
2000 | Book

Recent Advances in Intrusion Detection

Third International Workshop, RAID 2000 Toulouse, France, October 2–4, 2000 Proceedings

Edited by: Hervé Debar, Ludovic Mé, S. Felix Wu

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

Since 1998, RAID has established its reputation as the main event in research on intrusion detection, both in Europe and the United States. Every year, RAID gathers researchers, security vendors and security practitioners to listen to the most recent research results in the area as well as experiments and deployment issues. This year, RAID has grown one step further to establish itself as a well-known event in the security community, with the publication of hardcopy proceedings. RAID 2000 received 26 paper submissions from 10 countries and 3 continents. The program committee selected 14 papers for publication and examined 6 of them for presentation. In addition, RAID 2000 received 30 extended abstract proposals; 15 of these extended abstracts were accepted for presentation. Extended abstracts are available on the website of the RAID symposium series, http://www.raid-symposium.org/. We would like to thank the technical program committee for the help we received in reviewing the papers, as well as all the authors for their participation and submissions, even those rejected. As in previous RAID symposiums, the program alternates between fundamental research issues, such as new technologies for intrusion detection, and more practical issues linked to the deployment and operation of intrusion detection systems in a real environment. Five sessions have been devoted to intrusion detection technology, including modeling, data mining and advanced techniques.

Table of contents

Frontmatter

Logging

Better Logging through Formality
Applying Formal Specification Techniques to Improve Audit Logs and Log Consumers
Abstract
We rely on programs that consume audit logs to do so successfully (a robustness issue) and form the correct interpretations of the input (a semantic issue). The vendor’s documentation of the log format is an important part of the specification for any log consumer. As a specification, it is subject to improvement using formal specification techniques. This work presents a methodology for formalizing and refining the description of an audit log to improve robustness and semantic accuracy of programs that use the log. Ideally applied during design of a new format, the methodology is also profitably applied to existing log formats. Its application to Solaris BSM (an existing, commercial format) demonstrated utility by detecting ambiguities or errors of several types in the documentation or implementation of BSM logging, and identifying opportunities to improve the content of the logs. The products of this work are the methodology itself for use in refining other log formats and their consumers, and an annotated, machine-readable grammar for Solaris BSM that can be used by the community to quickly construct applications that consume BSM logs.
Chapman Flack, Mikhail J. Atallah
A Pattern Matching Based Filter for Audit Reduction and Fast Detection of Potential Intrusions
Abstract
We present a pattern matching approach to the problem of misuse detection in a computer system, which is formalized as the problem of multiple approximate pattern matching. This permits very fast searching of potential attacks. We study the probability of matching of the model and its relation to the filtering efficiency of potential attacks within large audit trails. Experimental results show that in a worst case, up to 85 % of an audit trail may be filtered out when searching a set of attacks without probability of false negatives. Moreover, by filtering 98 % of the audit trail, up to 50 % of the attacks may be detected.
Josué Kuri, Gonzalo Navarro, Ludovic Mé, Laurent Heye
Transaction-Based Pseudonyms in Audit Data for Privacy Respecting Intrusion Detection
Abstract
Privacy and surveillance by intrusion detection are potentially conflicting organizational and legal requirements. In order to support a balanced solution, audit data is inspected for personal data, and identifiers referring to real persons are substituted by transaction-based pseudonyms. These pseudonyms are constructed as shares for a suitably adapted version of Shamir’s cryptographic approach to secret sharing. Under sufficient suspicion, expressed as a threshold on shares, audit analyzers can perform reidentification.
Joachim Biskup, Ulrich Flegel

