STATL: An attack language for state-based intrusion detection

Eckmann, Steven T.; Vigna, Giovanni; Kemmerer, Richard A.

doi:10.3233/jcs-2002-101-204

Cited by 239 publications

(151 citation statements)

References 15 publications

Supporting

Mentioning

145

Contrasting

Unclassified

Order By: Relevance

“…This is remarkable due the fact that most signature languages have an underlying strict semantic model (e.g. STATL [5], Bro [6], EDL [2]). The approach demonstrated here uses the signature description language EDL (Event Description Language) as example of a signature modeling language.…”

Section: On the Modeling Of Complex Signaturesmentioning

confidence: 99%

See 1 more Smart Citation

Identifying Modeling Errors in Signatures by Model Checking

Schmerl

Vogel

König

2009

Model Checking Software

View full text Add to dashboard Cite

Most intrusion detection systems deployed today apply misuse detection as analysis method. Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures. The definition of signatures is up to now an empirical process based on expert knowledge and experience. The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures. Methods for a systematic development of signatures have scarcely been reported yet, so the modeling of a new signature is a time-consuming, cumbersome, and errorprone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this. Signature testing is still a rather empirical and time-consuming process to detect modeling errors. In this paper we present the first approach for verifying signature specifications using the SPIN model checker. The signatures are modeled in the specification language EDL which leans on colored Petri nets. We show how the signature specification is transformed into a PROMELA model and how characteristic specification errors can be found by SPIN. Keywords:Computer Security, Intrusion Detection, Misuse Detection, Attack Signatures, Signature Verification, PROMELA, SPIN model checker MotivationThe increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The enlarging technological complexity of IT systems increases the range of threats to endanger them. Besides traditional preventive security measures, such as encryption, authentication, access control mechanisms, etc, reactive approaches are more and more applied to counter these threats. Reactive approaches allow responses and counter-measures to security violations to prevent further damage. Intrusion detection systems (IDSs) have proved as one of the most important means to protect IT-systems. A wide range of commercial intrusion detection products is available, especially for misuse detection. Intrusion detection is based on the monitoring of IT-systems to detect security violations. The decision which activities are considered as security violations in a given context is defined by the used security policy. Two main complementary approaches are applied: anomaly and misuse detection. Anomaly detection aims at the exposure of abnormal user behavior. It requires a comprehensive set of data describing the normal user behavior. Although much research has been done in this area, it has still

show abstract

Section: On the Modeling Of Complex Signaturesmentioning

confidence: 99%

“…as finite state machines. Examples of such signature description languages are STATL [5], [3], Bro [6], IDIOT [7], and EDL [2], which define a strict semantic for the signatures. These languages though are mostly related to a concrete intrusion detection system.…”

Section: Motivationmentioning

confidence: 99%

Identifying Modeling Errors in Signatures by Model Checking

Schmerl

Vogel

König

2009

Model Checking Software

View full text Add to dashboard Cite

show abstract

“…Misuse detection models the patterns of known attacks or vulnerabilities, and identifies actions that conform to such patterns as attacks. Existing approaches include rule-based methods (e.g., ASAX [26], P-BEST [25]), state transition based methods [5], [14], and data mining approaches [22], [23]. Most of these techniques cannot be directly applied to sensor networks due to the resource constraints on sensor nodes.…”

Section: Intrusion Detectionmentioning

confidence: 99%

LAD: Localization anomaly detection for wireless sensor networks

Fang

Ningi

2006

Journal of Parallel and Distributed Computing

134

130

View full text Add to dashboard Cite

Abstract-In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes.Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore.In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.

show abstract

“…A technique for alert correlation based on state-transition graphs is shown in [3]. The use of finite state automata enables for complex scenario descriptions, but it requires known scenarios signatures.…”

Section: Problem Statement and State Of The Artmentioning

confidence: 99%

On the Use of Different Statistical Tests for Alert Correlation – Short Paper

Maggi

Zanero

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.In this paper we analyze the use of different types of statistical tests for the correlation of anomaly detection alerts. We show that the Granger Causality Test, one of the few proposals that can be extended to the anomaly detection domain, strongly depends on good choices of a parameter which proves to be both sensitive and difficult to estimate. We propose a different approach based on a set of simpler statistical tests, and we prove that our criteria work well on a simplified correlation task, without requiring complex configuration parameters.

show abstract

STATL: An attack language for state-based intrusion detection

Cited by 239 publications

References 15 publications

Identifying Modeling Errors in Signatures by Model Checking

Identifying Modeling Errors in Signatures by Model Checking

LAD: Localization anomaly detection for wireless sensor networks

On the Use of Different Statistical Tests for Alert Correlation – Short Paper

Contact Info

Product

Resources

About