Experiences with Specification-Based Intrusion Detection

  • Conference paper
  • Recent Advances in Intrusion Detection (RAID 2001)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2212)

Abstract

Specification-based intrusion detection, in which manually written specifications of program behavior serve as the basis for detecting attacks, has been proposed as a promising alternative that combines the strengths of misuse detection (accurate detection of known attacks) and anomaly detection (the ability to detect novel attacks). However, the question of whether this promise can be realized in practice has remained open. In this paper we answer this question, based on our experience in building a specification-based intrusion detection system and experimenting with it. Our experiments included the 1999 DARPA/AFRL online evaluation, as well as experiments conducted using the 1999 DARPA/Lincoln Labs offline evaluation data. These experiments show that an effective specification-based IDS can be developed with modest effort. They also show that specification-based techniques live up to their promise of detecting known as well as unknown attacks, while maintaining a very low rate of false positives.

This research is supported in part by the Defense Advanced Research Projects Agency (DARPA) under contract number F30602-97-C-0244.




© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Uppuluri, P., Sekar, R. (2001). Experiences with Specification-Based Intrusion Detection. In: Lee, W., Mé, L., Wespi, A. (eds) Recent Advances in Intrusion Detection. RAID 2001. Lecture Notes in Computer Science, vol 2212. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45474-8_11

  • DOI: https://doi.org/10.1007/3-540-45474-8_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-42702-5

  • Online ISBN: 978-3-540-45474-8