Data Mining

A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions
Abstract
As the recent distributed Denial-of-Service (DDOS) attacks on several major Internet sites have shown us, no open computer network is immune from intrusions. Furthermore, intrusion detection systems (IDSs) need to be updated in a timely manner whenever a novel intrusion surfaces, and geographically distributed IDSs need to cooperate to detect distributed and coordinated intrusions. In this paper, we describe an experimental system, based on the Common Intrusion Detection Framework (CIDF), where multiple IDSs can exchange attack information to detect distributed intrusions. The system also includes an ID model builder, where a data mining engine can receive audit data of a novel attack from an IDS, compute a new detection model, and then distribute it to other IDSs. We describe our experiences in implementing such a system and the preliminary results of deploying the system in an experimental network.
Wenke Lee, Rahul A. Nimbalkar, Kam K. Yee, Sunil B. Patil, Pragneshkumar H. Desai, Thuan T. Tran, Salvatore J. Stolfo
Using Finite Automata to Mine Execution Data for Intrusion Detection: A Preliminary Report
Abstract
The use of program execution traces to detect intrusions has proven to be a successful strategy. Existing systems that employ this approach are anomaly detectors, meaning that they model a program’s normal behavior and signal deviations from that behavior. Unfortunately, many program-based exploits of NT systems use specialized malicious executables. Anomaly detection systems cannot deal with such programs because there is no standard of “normalcy” that they deviate from.
This paper is a preliminary report on an attempt to remedy that situation. We report on a prototype system that learns to identify specific program behaviors. Though the goal is to identify malicious behavior, in this paper we report on experiments seeking to identify the behavior of the web-browser, since we did not have enough exemplars of malicious behavior to use as training data.
Using automatically generated finite automata, we search for features in execution traces that allow us to distinguish browsers from other programs. In our experiments, we find that this technique does, in fact, allow us to distinguish traces of Internet Explorer from traces of programs that are not web browsers, after training with Netscape and a different set of non-browsers.
Christoph Michael, Anup Ghosh

Modeling Process Behavior

Adaptive, Model-Based Monitoring for Cyber Attack Detection
Abstract
Inference methods for detecting attacks on information resources typically use signature analysis or statistical anomaly detection methods. The former have the advantage of attack specificity, but may not be able to generalize. The latter detect attacks probabilistically, allowing for generalization potential. However, they lack attack models and can potentially “learn” to consider an attack normal.
Herein, we present a high-performance, adaptive, model-based technique for attack detection, using Bayes net technology to analyze bursts of traffic. Attack classes are embodied as model hypotheses, which are adaptively reinforced. This approach has the attractive features of both signature based and statistical techniques: model specificity, adaptability, and generalization potential. Our initial prototype sensor examines TCP headers and communicates in IDIP, delivering a complementary inference technique to an IDS sensor suite. The inference technique is itself suitable for sensor correlation.
Alfonso Valdes, Keith Skinner
A Real-Time Intrusion Detection System Based on Learning Program Behavior
Abstract
In practice, most computer intrusions begin by misusing programs in clever ways to obtain unauthorized higher levels of privilege. One effective way to detect intrusive activity before system damage is perpetrated is to detect misuse of privileged programs in real-time. In this paper, we describe three machine learning algorithms that learn the normal behavior of programs running on the Solaris platform in order to detect unusual uses or misuses of these programs. The performance of the three algorithms has been evaluated by an independent laboratory in an off-line controlled evaluation against a set of computer intrusions and normal usage to determine rates of correct detection and false alarms. A real-time system has since been developed that will enable deployment of a program-based intrusion detection system in a real installation.
Anup K. Ghosh, Christoph Michael, Michael Schatz
Intrusion Detection Using Variable-Length Audit Trail Patterns
Abstract
Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.
Andreas Wespi, Marc Dacier, Hervé Debar
Flexible Intrusion Detection Using Variable-Length Behavior Modeling in Distributed Environment: Application to CORBA Objects
Abstract
This paper presents an approach to the intrusion detection problem applied to CORBA-type distributed environments. The approach is based on the measure of deviation from client reference behaviors towards the CORBA servant objects to be protected. We consider a client behavior as a sequence of invoked requests between each client-server couple, during each connection of the observed client. We construct, during a training period, a client behavior model based on a variable-length branches tree representation. This model takes into account both the series of invoked requests and their parameter values. To make our approach more flexible, we construct, at the end of the training period, a tolerance interval for each numerical parameter. These intervals allow the deviation between observed and learned values to be measured. This article presents our preliminary results and introduces our future work.
Zakia Marrakchi, Ludovic Mé, Bernard Vivinis, Benjamin Morin

