LAMBDA: A Language to Model a Database for Detection of Attacks

This article presents an attack description language. This language is based on logic and uses a declarative approach. In the language, the conditions and effects of an attack are described with logical formulas related to the state of the target computer system. The various steps of the attack process are associated to events, which may be combined using specific algebraic operators. These elements provide a description of the attack from the point of view of the attacker. They are complemented with additional elements corresponding to the point of view of intrusion detection systems and audit programs. These detection and verification aspects provide the language user with means to tailor the description of the attack to the needs of a specific intrusion detection system or a specific environment.