting

Mentioning

134

Contrasting

Unclassified

Order By: Relevance

“…Anomaly-based approaches [1,5,10] that attacks involve some abnormal behaviour of the system that is being monitored. Intrusions are, thus, detected as deviations from the expected normal behaviour of the system.…”

Section: Related Workmentioning

confidence: 99%

“…Furthermore, since threats are detected as deviations from a model of normal behaviour (that is expressed by the rules which are specified in S&D patterns and are being monitored), our approach can also be classified as model or specification-based [1,10]. Finally, we should note that our approach has some similarity with statistical approaches to intrusion detection based on Bayesian networks (e.g.…”

Section: Related Workmentioning

confidence: 99%

“…These edges indicate the paths for obtaining a basic probability for E j when any of the events E i is observed. Also an opposite edge from E j to each of the events E i is created provided that E j is not a negated event (see lines [10][11][12]. The latter edges will be used when E j is observed before E i in order to indicate how the basic probability of E i can be computed given E j .…”

mentioning

confidence: 99%

See 2 more Smart Citations

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract The SERENITY monitoring framework offers mechanisms for diagnosing the causes of violations of security and dependability (S&D) properties and detecting potential violations of such properties, called "threats". Diagnostic information and threat detection are often necessary for deciding what an appropriate reaction to a violation is and taking pre-emptive actions against predicted violations, respectively. In this chapter, we describe the mechanisms of the SERENITY monitoring framework which generate diagnostic information for violations of S&D properties and detecting threats. Permanent

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Tsigkritis

Spanoudakis

Kloukinas

et al. 2009

Security and Dependability for Ambient Intelligence

View full text Add to dashboard Cite

show abstract

“…Anomaly detection models the normal behaviors of the subjects being monitored and identifies anything that significantly deviates from the normal behaviors as attacks. Many techniques have been proposed for anomaly detection, including statistical approaches (e.g., Haystack [36], NIDES/STAT [15]), machine learning approaches (e.g., TIM [37], IBL [20]), computer immunological approaches [7], [8], [39], and specification based approaches [17], [18], [35], [38]. Misuse detection models the patterns of known attacks or vulnerabilities, and identifies actions that conform to such patterns as attacks.…”

Section: Intrusion Detectionmentioning

confidence: 99%

LAD: Localization anomaly detection for wireless sensor networks

Fang

Ningi

2006

Journal of Parallel and Distributed Computing

134

130

View full text Add to dashboard Cite

Abstract-In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes.Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore.In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.

show abstract

“…Ilgun et al [10] propose the use of finite state transition diagrams to specify sequences of actions that would lead the system from a secure initial state to a compromised final state. Ko et al [11] introduce a new class of grammars, called parallel environment grammars that are specifically suitable for specifying behavior (traces) of concurrent processes. The expected behavior of security critical programs is specified by a grammar, and an alarm is raised if the observed execution trace is not in the language defined by the grammar.…”

Section: Background and Motivationmentioning

confidence: 99%

A Temporal Logic Based Framework for Intrusion Detection

Naldurg

Sen

Thati

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose a framework for intrusion detection that is based on runtime monitoring of temporal logic specifications. We specify intrusion patterns as formulas in an expressively rich and efficiently monitorable logic called Eagle. Eagle supports data-values and parameterized recursive equations, and allows us to succinctly express security attacks with complex temporal event patterns, as well as attacks whose signatures are inherently statistical in nature. We use an online monitoring algorithm that matches specifications of the absence of an attack, with system execution traces, and raises an alarm whenever the specification is violated. We present our implementation of this approach in a prototype tool, called Monid and report our results obtained by applying it to detect a variety of security attacks in log-files provided by DARPA.

show abstract

Execution monitoring of security-critical programs in distributed systems: a specification-based approach

Cited by 211 publications

References 7 publications

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

Diagnosis and Threat Detection Capabilities of the SERENITY Monitoring Framework

LAD: Localization anomaly detection for wireless sensor networks

A Temporal Logic Based Framework for Intrusion Detection

Contact Info

Product

Resources

About