IDS Evaluation

The 1998 Lincoln Laboratory IDS Evaluation
A Critique
Abstract
In 1998 (and again in 1999), the Lincoln Laboratory of MIT conducted a comparative evaluation of Intrusion Detection Systems developed under DARPA funding. While this evaluation represents a significant and monumental undertaking, there are a number of unresolved issues associated with its design and execution. Some of the methodologies used in the evaluation are questionable and may have biased its results. One of the problems with the evaluation is that the evaluators have published relatively little concerning some of the more critical aspects of their work, such as validation of their test data. The purpose of this paper is to attempt to identify the shortcomings of the Lincoln Lab effort in the hope that future efforts of this kind will be placed on a sounder footing. Some of the problems that the paper points out might well be resolved if the evaluators publish a detailed description of their procedures and the rationale that led to their adoption, but other problems clearly remain.
John McHugh
Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation
Abstract
Eight sites participated in the second DARPA off-line intrusion detection evaluation in 1999. Three weeks of training and two weeks of test data were generated on a test bed that emulates a small government site. More than 200 instances of 58 attack types were launched against victim UNIX and Windows NT hosts. False alarm rates were low (less than 10 per day). Best detection was provided by network-based systems for old probe and old denial-of-service (DoS) attacks and by host-based systems for Solaris user-to-root (U2R) attacks. Best overall performance would have been provided by a combined system that used both host- and network-based intrusion detection. Detection accuracy was poor for previously unseen new, stealthy, and Windows NT attacks. Ten of the 58 attack types were completely missed by all systems. Systems missed attacks because protocols and TCP services were not analyzed at all or to the depth required, because signatures for old attacks did not generalize to new attacks, and because auditing was not available on all hosts.
Richard Lippmann, Joshua W. Haines, David J. Fried, Jonathan Korba, Kumar Das
Using Rule-Based Activity Descriptions to Evaluate Intrusion-Detection Systems
Abstract
After more than a decade of development, there are now many commercial and non-commercial intrusion-detection systems (IDSes) available. However, they tend to generate false alarms at high rates while overlooking real threats. The results described in this paper have been obtained in the context of work that aims to identify means for supporting the analysis, evaluation, and design of large-scale intrusion-detection architectures. We propose a practical method for evaluating IDSes and identifying their strengths and weaknesses. Our approach shall allow us to evaluate IDSes for their capabilities, unlike existing approaches that evaluate their implementation. It is furthermore shown how the obtained knowledge can be used to analyze and evaluate an IDS.
Dominique Alessandri

Modeling

LAMBDA: A Language to Model a Database for Detection of Attacks
Abstract
This article presents an attack description language. This language is based on logic and uses a declarative approach. In the language, the conditions and effects of an attack are described with logical formulas related to the state of the target computer system. The various steps of the attack process are associated to events, which may be combined using specific algebraic operators. These elements provide a description of the attack from the point of view of the attacker. They are complemented with additional elements corresponding to the point of view of intrusion detection systems and audit programs. These detection and verification aspects provide the language user with means to tailor the description of the attack to the needs of a specific intrusion detection system or a specific environment.
Frédéric Cuppens, Rodolphe Ortalo
Target Naming and Service Apoptosis
Abstract
The volume of traffic on security mailing lists, bulletin boards, news forums, et cetera has grown so sharply in recent times that it is no longer feasible for a systems administrator to follow all relevant news as a background task; it has become a full-time job. Even when relevant information does eventually reach the systems administrator, there is often a dangerous window between public knowledge of a vulnerability and the administrator’s ability to correct it. Automated response mechanisms are the key to closing these vulnerability windows. We propose a database of likely areas of vulnerability, called targets, in a machine-readable and filterable manner so that administrators can greatly reduce the amount of security mail to be read. We then propose a cryptographically secure service with which semi-trusted third parties can act in a manner limited by the system administrator, say shutting down a specific service while not allowing general access, to diminish the window of vulnerability.
James Riordan, Dominique Alessandri
Backmatter
Metadata
Title
Recent Advances in Intrusion Detection
Edited by
Hervé Debar
Ludovic Mé
S. Felix Wu
Copyright year
2000
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-39945-2
Print ISBN
978-3-540-41085-0
DOI
https://doi.org/10.1007/3-540-39945-3